{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T07:13:10Z","timestamp":1760080390236,"version":"3.41.0"},"reference-count":50,"publisher":"Association for Computing Machinery (ACM)","issue":"4","license":[{"start":{"date-parts":[[2020,6,21]],"date-time":"2020-06-21T00:00:00Z","timestamp":1592697600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Embed. Comput. Syst."],"published-print":{"date-parts":[[2020,7,31]]},"abstract":"<jats:p>\n            Security is a critical aspect in many of the latest embedded and IoT systems. Malware is one of the severe threats of security for such devices. There have been enormous efforts in malware detection and analysis; however, occurrences of newer varieties of malicious codes prove that it is an extremely difficult problem given the nature of these surreptitious codes. In this article, instead of addressing a general solution, we aim at malware detection for platforms that have more than one core for performance enhancement. We investigate the utility of multiple cores from the point of view of security, where one of the cores operate as a watchdog. We define a notion of a new metric called\n            <jats:italic>LAMBDA<\/jats:italic>\n            (Lightweight Assessment of Malware for emBeddeD Architectures), denoted by \u03bb, indicating a conceptual boundary between the programs which are allowed to run on a given platform, with the codes that are suspected as malwares. The metric \u03bb is computed using carefully chosen monitors or features, which are tuples of high-level programs representing OS resources, along with low-level hardware performance counters. In comparison to heavy-weight machine learning techniques, we use an online hypothesis testing, in the form of\n            <jats:italic>t<\/jats:italic>\n            -test, to classify a given program-under-test. For applications where security is of prime concern, we propose an additional step based on multivariate analysis to classify the unknown programs that are closer to the threshold with a high degree of confidence. We present experimental results focusing on an ARM-based platform which validate that the proposed approach provides a lightweight, accurate assessment of malware codes for embedded platforms. In addition to it, we also present a security analysis to show the difficulty of a mimicry attack attempting to bypass LAMBDA.\n          <\/jats:p>","DOI":"10.1145\/3390855","type":"journal-article","created":{"date-parts":[[2020,6,22]],"date-time":"2020-06-22T02:39:31Z","timestamp":1592793571000},"page":"1-31","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":9,"title":["LAMBDA"],"prefix":"10.1145","volume":"19","author":[{"given":"Sai Praveen","family":"Kadiyala","sequence":"first","affiliation":[{"name":"Nanyang Technological University, Singapore"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Manaar","family":"Alam","sequence":"additional","affiliation":[{"name":"Indian Institute of Technology Kharagpur, India"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yash","family":"Shrivastava","sequence":"additional","affiliation":[{"name":"Indian Institute of Technology Kharagpur, India"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Sikhar","family":"Patranabis","sequence":"additional","affiliation":[{"name":"Indian Institute of Technology Kharagpur, India"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Muhamed Fauzi Bin","family":"Abbas","sequence":"additional","affiliation":[{"name":"Nanyang Technological University, Singapore"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Arnab Kumar","family":"Biswas","sequence":"additional","affiliation":[{"name":"National University of Singapore, Singapore"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Debdeep","family":"Mukhopadhyay","sequence":"additional","affiliation":[{"name":"Indian Institute of Technology Kharagpur, India"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Thambipillai","family":"Srikanthan","sequence":"additional","affiliation":[{"name":"Nanyang Technological University, Singapore"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2020,6,21]]},"reference":[{"key":"e_1_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/1102120.1102165"},{"volume-title":"Unsupervised Process Monitoring and Fault Diagnosis with Machine Learning Methods","author":"Aldrich Chris","key":"e_1_2_1_2_1","unstructured":"Chris Aldrich and Lidia Auret . 2013. Unsupervised Process Monitoring and Fault Diagnosis with Machine Learning Methods . Springer . Chris Aldrich and Lidia Auret. 2013. Unsupervised Process Monitoring and Fault Diagnosis with Machine Learning Methods. Springer."