Khaled N. Khasawneh
Ph.D. Student in Computer Science at UCR


Computer Science & Engineering Department
University of California, Riverside
Riverside, CA 92521

Email: kkhas001 [at] ucr [dot] edu

Google Scholar




About Me

I am a PhD candidate at the Department of Computer Science & Engineering, University of California, Riverside. I am working with Prof. Nael Abu-Ghazaleh. My research interests are in architecture support for security, malware detection, adversarial machine learning, side channels, and covert channels.



News

Sep 15, 2017
Student travel grant to attend MICRO 2017!
Jul 14, 2017
Saba (my wife) & I won student travel grants to attend KDD 2017!
Jul 2, 2017
Two papers accepted to MICRO 2017!
Feb 10, 2017
Our paper on mitigating LLC side-channel will appear at DAC 2017
Nov 11, 2016
Our hardware-based malware detection papers (RAID'15 & TC'16) are in the news! Sample articles: Security Intelligence, Bleeping Computer, Digital Trends, HelpNetSecurity, Science Explorer


Teaching

CS161
Design and Architecture of Computer Systems (Fall 2016)


Publications

Conference Papers

C4

RHMD: Evasion-Resilient Hardware Malware Detectors MICRO '17

Khaled N. Khasawneh, Nael Abu-Ghazaleh, Dmitry Ponomarev, and Lei Yu
The 50th International Symposium on Microarchitecture (MICRO), 2017. (acceptance rate: 18.6%)

Hardware Malware Detectors (HMDs) have recently been proposed as a defense against the proliferation of malware. These detectors use low-level features that can be collected by the hardware performance monitoring units on modern CPUs to detect malware as a computational anomaly. Several aspects of the detector construction have been explored, leading to detectors with high accuracy. In this paper, we explore the question of how well evasive malware can avoid detection by HMDs. We show that existing HMDs can be effectively reverse-engineered and subsequently evaded, allowing malware to hide from detection without substantially slowing it down (which is important for certain types of malware). This result demonstrates that the current generation of HMDs can be easily defeated by evasive malware. Next, we explore how well a detector can evolve if it is exposed to this evasive malware during training. We show that simple detectors, such as logistic regression, cannot detect the evasive malware even with retraining. More sophisticated detectors can be retrained to detect evasive malware, but the retrained detectors can be reverse-engineered and evaded again. To address these limitations, we propose a new type of Resilient HMDs (RHMDs) that stochastically switch between different detectors. These detectors can be shown to be provably more difficult to reverse engineer based on recent results in probably approximately correct (PAC) learnability theory. We show that indeed such detectors are resilient to both reverse engineering and evasion, and that the resilience increases with the number and diversity of the individual detectors. Our results demonstrate that these HMDs offer effective defense against evasive malware at low additional complexity.
@inproceedings{Khasawneh:2017:RHMD,
author = {Khasawneh, Khaled N. and Abu-Ghazaleh, Nael and Ponomarev, Dmitry and Yu, Lei},
title = {RHMD: Evasion-resilient Hardware Malware Detectors},
booktitle = {Proceedings of the 50th Annual IEEE/ACM International Symposium on Microarchitecture},
series = {MICRO-50 '17},
year = {2017},
isbn = {978-1-4503-4952-9},
location = {Cambridge, Massachusetts},
pages = {315--327},
numpages = {13},
url = {http://doi.acm.org/10.1145/3123939.3123972},
doi = {10.1145/3123939.3123972},
acmid = {3123972},
publisher = {ACM},
address = {New York, NY, USA},
keywords = {HMDs, adversarial machine learning, malware detection},
}
C3

Constructing and Characterizing Covert Channels on GPGPUs MICRO '17

Hoda Naghibi, Khaled N. Khasawneh, and Nael Abu-Ghazaleh
The 50th International Symposium on Microarchitecture (MICRO), 2017. (acceptance rate: 18.6%)

General Purpose Graphics Processing Units (GPGPUs) are present in most modern computing platforms. They are also increasingly integrated as a computational resource on clusters, data centers, and cloud infrastructure, making them possible targets for attacks. We present a first study of covert channel attacks on GPGPUs. GPGPU attacks offer a number of attractive properties relative to CPU covert channels. These channels also have characteristics different from their counterparts on CPUs. To enable the attack, we first reverse engineer the hardware block scheduler as well as the warp to warp scheduler to characterize how co-location is established. We exploit this information to manipulate the scheduling algorithms to create co-residency between the trojan and the spy. We study contention on different resources including caches, functional units and memory, and construct operational covert channels on all these resources. We also investigate approaches to increase the bandwidth of the channel including: (1) using synchronization to reduce the communication cycle and increase robustness of the channel; (2) exploiting the available parallelism on the GPU to increase the bandwidth; and (3) exploiting the scheduling algorithms to create exclusive co-location to prevent interference from other possible applications. We demonstrate operational versions of all channels on three different Nvidia GPGPUs, obtaining error-free bandwidth of over 4 Mbps, making it the fastest known microarchitectural covert channel under realistic conditions.
@inproceedings{Naghibijouybari:2017:CCC:3123939.3124538,
author = {Naghibijouybari, Hoda and Khasawneh, Khaled N. and Abu-Ghazaleh, Nael},
title = {Constructing and Characterizing Covert Channels on GPGPUs},
booktitle = {Proceedings of the 50th Annual IEEE/ACM International Symposium on Microarchitecture},
series = {MICRO-50 '17},
year = {2017},
isbn = {978-1-4503-4952-9},
location = {Cambridge, Massachusetts},
pages = {354--366},
numpages = {13},
url = {http://doi.acm.org/10.1145/3123939.3124538},
doi = {10.1145/3123939.3124538},
acmid = {3124538},
publisher = {ACM},
address = {New York, NY, USA},
keywords = {GPUs, covert channels, security},
}
C2

