Nowhere to Hide - How HW Telemetry and ML Can Make Life Tough for Exploits
Offered By: RSA Conference via YouTube
Course Description
Overview
Explore advanced techniques for detecting malware and exploits using hardware telemetry and machine learning in this 50-minute RSA Conference talk. Delve into the details of building scalable, deployable runtime threat and anomaly detection solutions leveraging CPU telemetry. Learn about telemetry sources, feature selection, overhead management, and platform-specific design considerations. Gain insights into profiling exploits with performance monitoring events, classification pipelines, and identifying relevant events through information gain. Examine sample telemetry, feature mapping, and training pipelines for various detection environments. Discover additional CPU-based techniques, including signature detection and hardware-based anomaly detection using control flow tracing. Understand the evolution of malware detection technologies and how CPU telemetry can reveal even the most concealed malicious code at an instruction level.
Syllabus
Intro
The Evolution of Malware Detection Technologies
CPU Telemetry To The Rescue...wait, what is it?
Profiling exploits with performance monitoring events
DEMO
Classification Pipeline
Which PMU Events?
Information Gain is the key
Sample Telemetry
Identifying Relevant Events
Feature Map Example
Training pipeline
Detection Environments
What else can we use from the CPU
Signature Detection
HW-based Anomaly Detection
What is Control Flow?
How does it work?
HW Telemetries for Control Flow Tracing
Training and detection phases
Taught by
RSA Conference