
Hardware Performance Counter-Based Fine-Grained Malware Detection

Published: 26 September 2020

Abstract

Detecting malicious programs from hardware-level features has gained prominence recently. Hardware metrics are tamper-resistant and therefore a better security signal than high-level software metrics, which malware can obfuscate cheaply. Hardware Performance Counters (HPCs), built into most recent processors, are the hardware metric researchers most often choose. However, HPC counts are not deterministic: the same program produces different counts from run to run, which lowers the detection rate and erodes much of their advantage. To address this, we propose a three-step methodology for fine-grained malware detection. First, we record the HPC values for each system call made by an unknown program. Second, we apply dimensionality reduction to this fine-grained data to retain the components with the most variance. Third, we use a machine-learning classifier to label the unknown program as benign or malicious. The proposed methodology obtains a 98.4% detection rate at a 3.1% false-positive rate, a significant improvement over other recent work in hardware-based anomaly detection.
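The three steps above, as an added example that is not the paper's code: per-system-call HPC samples are constructed inline with a seeded RNG (on a real host they would be read from perf_event_open() counters at each syscall boundary), turned into per-syscall counter/instruction ratios to dampen run-to-run drift, standardised and reduced with PCA (power iteration with deflation) to the highest-variance components, and classified with a nearest-centroid rule whose detection rate and false-positive rate are then measured on held-out runs. The synthetic "malicious" profile (elevated branch- and cache-miss ratios on I/O system calls), the counter and syscall names, and every function name are assumptions made for this demonstration.

```python
"""Per-system-call HPC pipeline: extract -> standardise + PCA -> classify.

Added example, not the paper's code. Samples are constructed with a seeded
RNG so the script runs offline; the 'malicious' profile (elevated miss ratios
on I/O syscalls) is an assumption for the demo, not a measured signature.
"""
import math
import random

SYSCALLS = ("read", "write", "mmap", "connect")
RATIO_COUNTERS = ("branch_misses", "cache_misses", "llc_loads")

def make_program(rng, malicious, n_calls=40):
    """One program run as a list of (syscall, {counter: count}); constructed data."""
    calls = []
    for _ in range(n_calls):
        sc = rng.choice(SYSCALLS)
        instr = rng.randint(2000, 20000)          # retired instructions vary run to run
        hot = malicious and sc in ("read", "write", "connect")
        calls.append((sc, {
            "instructions": instr,
            "branch_misses": instr * rng.gauss(0.06 if hot else 0.02, 0.005),
            "cache_misses": instr * rng.gauss(0.05 if hot else 0.015, 0.004),
            "llc_loads": instr * rng.gauss(0.10, 0.01),   # uninformative counter
        }))
    return calls

def extract_features(calls):
    """Fixed-length vector: per-syscall mean counter/instruction ratios plus
    syscall frequency. Ratios absorb run-to-run drift in absolute counts."""
    per_sc = {sc: [] for sc in SYSCALLS}
    for sc, c in calls:
        per_sc[sc].append(c)
    vec = []
    for sc in SYSCALLS:
        rows = per_sc[sc]
        for ctr in RATIO_COUNTERS:
            vec.append(sum(r[ctr] / r["instructions"] for r in rows) / len(rows) if rows else 0.0)
        vec.append(len(rows) / len(calls))
    return vec

def fit_scaler(X):
    """Per-feature mean and sample std for z-scoring (std 0 -> 1 avoids /0)."""
    n, d = len(X), len(X[0])
    mean = [sum(r[j] for r in X) / n for j in range(d)]
    std = [math.sqrt(sum((r[j] - mean[j]) ** 2 for r in X) / (n - 1)) or 1.0 for j in range(d)]
    return mean, std

def scale(X, mean, std):
    return [[(x - m) / s for x, m, s in zip(r, mean, std)] for r in X]

def pca_fit(Z, k, iters=300):
    """Top-k components of standardised data by power iteration with deflation.
    Returns (components, explained-variance ratio per component)."""
    n, d = len(Z), len(Z[0])
    C = [[sum(r[i] * r[j] for r in Z) / (n - 1) for j in range(d)] for i in range(d)]
    total = sum(C[i][i] for i in range(d))
    comps, ratios = [], []
    for _ in range(k):
        v = [(i * 7919) % 13 + 1.0 for i in range(d)]        # fixed non-degenerate start
        for _ in range(iters):
            w = [sum(C[i][j] * v[j] for j in range(d)) for i in range(d)]
            norm = math.sqrt(sum(x * x for x in w)) or 1.0
            v = [x / norm for x in w]
        lam = sum(v[i] * C[i][j] * v[j] for i in range(d) for j in range(d))
        comps.append(v)
        ratios.append(lam / total)
        for i in range(d):                                    # deflate the found component
            for j in range(d):
                C[i][j] -= lam * v[i] * v[j]
    return comps, ratios

def project(Z, comps):
    return [[sum(a * b for a, b in zip(r, c)) for c in comps] for r in Z]

def centroid(P):
    return [sum(p[j] for p in P) / len(P) for j in range(len(P[0]))]

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def run_pipeline(seed=1, k=2, n_train=40, n_test=20):
    """Train on n_train benign + n_train malicious runs, score n_test of each;
    return detection rate (TPR), false-positive rate and PCA variance ratios."""
    rng = random.Random(seed)
    train = [(make_program(rng, m), m) for m in (False, True) for _ in range(n_train)]
    test = [(make_program(rng, m), m) for m in (False, True) for _ in range(n_test)]
    X = [extract_features(c) for c, _ in train]
    mean, std = fit_scaler(X)
    Z = scale(X, mean, std)
    comps, ratios = pca_fit(Z, k)
    P = project(Z, comps)
    c_ben = centroid([p for p, (_, m) in zip(P, train) if not m])
    c_mal = centroid([p for p, (_, m) in zip(P, train) if m])
    tp = fp = fn = tn = 0
    for calls, m in test:
        p = project(scale([extract_features(calls)], mean, std), comps)[0]
        flagged = dist(p, c_mal) < dist(p, c_ben)   # nearest centroid in PC space
        if flagged and m: tp += 1
        elif flagged: fp += 1
        elif m: fn += 1
        else: tn += 1
    return {"detection_rate": tp / (tp + fn), "false_positive_rate": fp / (fp + tn),
            "explained_variance_ratio": ratios}

if __name__ == "__main__":
    print(run_pipeline())
```

Run it as a script to print the metrics for the synthetic set. The standardisation step is not cosmetic: without it the syscall-frequency features, whose run-to-run variance is large but carries no signal, would dominate the first principal component. On a real host the per-syscall counters have to be read with kernel support (for example perf_event_open() counters sampled at syscall entry and exit), and the figures the paper reports (98.4% detection, 3.1% false positives) are for its own dataset, not something this constructed data reproduces.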

