Micro-architectural Features for Malware Detection

  • Conference paper

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 626))

Abstract

As the variety and complexity of attacks continue to increase, software-based malware detection imposes a significant performance overhead. Recent work has demonstrated that online malware detection with hardware performance counters (HPCs) is feasible, so equipping a detector to collect and analyze the micro-architectural features of the CPU and recognize malware at runtime has become a promising approach. Compared with software-based detection, hardware-based detection both costs less system performance and achieves better detection capacity. However, the HPCs available in prevailing CPUs such as Intel and ARM expose hundreds of micro-architectural events, only a few of which can be counted simultaneously, so the events to monitor must be chosen carefully. In this paper we take an Intel Ivy Bridge Core i3 processor as an example and examine most of these micro-architectural features. Instead of relying on experience, we apply the Lasso algorithm to reduce the feature vector to 6 elements, and then train 4 supervised-learning classifiers on the selected features. Classification accuracy improves by 15% on average. The results show that the micro-architectural features selected in this paper reveal the behavior of malware better.
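The pipeline the abstract describes, as an added example that is not code from the paper: counter readings are standardized, the Lasso (written out directly as cyclic coordinate descent with soft-thresholding) zeroes the weights of uninformative events, and a classifier is trained only on the survivors. The twelve event names, the synthetic samples (three events carry class signal, nine are noise) and the nearest-centroid classifier are assumptions for illustration; the paper's measured Ivy Bridge data, its six selected events and its four classifiers do not appear on this page.

```python
"""Lasso-driven selection of HPC events for a malware classifier (added illustration).

Pure Python, no third-party libraries.  Event names, the synthetic counter samples and
the nearest-centroid classifier are placeholders standing in for the paper's Ivy Bridge
measurements and its four classifiers, none of which appear on this page.
"""
import math
import random

# Hypothetical event names (the paper's final six events are not listed on this page).
EVENTS = ["branch_misses", "itlb_misses", "l1i_misses", "icache_stalls", "l2_misses",
          "dtlb_misses", "sb_stalls", "uops_retired", "br_taken", "l1d_misses", "loads", "cycles"]
# Constructed ground truth: only these events separate the classes (index -> mean shift).
SIGNAL = {0: 2.0, 1: 1.5, 2: 1.25}


def make_dataset(n=1600, seed=7):
    """Constructed samples: one row of per-window counter deltas per sample.
    Label +1 = malware, -1 = benign, exactly balanced; non-signal events are pure noise."""
    rng = random.Random(seed)
    X, y = [], []
    for i in range(n):
        label = 1.0 if i % 2 else -1.0
        row = [rng.gauss(0.0, 1.0) for _ in EVENTS]
        for j, shift in SIGNAL.items():
            row[j] += shift * label
        X.append(row)
        y.append(label)
    return X, y


def standardize(X):
    """Z-score each column with the population std, so every column has unit variance."""
    n, p = len(X), len(X[0])
    means = [sum(r[j] for r in X) / n for j in range(p)]
    stds = [math.sqrt(sum((r[j] - means[j]) ** 2 for r in X) / n) or 1.0 for j in range(p)]
    return [[(r[j] - means[j]) / stds[j] for j in range(p)] for r in X]


def soft_threshold(z, lam):
    """Lasso shrinkage operator: sign(z) * max(|z| - lam, 0)."""
    if z > lam:
        return z - lam
    if z < -lam:
        return z + lam
    return 0.0


def lasso(Z, y, lam, max_sweeps=1000, tol=1e-7):
    """Cyclic coordinate descent for (1/2n)*||y - Zw||^2 + lam*||w||_1.
    Z must be standardized; y is centered here.  Zeroed weights are the dropped events."""
    n, p = len(Z), len(Z[0])
    cols = [[Z[i][j] for i in range(n)] for j in range(p)]
    ybar = sum(y) / n
    r = [yi - ybar for yi in y]                 # residual for w = 0
    w = [0.0] * p
    for _ in range(max_sweeps):
        max_delta = 0.0
        for j, col in enumerate(cols):
            # correlation of event j with the partial residual (its own contribution added back)
            rho = sum(c * ri for c, ri in zip(col, r)) / n + w[j]
            new = soft_threshold(rho, lam)      # unit-variance column: no division needed
            delta = new - w[j]
            if delta:
                r = [ri - c * delta for ri, c in zip(r, col)]
                w[j] = new
                max_delta = max(max_delta, abs(delta))
        if max_delta < tol:
            break
    return w


def select_features(Z, y, lam=0.1):
    """Indices of events with a non-zero Lasso weight at penalty lam."""
    return [j for j, wj in enumerate(lasso(Z, y, lam)) if wj != 0.0]


def nearest_centroid_accuracy(Z, y, features, n_train):
    """Fit class centroids on the chosen columns of the first n_train rows; score the rest."""
    def project(row):
        return [row[j] for j in features]

    centroids = {}
    for label in (-1.0, 1.0):
        rows = [project(Z[i]) for i in range(n_train) if y[i] == label]
        centroids[label] = [sum(v) / len(rows) for v in zip(*rows)]

    def predict(row):
        pr = project(row)
        return min(centroids, key=lambda k: sum((a - b) ** 2 for a, b in zip(pr, centroids[k])))

    test = range(n_train, len(Z))
    return sum(predict(Z[i]) == y[i] for i in test) / len(test)


def run_pipeline(lam=0.1):
    X, y = make_dataset()
    Z = standardize(X)
    chosen = select_features(Z, y, lam)
    acc = nearest_centroid_accuracy(Z, y, chosen, n_train=len(Z) * 3 // 4)
    return {"selected": chosen, "events": [EVENTS[j] for j in chosen], "accuracy": acc}


if __name__ == "__main__":
    result = run_pipeline()
    print("Lasso kept:", result["events"])
    print("hold-out accuracy on kept events: %.3f" % result["accuracy"])
```

At lam=0.1 the constructed signal events survive and the noise events are zeroed; raising lam toward the largest absolute feature/label correlation drops events one at a time, which is how a selection is shrunk to fit the handful of counters a PMU can program at once. On real hardware the rows would be per-window counter deltas from perf or VTune, and new windows must be standardized with the training means and standard deviations rather than re-fitted ones.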



Acknowledgment

This work is supported by the Natural Science Foundation of China (No. 61402321) and the Natural Science Foundation of Tianjin (No. 15JCQNJC00100).

Author information

Correspondence to Jizeng Wei.

Copyright information

© 2016 Springer Science+Business Media Singapore

About this paper

Cite this paper

Peng, H., Wei, J., Guo, W. (2016). Micro-architectural Features for Malware Detection. In: Wu, J., Li, L. (eds) Advanced Computer Architecture. ACA 2016. Communications in Computer and Information Science, vol 626. Springer, Singapore. https://doi.org/10.1007/978-981-10-2209-8_5

  • DOI: https://doi.org/10.1007/978-981-10-2209-8_5

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-10-2208-1

  • Online ISBN: 978-981-10-2209-8