},{"key":"e_1_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/2007183.2007189"},{"key":"e_1_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSUSC.2018.2809665"},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCKE.2014.6993402"},{"key":"e_1_2_1_6_1","volume-title":"Proceedings of the Network and Distributed System Security Symposium (NDSS\u201910)","author":"Balzarotti Davide","year":"2010","unstructured":"Davide Balzarotti , Marco Cova , Christoph Karlberger , Engin Kirda , Christopher Kruegel , and Giovanni Vigna . 2010 . Efficient detection of split personalities in malware . In Proceedings of the Network and Distributed System Security Symposium (NDSS\u201910) . Citeseer. Davide Balzarotti, Marco Cova, Christoph Karlberger, Engin Kirda, Christopher Kruegel, and Giovanni Vigna. 2010. Efficient detection of split personalities in malware. In Proceedings of the Network and Distributed System Security Symposium (NDSS\u201910). Citeseer."},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/2338965.2336768"},{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1109\/ASE.2013.6693090"},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/1866307.1866370"},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1016\/0167-4048(87)90122-2"},{"key":"e_1_2_1_11_1","volume-title":"Security considerations for code signing. NIST Cybersecurity White Paper","author":"Cooper David","year":"2018","unstructured":"David Cooper , Andrew Regenscheid , Murugiah Souppaya , Christopher Bean , Mike Boyle , Dorothy Cooley , and Michael Jenkins . 2018. Security considerations for code signing. NIST Cybersecurity White Paper ( 2018 ). David Cooper, Andrew Regenscheid, Murugiah Souppaya, Christopher Bean, Mike Boyle, Dorothy Cooley, and Michael Jenkins. 2018. Security considerations for code signing. NIST Cybersecurity White Paper (2018)."},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2015.2491300"},{"key":"e_1_2_1_13_1","volume-title":"Proceedings of th 23rd USENIX Security Symposium USENIX Security 14","author":"Davi Lucas","year":"2014","unstructured":"Lucas Davi , Ahmad-Reza Sadeghi , Daniel Lehmann , and Fabian Monrose . 2014 . Stitching the gadgets: On the ineffectiveness of coarse-grained control-flow integrity protection . In Proceedings of th 23rd USENIX Security Symposium USENIX Security 14 . 401--416. Lucas Davi, Ahmad-Reza Sadeghi, Daniel Lehmann, and Fabian Monrose. 2014. Stitching the gadgets: On the ineffectiveness of coarse-grained control-flow integrity protection. In Proceedings of th 23rd USENIX Security Symposium USENIX Security 14. 401--416."},{"key":"e_1_2_1_14_1","first-page":"07257","article-title":"A survey of hardware-based control flow integrity (CFI)","volume":"1706","author":"de Clercq Ruan","year":"2017","unstructured":"Ruan de Clercq and Ingrid Verbauwhede . 2017 . A survey of hardware-based control flow integrity (CFI) . Arxiv Preprint Arxiv : 1706 . 07257 . Ruan de Clercq and Ingrid Verbauwhede. 2017. A survey of hardware-based control flow integrity (CFI). Arxiv Preprint Arxiv:1706.07257.","journal-title":"Arxiv Preprint Arxiv"},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/2485922.2485970"},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/2089125.2089126"},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/2723372.2751520"},{"volume-title":"Proceedings of the IEEE International Test Conference (ITC\u201917)","author":"Elnaggar Rana","key":"e_1_2_1_18_1","unstructured":"Rana Elnaggar , Krishnendu Chakrabarty , and Mehdi B. Tahoori . 2017. Run-time hardware trojan detection using performance counters . In Proceedings of the IEEE International Test Conference (ITC\u201917) . IEEE, 1--10. Rana Elnaggar, Krishnendu Chakrabarty, and Mehdi B. Tahoori. 2017. Run-time hardware trojan detection using performance counters. In Proceedings of the IEEE International Test Conference (ITC\u201917). IEEE, 1--10."},{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/2517312.2517315"},{"key":"e_1_2_1_20_1","unstructured":"GitHub. 2019. Bitcoin Core integration\/staging tree. Retrieved from https:\/\/github.com\/bitcoin\/bitcoin.  GitHub. 2019. Bitcoin Core integration\/staging tree. Retrieved from https:\/\/github.com\/bitcoin\/bitcoin."},{"volume-title":"Proceedings of the IEEE International Workshop on Workload Characterization (WWC\u201901)","author":"Guthaus Matthew R.","key":"e_1_2_1_21_1","unstructured":"Matthew R. Guthaus , Jeffrey S. Ringenberg , Dan Ernst , Todd M. Austin , Trevor Mudge , and Richard B. Brown . 2001. MiBench: A free, commercially representative embedded benchmark suite . In Proceedings of the IEEE International Workshop on Workload Characterization (WWC\u201901) . 3--14. Matthew R. Guthaus, Jeffrey S. Ringenberg, Dan Ernst, Todd M. Austin, Trevor Mudge, and Richard B. Brown. 2001. MiBench: A free, commercially representative embedded benchmark suite. In Proceedings of the IEEE International Workshop on Workload Characterization (WWC\u201901). 3--14."