Scientists Working on a CPU That Can Detect Malware at the Hardware Level

Share this…

Researchers are working on a new CPU chip design that will extend the fight against malware at the hardware level in an attempt to bolster computers, mobiles, and other devices against the rising wave of security threats.

The work is being carried out by two teams of researchers from the Binghamton University and the University of California-Riverside.

The project is named “Practical Hardware-Assisted Always-On Malware Detection” and will be funded through a three-year research grant of $275,000 the teams received from the National Science Foundation.


New chip design to detect process anomalies inside the CPU

The principle at the base of this research is to modify a CPU chip to include extra logic to detect anomalies in running processes. Once something out of order is detected, the CPU will alert local security software that something is wrong. The local security software will have the final decision on what to do with the detected anomaly.

Researchers are sceptic that the modified CPU will pick up all threats, but they view their project as an extra layer of defense they can add to CPUs, and not as a standalone security system.

Scientists say that the CPU will use low complexity machine learning algorithms to classify malware from normal processes.

“The detector is, essentially, like a canary in a coal mine to warn software programs when there is a problem,” said Dmitry Ponomarev, professor of computer science at Binghamton University, State University of New York.

“The hardware detector is fast, but is less flexible and comprehensive. The hardware detector’s role is to find suspicious behavior and better direct the efforts of the software,” Prof. Ponomarev also added.

Previous work on this topic

The work of Prof. Ponomarev and his team is not unique. In 2014, a team of three researchers from the Columbia University in New York, have also explored the subject in their paper titled “Unsupervised Anomaly-based Malware Detection using Hardware Features.”

In their work, the Columbia team used a similar system to the one proposed by the Binghamton and California-Riverside researchers. The Columbia team used unsupervised machine learning to build profiles of normal program execution based on data from performance counters and used these profiles to detect significant deviations in program behavior that occurred as a result of malware exploitation attempts.

Similar work has been carried out by Intel and researchers from Clarkson University. The work of the Binghamton researcher team, on which this project is based, is detailed in research papers titled “Hardware-based Malware Detection using Low-level Architectural Features” and “Ensemble Learning for Low-level Hardware-supported Malware Detection.”

In recent months, news about CPUs and security involved researchers bypassing ASLR protections on Intel Haswell CPUs or researchers finding hidden code (some would call it a backdoor) inside the architecture of Intel x86 processors. In fact, two of the researchers working on this project, were also on the team that discovered the Intel Haswell CPU ASLR bypass technique.