Hardware assisted malware detection for embedded systems

Detection of malicious software (malware) has been a challenging issue over the past years due to the increase in security threats. While many methods have been attempted to tackle this problem, little effort has been made to address security in embedded systems. Commercial anti-virus programs do not se...


Bibliographic Details
Main Author: Nur Insyirah Lukeman
Other Authors: Lam Siew Kei
Format: Final Year Project (FYP)
Language: English
Published: Nanyang Technological University 2022
Subjects:
Online Access: https://hdl.handle.net/10356/157223
_version_ 1826113669659885568
author Nur Insyirah Lukeman
author2 Lam Siew Kei
collection NTU
description Detection of malicious software (malware) has been a challenging issue over the past years due to the increase in security threats. While many methods have been attempted to tackle this problem, little effort has been made to address security in embedded systems. Commercial anti-virus programs do not serve as a solution, as this approach is unable to deliver the necessary security protection for these systems and may not be effective. As such, several researchers have attempted to develop tools for malware detection at the hardware level. In this paper, we aim to propose a lightweight malware detection tool that uses hardware performance counters (HPC) as a form of protection against malware for embedded systems. HPC provides a high-level abstraction layer that has been used to collect, monitor, and measure various system data, as well as examine resource usage. This approach aims to exploit HPC on ARM-based embedded systems to perform analysis and to distinguish any malicious behaviour from a program's intended behaviour. The tool is designed to extract the HPC data and separate it into two sets, malware and benign. The HPC data is collected from selected operating system programs while malware or benign programs are running on the embedded system. Through a statistical approach, these HPC values are analysed, and a distance metric, denoted λ, is used to evaluate whether a running program is exhibiting its intended benign behaviour. With the historical data obtained, we performed offline testing and implemented this malware detection methodology on an NVIDIA® Jetson Xavier™ NX Development Board running embedded Linux and a Desay SV Automotive third-generation Intelligent Processing Unit (IPU-03) running QNX. Lastly, we propose a windowing technique for malware detection, which centres on continuously collecting the HPC data and evaluating the λ-value of the system at specific intervals.
first_indexed 2024-10-01T03:27:01Z
format Final Year Project (FYP)
id ntu-10356/157223
institution Nanyang Technological University
language English
last_indexed 2024-10-01T03:27:01Z
publishDate 2022
publisher Nanyang Technological University
record_format dspace
spelling ntu-10356/157223 2022-05-11T05:35:11Z Hardware assisted malware detection for embedded systems Nur Insyirah Lukeman Lam Siew Kei School of Computer Science and Engineering ASSKLam@ntu.edu.sg Engineering::Computer science and engineering Bachelor of Engineering (Computer Engineering) 2022-05-11T05:35:11Z 2022-05-11T05:35:11Z 2022 Final Year Project (FYP) Nur Insyirah Lukeman (2022). Hardware assisted malware detection for embedded systems. Final Year Project (FYP), Nanyang Technological University, Singapore. https://hdl.handle.net/10356/157223 https://hdl.handle.net/10356/157223 en SCSE21-0003 application/pdf Nanyang Technological University
title Hardware assisted malware detection for embedded systems
topic Engineering::Computer science and engineering
url https://hdl.handle.net/10356/157223