},{"key":"e_1_2_1_22_1","volume-title":"Proceedings of the IEEE International Symposium on Circuits and Systems. IEEE, 1192--1195","author":"Hara Yuko","year":"2008","unstructured":"Yuko Hara , Hiroyuki Tomiyama , Shinya Honda , Hiroaki Takada , and Katsuya Ishii . 2008 . Chstone: A benchmark program suite for practical c-based high-level synthesis . In Proceedings of the IEEE International Symposium on Circuits and Systems. IEEE, 1192--1195 . Yuko Hara, Hiroyuki Tomiyama, Shinya Honda, Hiroaki Takada, and Katsuya Ishii. 2008. Chstone: A benchmark program suite for practical c-based high-level synthesis. In Proceedings of the IEEE International Symposium on Circuits and Systems. IEEE, 1192--1195."},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/2.869367"},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1109\/TC.2017.2759203"},{"volume-title":"Proceedings of the IEEE 30th International Conference on Computer Design (ICCD\u201912)","author":"Kanuparthi Arun K.","key":"e_1_2_1_25_1","unstructured":"Arun K. Kanuparthi , Ramesh Karri , Gaston Ormazabal , and Sateesh K. Addepalli . 2012. A high-performance, low-overhead microarchitecture for secure program execution . In Proceedings of the IEEE 30th International Conference on Computer Design (ICCD\u201912) . IEEE, 102--107. Arun K. Kanuparthi, Ramesh Karri, Gaston Ormazabal, and Sateesh K. Addepalli. 2012. A high-performance, low-overhead microarchitecture for secure program execution. In Proceedings of the IEEE 30th International Conference on Computer Design (ICCD\u201912). IEEE, 102--107."},{"key":"e_1_2_1_26_1","volume-title":"Proceedings of the USENIX Security Symposium","volume":"92","author":"Kiriansky Vladimir","year":"2002","unstructured":"Vladimir Kiriansky , Derek Bruening , Saman P. Amarasinghe , et\u00a0al. 2002 . Secure execution via program shepherding . In Proceedings of the USENIX Security Symposium , Vol. 92 . 84. Vladimir Kiriansky, Derek Bruening, Saman P. Amarasinghe, et\u00a0al. 2002. Secure execution via program shepherding. In Proceedings of the USENIX Security Symposium, Vol. 92. 84."},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2008.69"},{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/2046582.2046596"},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1109\/ITC-Asia.2018.00017"},{"key":"e_1_2_1_30_1","volume-title":"Proceedings of the USENIX Annual Technical Conference. 279--294","author":"McVoy Larry W.","year":"1996","unstructured":"Larry W. McVoy , Carl Staelin , et\u00a0al. 1996 . lmbench: Portable tools for performance analysis .. In Proceedings of the USENIX Annual Technical Conference. 279--294 . Larry W. McVoy, Carl Staelin, et\u00a0al. 1996. lmbench: Portable tools for performance analysis.. In Proceedings of the USENIX Annual Technical Conference. 279--294."},{"key":"e_1_2_1_31_1","unstructured":"Brian Melewski. 2005. Roll Your Own Custom x86-Based Embedded Systems. Retrieved from http:\/\/www.electronicdesign.com\/boards\/roll-your-own-custom-x86-based-embedded-systems.  Brian Melewski. 2005. Roll Your Own Custom x86-Based Embedded Systems. Retrieved from http:\/\/www.electronicdesign.com\/boards\/roll-your-own-custom-x86-based-embedded-systems."},{"key":"e_1_2_1_32_1","first-page":"43","article-title":"Fuse: Accurate multiplexing of hardware performance counters across executions","volume":"14","author":"Neill Richard","year":"2017","unstructured":"Richard Neill , Andi Drebes , and Antoniu Pop . 2017 . Fuse: Accurate multiplexing of hardware performance counters across executions . ACM Trans. Archit. Code Optimiz. 14 , 4 (2017), 43 . Richard Neill, Andi Drebes, and Antoniu Pop. 2017. Fuse: Accurate multiplexing of hardware performance counters across executions. ACM Trans. Archit. Code Optimiz. 14, 4 (2017), 43.","journal-title":"ACM Trans. Archit. Code Optimiz."},{"key":"e_1_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1109\/TC.2016.2540634"},{"key":"e_1_2_1_34_1","unstructured":"Samuel Phung. 2017. x86-Based Hardware and the Internet-of-Things Devices Market. Retrieved from http:\/\/www.embeddedintel.com\/technology_applications.php?article&equals;2350.  Samuel Phung. 2017. x86-Based Hardware and the Internet-of-Things Devices Market. Retrieved from http:\/\/www.embeddedintel.com\/technology_applications.php?article&equals;2350."},{"key":"e_1_2_1_35_1","unstructured":"QEMU. 2019. QEMU version 4.1.0 User Documentation. Retrieved from https:\/\/qemu.weilnetz.de\/doc\/qemu-doc.html.  QEMU. 2019. QEMU version 4.1.0 User Documentation. Retrieved from https:\/\/qemu.weilnetz.de\/doc\/qemu-doc.html."},{"key":"e_1_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1109\/LES.2012.2218630"},{"key":"e_1_2_1_37_1","volume-title":"Onkar Randive, Sai Manoj P. D., Setareh Rafatirad, and Houman Homayoun.","author":"Sayadi Hossein","year":"2018","unstructured":"Hossein Sayadi , Hosein Mohammadi Makrani , Onkar Randive, Sai Manoj P. D., Setareh Rafatirad, and Houman Homayoun. 