LAMBDA: Lightweight Assessment of Malware for emBeddeD Architectures

Security is a critical aspect in many of the latest embedded and IoT systems. Malware is one of the severe threats of security for such devices. There have been enormous efforts in malware detection and analysis; however, occurrences of newer varieties of malicious codes prove that it is an extremely difficult problem given the nature of these surreptitious codes. In this article, instead of addressing a general solution, we aim at malware detection for platforms that have more than one core for performance enhancement. We investigate the utility of multiple cores from the point of view of security, where one of the cores operate as a watchdog. We define a notion of a new metric called LAMBDA (Lightweight Assessment of Malware for emBeddeD Architectures), denoted by λ, indicating a conceptual boundary between the programs which are allowed to run on a given platform, with the codes that are suspected as malwares. The metric λ is computed using carefully chosen monitors or features, which are tuples of high-level programs representing OS resources, along with low-level hardware performance counters. In comparison to heavy-weight machine learning techniques, we use an online hypothesis testing, in the form of t-test, to classify a given program-under-test. For applications where security is of prime concern, we propose an additional step based on multivariate analysis to classify the unknown programs that are closer to the threshold with a high degree of confidence. We present experimental results focusing on an ARM-based platform which validate that the proposed approach provides a lightweight, accurate assessment of malware codes for embedded platforms. In addition to it, we also present a security analysis to show the difficulty of a mimicry attack attempting to bypass LAMBDA.