Abstract
Detection of malicious programs using hardware-based features has gained prominence recently. Tamper-resistant hardware metrics are a better security feature than high-level software metrics, which can be easily obfuscated. Hardware Performance Counters (HPCs), built into most recent processors, are often the hardware metric of choice for researchers. However, the lack of determinism in their counts lowers the malware detection rate and limits the advantage of HPCs. To overcome this problem, we propose a three-step methodology for fine-grained malware detection. In the first step, we extract the HPC values for each system call of an unknown program. Next, we apply dimensionality reduction to the fine-grained data to identify the components with maximum variance. Finally, we use a machine learning classifier to label the unknown program as benign or malicious. Our methodology achieves a 98.4% detection rate with a 3.1% false-positive rate, a significant improvement over other recent work in hardware-based anomaly detection.
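The three steps the abstract describes (per-system-call HPC features, dimensionality reduction, classification), as an added, runnable illustration. This is not the paper's code: the counter names, the monitored syscall set, the traces (generated, not measured) and the choice of k-nearest-neighbours as the classifier are all assumptions made here, and PCA is done by power iteration so the block needs only the standard library.

```python
import math
import random

# Assumed counter and syscall sets; a real deployment uses the perf events and
# syscalls its platform actually exposes.
COUNTERS = ("instructions", "branch-misses", "cache-misses", "page-faults")
SYSCALLS = ("read", "write", "mmap")


def featurize(trace):
    """Step 1: one run's per-syscall HPC samples -> fixed-length vector.
    trace is a list of (syscall_name, {counter: count}); the vector holds, for
    every syscall, the mean of every counter over that syscall's invocations
    (0.0 if the syscall never occurred)."""
    sums = {s: [0.0] * len(COUNTERS) for s in SYSCALLS}
    calls = {s: 0 for s in SYSCALLS}
    for name, counts in trace:
        if name not in sums:
            continue  # syscalls outside the monitored set are ignored
        calls[name] += 1
        for i, c in enumerate(COUNTERS):
            sums[name][i] += counts[c]
    vec = []
    for s in SYSCALLS:
        vec.extend(v / calls[s] if calls[s] else 0.0 for v in sums[s])
    return vec


def zscore_fit(X):
    """Per-feature mean and standard deviation (a zero std is mapped to 1)."""
    d = len(X[0])
    mean = [sum(r[i] for r in X) / len(X) for i in range(d)]
    std = [math.sqrt(sum((r[i] - mean[i]) ** 2 for r in X) / len(X)) or 1.0
           for i in range(d)]
    return mean, std


def zscore(X, mean, std):
    return [[(r[i] - mean[i]) / std[i] for i in range(len(r))] for r in X]


def pca_fit(Z, k, iters=300):
    """Step 2: top-k principal components of standardised data Z, found by
    power iteration with deflation on the sample covariance matrix."""
    n, d = len(Z), len(Z[0])
    C = [[sum(r[i] * r[j] for r in Z) / (n - 1) for j in range(d)] for i in range(d)]
    comps = []
    for _ in range(k):
        v = [1.0 / math.sqrt(d)] * d
        for _ in range(iters):
            w = [sum(C[i][j] * v[j] for j in range(d)) for i in range(d)]
            norm = math.sqrt(sum(x * x for x in w)) or 1.0
            v = [x / norm for x in w]
        lam = sum(v[i] * sum(C[i][j] * v[j] for j in range(d)) for i in range(d))
        comps.append(v)
        for i in range(d):  # deflate so the next pass finds the next component
            for j in range(d):
                C[i][j] -= lam * v[i] * v[j]
    return comps


def project(Z, comps):
    return [[sum(r[i] * c[i] for i in range(len(r))) for c in comps] for r in Z]


def knn_predict(train, labels, x, k=3):
    """Step 3: majority vote among the k nearest training points (1 = malicious)."""
    nearest = sorted((math.dist(x, t), y) for t, y in zip(train, labels))[:k]
    return 1 if sum(y for _, y in nearest) * 2 > k else 0


def synth_trace(rng, malicious):
    """Constructed trace, not measured data. Malicious runs carry extra cache and
    branch misses on mmap/write; the Gaussian noise stands in for run-to-run
    HPC non-determinism."""
    names = list(SYSCALLS) + [rng.choice(SYSCALLS) for _ in range(rng.randint(25, 40))]
    trace = []
    for name in names:
        base = {"instructions": 2000.0, "branch-misses": 20.0,
                "cache-misses": 30.0, "page-faults": 1.0}
        if malicious and name in ("mmap", "write"):
            base["cache-misses"] += 40.0
            base["branch-misses"] += 15.0
        counts = {c: max(0.0, v + rng.gauss(0.0, 0.15 * v + 1.0)) for c, v in base.items()}
        trace.append((name, counts))
    return trace


def run_pipeline(seed=1, n_train=60, n_test=40, k=2):
    """Train on constructed traces; return detection and false-positive rates."""
    rng = random.Random(seed)

    def make(n):
        labels = [i % 2 for i in range(n)]
        return [featurize(synth_trace(rng, bool(y))) for y in labels], labels

    Xtr, ytr = make(n_train)
    Xte, yte = make(n_test)
    mean, std = zscore_fit(Xtr)  # scaling and PCA are fit on training data only
    Ztr, Zte = zscore(Xtr, mean, std), zscore(Xte, mean, std)
    comps = pca_fit(Ztr, k)
    Ptr, Pte = project(Ztr, comps), project(Zte, comps)
    preds = [knn_predict(Ptr, ytr, p) for p in Pte]
    tp = sum(1 for p, y in zip(preds, yte) if p == 1 and y == 1)
    fp = sum(1 for p, y in zip(preds, yte) if p == 1 and y == 0)
    return {"detection_rate": tp / sum(yte),
            "false_positive_rate": fp / (len(yte) - sum(yte))}


if __name__ == "__main__":
    print(run_pipeline())
```

The rates this prints describe the constructed data only and say nothing about the paper's 98.4% / 3.1% figures. Two practitioner caveats the pipeline makes visible: scaling and PCA must be fit on the training split alone, otherwise test-set statistics leak into the model; and HPC counts drift with interrupts, context switches and frequency scaling, and the same event name can map to different hardware on different microarchitectures, so traces for training and deployment should be collected with the same counter set on the same class of machine, with the monitored process pinned where possible.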
Hardware Performance Counter-Based Fine-Grained Malware Detection