Real-Time Edge Processing Detection of Malicious Attacks Using Machine Learning and Processor Core Events

Abstract

A method for the detection of the malicious events such as the SPECTRE exploit is proposed and evaluated using machine learning and processor core events. In this work, we use machine learning to implement a system based on hardware event counters to detect malicious exploits such as SPECTRE running in a process on a Linux based system. Our approach is designed to use existing on-chip hardware to detect a SPECTRE-based exploitation in real time. Prototype architectures in both x86 and ARM-based SoC’s representing an embedded system with a corresponding realtime Edge-based classifier is designed and implemented to validate the approach. This exploit detection architecture uses software agents and requires no additional hardware. In particular, a software agent periodically accesses the event counter register file during runtime. At each observation time, a feature vector is formulated consisting of a particular subset of event counter data. The event counter data used in the detection technique includes cache and branch prediction counts. Various different machine learning classifiers are implemented with a goal of predicting either the presence of the malicious exploit or something other than the malicious exploit. Thus, the classifier outputs binary states of “malicious exploit present” versus “normal operation.” Many classifiers resulted in true positive rates in excess of 98% with corresponding false positive rates less than 1%. In many cases, a 0% false positive rate is achieved. These predictive approaches are compared for training complexity and performance.