LAMBDA
ACM Transactions on Embedded Computing Systems (IF 2), Pub Date: 2020-06-22, DOI: 10.1145/3390855
Sai Praveen Kadiyala 1 , Manaar Alam 2 , Yash Shrivastava 2 , Sikhar Patranabis 2 , Muhamed Fauzi Bin Abbas 1 , Arnab Kumar Biswas 3 , Debdeep Mukhopadhyay 2 , Thambipillai Srikanthan 1
Security is a critical aspect of many of the latest embedded and IoT systems, and malware is one of the most severe threats to such devices. Enormous effort has gone into malware detection and analysis; however, the continual appearance of new varieties of malicious code shows that it is an extremely difficult problem, given the surreptitious nature of these codes. In this article, instead of seeking a general solution, we target malware detection on platforms that have more than one core for performance enhancement. We investigate the utility of multiple cores from a security point of view, where one of the cores operates as a watchdog. We define a new metric called LAMBDA (Lightweight Assessment of Malware for emBeddeD Architectures), denoted by λ, that marks a conceptual boundary between the programs allowed to run on a given platform and the codes suspected of being malware. The metric λ is computed from carefully chosen monitors, or features: tuples of high-level program attributes representing OS resources, together with low-level hardware performance counters. In place of heavyweight machine learning techniques, we use online hypothesis testing, in the form of a t-test, to classify a given program-under-test. For applications where security is of prime concern, we propose an additional step based on multivariate analysis that classifies, with a high degree of confidence, unknown programs whose metric lies close to the threshold. We present experimental results on an ARM-based platform that validate that the proposed approach provides a lightweight, accurate assessment of malware for embedded platforms. In addition, we present a security analysis showing the difficulty of a mimicry attack that attempts to bypass LAMBDA.
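The pipeline the abstract sketches, as an added worked example that is not the authors' code: a watchdog core samples a program-under-test (PUT) once per interval on a small monitor tuple, compares each monitor against a benign baseline with a t-test, turns the fraction of monitors that reject "same distribution" into a λ-style score, and sends scores that land between the two cut-offs to a second, multivariate step. Everything not in the abstract is an assumption of this example: the monitor names, Welch's t-test as the specific t-test variant, the constants `T_CRIT`, `LAMBDA_ALLOW`, `LAMBDA_FLAG` and `DIST_CRIT`, a diagonal-covariance Mahalanobis distance standing in for the paper's unspecified multivariate analysis, and all sample values, which are constructed.

```python
"""Added illustration (not the LAMBDA authors' code) of a per-monitor t-test
classifier with a multivariate second stage for borderline lambda scores.
Monitor names, thresholds and every sample value below are constructed."""
from __future__ import annotations

import math
from statistics import mean, stdev, variance

# Assumed monitor tuple: two OS-resource counters followed by three hardware
# performance counters (instructions in thousands), sampled once per interval.
FEATURES = ("syscalls", "open_fds", "kinstr", "cache_misses", "branch_misses")

# Constructed benign baseline: six intervals of an allowed workload.
BASELINE = [
    (120, 6, 980, 1200, 800),
    (118, 7, 1010, 1250, 820),
    (125, 6, 1000, 1180, 790),
    (122, 7, 990, 1220, 810),
    (119, 6, 1020, 1210, 805),
    (121, 7, 1005, 1195, 815),
]

T_CRIT = 2.57        # assumed |t| cut-off (about two-sided 5% at ~5 d.o.f.)
LAMBDA_ALLOW = 0.3   # score at or below this: allowed program
LAMBDA_FLAG = 0.7    # score at or above this: suspected malware
DIST_CRIT = 4.0      # assumed cut-off for the multivariate second stage


def column(samples, i: int) -> list[float]:
    """Values of monitor i across all sampled intervals."""
    return [row[i] for row in samples]


def welch_t(baseline: list[float], put: list[float]) -> float:
    """Welch's t statistic (unequal variances, unequal sample sizes)."""
    se = math.sqrt(variance(baseline) / len(baseline) + variance(put) / len(put))
    if se == 0.0:  # two constant monitors: identical or trivially different
        return 0.0 if mean(put) == mean(baseline) else math.inf
    return (mean(put) - mean(baseline)) / se


def lambda_score(put_samples, baseline=BASELINE) -> float:
    """Fraction of monitors on which the PUT differs significantly from baseline."""
    rejected = sum(
        abs(welch_t(column(baseline, i), column(put_samples, i))) > T_CRIT
        for i in range(len(FEATURES))
    )
    return rejected / len(FEATURES)


def standardized_distance(put_samples, baseline=BASELINE) -> float:
    """Distance of the PUT mean vector from the baseline mean, each axis scaled
    by the baseline standard deviation (diagonal-covariance Mahalanobis)."""
    d2 = 0.0
    for i in range(len(FEATURES)):
        base, put = column(baseline, i), column(put_samples, i)
        sd = stdev(base) or 1e-9  # guard a monitor that never moves in baseline
        d2 += ((mean(put) - mean(base)) / sd) ** 2
    return math.sqrt(d2)


def classify(put_samples, baseline=BASELINE) -> tuple[str, float]:
    """Return (verdict, lambda score); borderline scores get the second stage."""
    score = lambda_score(put_samples, baseline)
    if score <= LAMBDA_ALLOW:
        return "allowed", score
    if score >= LAMBDA_FLAG:
        return "malware", score
    dist = standardized_distance(put_samples, baseline)
    return ("malware" if dist > DIST_CRIT else "allowed"), score


# Constructed PUT traces, four intervals each.
BENIGN_PUT = [(121, 6, 995, 1205, 802), (119, 7, 1008, 1215, 812),
              (123, 6, 985, 1190, 795), (120, 7, 1012, 1230, 818)]
MALWARE_PUT = [(410, 31, 2400, 9800, 5100), (395, 33, 2350, 9500, 5000),
               (420, 30, 2480, 10100, 5250), (405, 32, 2410, 9900, 5150)]
# Only the two OS-resource monitors move: lands between the lambda cut-offs.
BORDERLINE_PUT = [(150, 9, 998, 1210, 804), (148, 10, 1005, 1200, 810),
                  (153, 9, 990, 1220, 800), (149, 10, 1010, 1195, 812)]

if __name__ == "__main__":
    for name, trace in (("benign", BENIGN_PUT), ("malware", MALWARE_PUT),
                        ("borderline", BORDERLINE_PUT)):
        verdict, score = classify(trace)
        print(f"{name:10s} lambda={score:.2f} verdict={verdict}")
```

The borderline trace is the case the abstract's second step exists for: two of five monitors reject, so the λ score alone sits between the cut-offs, and it is the joint standardized distance, which sees both shifted monitors at once, that pushes it over `DIST_CRIT`. A mimicry attack would have to hold every monitor inside the baseline spread for the whole run, which is what makes the per-monitor-plus-multivariate combination harder to game than a single aggregate counter.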

Updated: 2020-06-22