RIC: Relaxed Inclusion Caches for Mitigating LLC Side-Channel Attacks DAC '17

Mehmet Kayaalp, Khaled N. Khasawneh, Hodjat Esfeden, Jesse Elwell, Nael Abu-Ghazaleh, Dmitry Ponomarev, and Aamer Jaleel
54th Annual Design Automation Conference (ACM DAC '17). (acceptance rate: 24%)

Recently, side-channel attacks on Last Level Caches (LLCs) were demonstrated. The attacks require the ability to evict critical data from the cache hierarchy, making future accesses visible. We propose Relaxed Inclusion Caches (RIC), a low-complexity cache design protecting against LLC side channel attacks. RIC relaxes inclusion when it is not needed, preventing the attacker from replacing the victim's data from the local core caches thus protecting critical data from leakage. RIC improves performance (by about 10%) and retains snoop filtering capabilities of inclusive cache hierarchies, while requiring only minimal changes to the cache.
@inproceedings{kayaalp2017ric,
title={RIC: Relaxed Inclusion Caches for Mitigating LLC Side-Channel Attacks},
author={Kayaalp, Mehmet and Khasawneh, Khaled N and Esfeden, Hodjat Asghari and Elwell, Jesse and Abu-Ghazaleh, Nael and Ponomarev, Dmitry and Jaleel, Aamer},
booktitle={Proceedings of the 54th Annual Design Automation Conference 2017},
pages={7},
year={2017},
organization={ACM}
}
C1

Ensemble Learning for Low-level Hardware-supported Malware Detection RAID '15

Khaled N. Khasawneh, Meltem Ozsoy, Caleb Donovick, Nael Abu-Ghazaleh, and Dmitry Ponomarev
18th International Symposium on Research in Attacks, Intrusions and Defenses (RAID-18), Kyoto, Japan, November 2015. (acceptance rate: 23.5%)

Recent work demonstrated hardware-based online malware detection using only low-level features. This detector is envisioned as a first line of defense that prioritizes the application of more expensive and more accurate software detectors. Critical to such a framework is the detection performance of the hardware detector. In this paper, we explore the use of both specialized detectors and ensemble learning techniques to improve performance of the hardware detector. The proposed detectors reduce the false positive rate by more than half compared to a single detector, while increasing the detection rate. We also contribute approximate metrics to quantify the detection overhead, and show that the proposed detectors achieve more than 11x reduction in overhead compared to a software only detector (1.87x compared to prior work), while improving detection time. Finally, we characterize the hardware complexity by extending an open core and synthesizing it on an FPGA platform, showing that the overhead is minimal.
@inproceedings{Khasawneh:2015:ELL:2939207.2939209,
author = {Khasawneh, Khaled N. and Ozsoy, Meltem and Donovick, Caleb and Abu-Ghazaleh, Nael and Ponomarev, Dmitry},
title = {Ensemble Learning for Low-Level Hardware-Supported Malware Detection},
booktitle = {Proceedings of the 18th International Symposium on Research in Attacks, Intrusions, and Defenses - Volume 9404},
series = {RAID 2015},
year = {2015},
isbn = {978-3-319-26361-8},
location = {Kyoto, Japan},
pages = {3--25},
numpages = {23},
url = {http://dx.doi.org/10.1007/978-3-319-26362-5_1},
doi = {10.1007/978-3-319-26362-5_1},
acmid = {2939209},
publisher = {Springer-Verlag New York, Inc.},
address = {New York, NY, USA},
}

Journal Article

J1

Hardware-based Malware Detection using Low-level Architectural Features TC '16

Meltem Ozsoy, Khaled N. Khasawneh, Caleb Donovick, Iakov Gorelik, Nael Abu-Ghazaleh, Dmitry Ponomarev
IEEE Transactions on Computers (TC), 2016. (extends HPCA'15)

Security exploits and ensuant malware pose an increasing challenge to computing systems as the variety and complexity of attacks continue to increase. In response, software-based malware detection tools have grown in complexity, thus making it computationally difficult to use them to protect systems in real-time. Therefore, software detectors are applied selectively and at a low frequency, creating opportunities for malware to remain undetected. In this paper, we propose Malware-Aware Processors (MAP) - processors augmented with a hardware-based online malware detector to serve as the first line of defense to differentiate malware from legitimate programs. The output of this detector helps the system prioritize how to apply more expensive software-based solutions. The always-on nature of MAP detector helps protect against intermittently operating malware. We explore the use of different features for classification and study both logistic regression and neural networks. We show that the detectors can achieve excellent performance, with little hardware overhead. We integrate the MAP implementation with an open-source x86-compatible core, synthesizing the resulting design to run on an FPGA.

@article{ozsoy2016hardware,
title={Hardware-Based Malware Detection Using Low-Level Architectural Features},
author={Ozsoy, Meltem and Khasawneh, Khaled N and Donovick, Caleb and Gorelik, Iakov and Abu-Ghazaleh, Nael and Ponomarev, Dmitry},
journal={IEEE Transactions on Computers},
volume={65},
number={11},
pages={3332--3344},
year={2016},
publisher={IEEE}
}


Academic Professional Service


Awards/Honors

2014-2016
Dean’s Distinguished Fellowship, Bourns College of Engineering, University of California, Riverside.
2013
Student Travel Scholarship, Trusted Infrastructure Workshop, The Pennsylvania State University.
2011
Jordanian Representative, Annual International Microelectronics Olympiad of Armenia, hosted by Synopsys.
2009
Dean's Honor List, Computer & Information Technology College, Jordan University of Science & Technology.
