In 2019, we aim to further improve and develop the anomaly detection framework. Research on secure processors, conducted in collaboration with IITD, will continue with the aim of improving performance, and will be evaluated using the processor simulator we developed. We will consider making the processor simulation environment publicly available so that it can be widely used toward hardware design that takes security into consideration. We will also conduct research on authentication evasion attacks using license servers.

WP2 | Implementation report

Evolution of anomaly detection framework to online detection

In fiscal 2019, we developed an online detection method that detects malware during program execution. Building on the offline detection method developed in 2018, we extended our malware detection method, which is based on program behavior, to online detection. Previous studies have shown that the behavior of a program can be identified by machine learning using the PMCs (Performance Monitoring Counters) built into the processor. However, it had not been shown whether a program can be identified as whitelisted while it is still executing.
The online detection developed in this research sets multiple checkpoints during program execution to monitor the program continuously, and acquires the PMC values at each checkpoint. A machine learning classifier is then generated for each checkpoint from those PMC values. To identify a program, the PMC values at a checkpoint are acquired and that checkpoint's classifier determines whether the program is whitelisted. The checkpoints were set at regular time intervals, and effectiveness was investigated from various angles, including which checkpoint intervals are suitable for online detection.
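
The following added example, which is not the project's code, shows the per-checkpoint scheme described above: one model is trained per checkpoint from whitelisted runs, and a running program is checked at each checkpoint in turn. The report does not name the classifier or the counters, so a per-counter z-score model and three counters are assumed here, and all PMC values are constructed.

```python
# Added example: one model per checkpoint over PMC samples. All data is constructed.
from statistics import mean, pstdev

# Each run is a list of PMC vectors, one per checkpoint. The counter choice
# (instructions, cache misses, branch mispredictions) is an assumption.
WHITELISTED_RUNS = [
    [(1000, 50, 10), (2100, 90, 22), (3000, 140, 30)],
    [(1020, 52, 11), (2050, 95, 20), (3050, 150, 33)],
    [(990, 48, 9), (2080, 92, 21), (2980, 145, 31)],
    [(1010, 51, 10), (2120, 88, 23), (3020, 142, 29)],
]

def train_checkpoint_models(runs):
    """Fit one (means, stdevs) model per checkpoint from whitelisted runs."""
    models = []
    for samples in zip(*runs):            # samples: all runs at one checkpoint
        columns = list(zip(*samples))     # one column per counter
        means = [mean(c) for c in columns]
        # Floor the deviation so a counter that barely varied in training
        # does not make every small difference look anomalous.
        stdevs = [max(pstdev(c), 1.0) for c in columns]
        models.append((means, stdevs))
    return models

def score(model, pmc_vector):
    """Largest per-counter z-score of this sample against the checkpoint model."""
    means, stdevs = model
    return max(abs(v - m) / s for v, m, s in zip(pmc_vector, means, stdevs))

def monitor(models, run, threshold=4.0):
    """Check a run checkpoint by checkpoint, as it would arrive online.

    Returns the index of the first rejected checkpoint, or None if every
    checkpoint matched the whitelist models."""
    for cp, pmc_vector in enumerate(run):
        if cp >= len(models):
            return cp   # no model for this checkpoint: treat as not whitelisted
        if score(models[cp], pmc_vector) > threshold:
            return cp
    return None

MODELS = train_checkpoint_models(WHITELISTED_RUNS)
# Constructed traces: one matches the whitelist, one diverges at checkpoint 1.
BENIGN = [(1005, 50, 10), (2090, 91, 21), (3010, 146, 31)]
DIVERGING = [(1000, 50, 10), (2100, 400, 22), (3000, 140, 30)]

if __name__ == "__main__":
    print(monitor(MODELS, BENIGN), monitor(MODELS, DIVERGING))
```

The diverging trace passes checkpoint 0 and is rejected at checkpoint 1, which is the case a single check at program start or end would miss.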

Research on secure processors

We jointly filed a patent for research on secure processors in collaboration with IITD. These inventions are technologies for improving the performance of mechanisms that securely execute a program, such as Intel's SGX.

The technology in the application is summarized below.

[Problem]

Performance degradation

On a context switch, the data in the cache memory is replaced by another thread's data.

Intel SGX flushes the TLB (Translation Lookaside Buffer) when a system call is called.

[Improvement]

Performance Improvement

We proposed a method that, when a system call or interrupt occurs, determines which core to allocate threads to based on the instruction footprint.

A cuckoo filter is prepared for the threads and for all cores. The cuckoo filter holds a hash of the thread's working set in terms of page numbers. It is used to increase the overlap in memory footprint between threads scheduled on the same core, which prevents the cache memory from being polluted by data from other threads.

The compressed TLB contents are stored in on-chip memory as part of the thread's context and decompressed when the thread is assigned to a core.

These technologies make it possible to suppress the performance degradation caused by cache memory pollution and by TLB flushes. We are improving the processor simulator and confirming their effectiveness quantitatively.

We are also considering making this processor simulation environment publicly available so that it can be widely used toward the realization of hardware design that takes security into consideration.

Research on authentication evasion attacks using license server

We conducted research on authentication evasion attacks against the license servers used to license software. First, we demonstrated against major license management servers that machine learning can carry out attacks more efficiently than the authentication evasion attacks revealed so far. We then proposed a new license management technology that is resistant to such attacks. This technology prevents an attacker from executing a program even if activation is bypassed, by distributing invalid instructions and instructions that cause errors throughout the binary. The results were summarized in a paper and presented at an international conference.