2018 . Customized machine learning-based hardware-assisted malware detection in embedded devices. In Proceedings of the 17th IEEE International Conference on Trust, Security and Privacy in Computing and Communications\/12th IEEE International Conference on Big Data Science and Engineering (TrustCom\/BigDataSE\u201918). IEEE , 1685--1688. Hossein Sayadi, Hosein Mohammadi Makrani, Onkar Randive, Sai Manoj P. D., Setareh Rafatirad, and Houman Homayoun. 2018. Customized machine learning-based hardware-assisted malware detection in embedded devices. In Proceedings of the 17th IEEE International Conference on Trust, Security and Privacy in Computing and Communications\/12th IEEE International Conference on Big Data Science and Engineering (TrustCom\/BigDataSE\u201918). IEEE, 1685--1688."},{"key":"e_1_2_1_38_1","unstructured":"Peter Selinger. 2011. MD5 Collision Demo. Retrieved from https:\/\/www.mathstat.dal.ca\/ selinger\/md5collision\/.  Peter Selinger. 2011. MD5 Collision Demo. Retrieved from https:\/\/www.mathstat.dal.ca\/ selinger\/md5collision\/."},{"key":"e_1_2_1_39_1","volume-title":"Byte-unixbench: A unix benchmark suite. Technical Report","author":"Smith Ben","year":"2011","unstructured":"Ben Smith , Rick Grehan , Tom Yager , and DC Niemi . 2011 . Byte-unixbench: A unix benchmark suite. Technical Report (2011). Ben Smith, Rick Grehan, Tom Yager, and DC Niemi. 2011. Byte-unixbench: A unix benchmark suite. Technical Report (2011)."},{"key":"e_1_2_1_40_1","volume-title":"Stolfo","author":"Tang Adrian","year":"2014","unstructured":"Adrian Tang , Simha Sethumadhavan , and Salvatore J . Stolfo . 2014 . Unsupervised anomaly-based malware detection using hardware features. In Proceedings of the International Workshop on Recent Advances in Intrusion Detection. Springer , 109--129. Adrian Tang, Simha Sethumadhavan, and Salvatore J. Stolfo. 2014. Unsupervised anomaly-based malware detection using hardware features. In Proceedings of the International Workshop on Recent Advances in Intrusion Detection. Springer, 109--129."},{"key":"e_1_2_1_41_1","first-page":"02667","article-title":"SIGDROP: Signature-based ROP detection using hardware performance counters","volume":"1609","author":"Wang Xueyang","year":"2016","unstructured":"Xueyang Wang and Jerry Backer . 2016 . SIGDROP: Signature-based ROP detection using hardware performance counters . Arxiv Preprint Arxiv : 1609 . 02667 . Xueyang Wang and Jerry Backer. 2016. SIGDROP: Signature-based ROP detection using hardware performance counters. Arxiv Preprint Arxiv:1609.02667.","journal-title":"Arxiv Preprint Arxiv"},{"key":"e_1_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/2857055"},{"key":"e_1_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1145\/2463209.2488831"},{"volume-title":"Network Science and Cybersecurity","author":"Wang Xueyang","key":"e_1_2_1_44_1","unstructured":"Xueyang Wang and Ramesh Karri . 2014. Detecting kernel control-flow modifying Rootkits . In Network Science and Cybersecurity . Springer , 177--187. Xueyang Wang and Ramesh Karri. 2014. Detecting kernel control-flow modifying Rootkits. In Network Science and Cybersecurity. Springer, 177--187."},{"key":"e_1_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1109\/TCAD.2015.2474374"},{"key":"e_1_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCAD.2015.7372617"},{"key":"e_1_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1109\/TMSCS.2016.2569467"},{"key":"e_1_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1007\/11426639_2"},{"key":"e_1_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2015.2422674"},{"key":"e_1_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-06320-1_14"}],"container-title":["ACM Transactions on Embedded Computing Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3390855","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3390855","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T22:38:36Z","timestamp":1750199916000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3390855"}},"subtitle":["Lightweight Assessment of Malware for emBeddeD Architectures"],"short-title":[],"issued":{"date-parts":[[2020,6,21]]},"references-count":50,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2020,7,31]]}},"alternative-id":["10.1145\/3390855"],"URL":"https:\/\/doi.org\/10.1145\/3390855","relation":{},"ISSN":["1539-9087","1558-3465"],"issn-type":[{"type":"print","value":"1539-9087"},{"type":"electronic","value":"1558-3465"}],"subject":[],"published":{"date-parts":[[2020,6,21]]},"assertion":[{"value":"2019-02-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2020-03-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2020-06-21","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}