CuMONITOR: Continuous Monitoring of Microarchitecture for Software Task Identification and Classification

Abstract

The interactions between software and hardware are increasingly important to computer system security. This research collected microprocessor control signal sequences to develop machine learning models that identify software tasks. In contrast with prior work that relies on hardware performance counters to collect data for task identification, this research is based on creating additional digital logic to record sequences of control signals inside a processor’s microarchitecture. The proposed approach considers software task identification in hardware as a general problem, with attacks treated as a subset of software tasks. Three lines of effort are presented. First, a data collection approach is described to extract sequences of control signals labeled by task identity during actual (i.e., non-simulated) system operation. Second, experimental design selects hardware and software configurations to train and evaluate machine learning models. The machine learning models significantly outperform a naïve classifier based on Euclidean distances from class means. Various experiment configurations produced a range of balanced accuracy scores. Third, task classification is addressed using decision boundaries defined with thresholds chosen by an optimization strategy to develop non-neural network classifiers. When implemented in hardware, the non-neural network classifiers could require less digital logic to implement compared to neural network models.