Skip to main content
SpringerLink
Log in

A novel method for malware detection based on hardware events using deep neural networks

  • Original Paper
  • Published:
Journal of Computer Virology and Hacking Techniques Aims and scope Submit manuscript

Abstract

With the increasing availability of internet access, the number of malware is growing dramatically. So, defence against malware is an important issue in the security of computers and networks. Hence, malware detection systems are important. The most common method for malware detection is a signature-based technique. Nowadays, malware attempt to deceive all kinds of anti-malware, using obfuscation mechanisms and polymorphic behaviours, thus this method is not able to detect such malware and is not very effective. One way to deal with these types of malware is through dynamic malware analysis that requires executing the malware and monitoring its behaviour. In this paper, a novel dynamic malware detection method is presented which utilizes hardware events during file execution such as hardware port status, CPU internal status, main memory status, etc., as features of the classification model. Then, two Deep Neural Network (DNN) based algorithms, Convolutional Neural Network (CNN) and Long Short-Term Memory (LSTM), are used to construct the machine learning model. Finally, the voting network is used between the outputs of CNNs and the LSTM network, and the label of the suspicious sample is determined. The results show that the combination of hardware events as feature inputs, with LSTM and voting network can be effective in detecting new malware.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9

Similar content being viewed by others

References

  1. Nash, T.: An Undirected Attack Against Critical Infrastructure. 1.2, 1–10 (2005)

  2. The AV-Test Institute. current malware statistics. https://www.av-test.org/en/statistics/malware (2019), Accessed 22 Jan 2020

  3. Idika, N., Mathur, A.P.: A Survey of Malware Detection Techniques. SERC Tech, Reports (2007)

    Google Scholar 

  4. Farrokhmanesh, M., Hamzeh, A.: Music classification as a new approach for malware detection. J. Comput. Virol. Hacking Tech. 15, 77–96 (2019)

    Article  Google Scholar 

  5. Rhode, M., Burnap, P., Jones, K.: Early-stage malware prediction using recurrent neural networks. Comput. Secur. 77, 578–594 (2018)

    Article  Google Scholar 

  6. Saleh, M., Li, T., Xu, S.: Multi-context features for detecting malicious programs. J. Comput. Virol. Hacking Tech. 14, 181–193 (2018)

    Article  Google Scholar 

  7. Bazrafshan, Z., Hashemi, H., Fard, S.M.H., Hamzeh, A.: A survey on heuristic malware detection techniques. In: IKT 2013–2013 5th Conference on Information and Knowledge Technology, pp. 113–120 (2013)

  8. Das, S., Xiao, H., Liu, Y., & Zhang, W.: Online malware defense using attack behavior model. In 2016 IEEE International Symposium on Circuits and Systems (ISCAS), 1322–1325 (2016)

  9. Mosli, R., Li, R., Yuan, B., Pan, Y.: Automated malware detection using artifacts in forensic memory images. 2016 IEEE Symp. Technol. Homel. Secur. HST 2016. (2016).

  10. Intel VTune Amplifier 2019. https://software.intel.com/en-us/intel-vtune-amplifier-xe (2019), Accessed 31 Dec 2019

  11. Nataraj, L., Karthikeyan, S., Jacob, G., Manjunath, B.S.: Malware images: Visualization and automatic classification. ACM Int. Conf. Proceeding Ser. (2011)

  12. Manavi, F., Hamzeh, A.: A new approach for malware detection based on evolutionary algorithm. GECCO 2019 Companion - Proc. 2019 Genet. Evol. Comput. Conf. Companion. 1619–1624 (2019)

  13. Cui, Z., Xue, F., Cai, X., Cao, Y., Wang, G.G., Chen, J.: Detection of malicious code variants based on deep learning. IEEE Trans. Ind. Informatics. 14, 3187–3196 (2018)

    Article  Google Scholar 

  14. Bakhshinejad, N., Hamzeh, A.: Parallel-CNN network for malware detection. IET Inf. Secur. 14, 210–219 (2020)

    Article  Google Scholar 

  15. Ghiasi, M., Sami, A., Salehi, Z.: Dynamic vsa: a framework for malware detection based on register contents. Eng. Appl. Artif. Intell. 44, 111–122 (2015)

    Article  Google Scholar 

  16. Guo, W., Wang, T., Wei, J.: Malware detection with convolutional neural network using hardware events. Commun. Comput. Inf. Sci. 600, 104–115 (2018)

    Google Scholar 

  17. Dictionary of Hardware. https://www.techopedia.com, Accessed 7 July 2019

  18. Intel Processor Events Reference. https://software.intel.com/en-us/vtune-help-intel-processor-events-reference, Accessed 23 July 2019

  19. Intel VTune Amplifier: Intel Processor Events Reference. https://scc.ustc.edu.cn/zlsc/tc4600/intel/2017.0.098/vtune_amplifier_xe/help/GUID-ECB96402-717C-4DAA-B127-85972AF4CB4F.html, Accessed 23 July 2019

  20. CS231n Convolutional Neural Networks for Visual Recognition. https://cs231n.github.io, Accessed 7 Dec 2019

  21. Camacho, C.: Convolutional Neural Networks. https://sezannec.github.io, Accessed 7 Dec 2019

  22. Haridas, R., Jyothi, R.L.: Convolutional neural networks: A comprehensive survey. Int. J. Appl. Eng. Res. 14, 780–789 (2019)

    Article  Google Scholar 

  23. Fully Connected Layers in Convolutional Neural Networks. https://missinglink.ai, Accessed 22 Nov 2019

  24. Ororbia, A., Mali, A., Giles, C. L., & Kifer, D.: Continual learning of recurrent neural networks by locally aligning distributed representations. IEEE Transactions on Neural Networks and Learning Systems. 1–13 (2018)

  25. Olah, C. Understanding LSTM Networks. http://colah.github.io (2018), Accessed by 8 Dec 2019

  26. Nguyen, M.: Illustrated Guide to LSTM's and GRU's: A step by step explanation. https://towardsdatascience.com (2018), Accessed 7 Dec 2019

  27. Cho, K., van Merrienboer, B., Gulcehre, C., Bahdanau, D., Bougares, F., Schwenk, H., Bengio, Y.: Supplementary Material Learning Phrase Representations using RNN Encoder–Decoder for Statistical Machine Translation. In: Proceedings of the 2014 conference on empirical methods in natural language processing (EMNLP). 1724–1734 (2014)

  28. Schmidhuber, J.: Deep Learning in neural networks: An overview. Neural Netw. 61, 85–117 (2015). https://doi.org/10.1016/j.neunet.2014.09.003

    Article  Google Scholar 

  29. Zhao, Z., Chen, W., Wu, X., Chen, P.C.V., Liu, J.: LSTM network: A deep learning approach for short-term traffic forecast. IET Image Process. 11, 68–75 (2017)

    Google Scholar 

  30. PortableApps.com. https://portableapps.com/2019, Accessed 13 Jan 2019

  31. SnapFiles.com. https://snapfiles.com/2019, Accessed 17 Jan 2019

  32. VirusShare.com. https://virusshare.com/2019, Accessed 19 Jan 2019

  33. VMware's Vix in python. https://pypi.org, Accessed 22 Feb 2019

  34. Keras Documentation. https://keras.io, Accessed 20 Feb 2019

  35. Pedregosa, F., Varoquaux, G., Gramfort, A., Michel, V., Thirion, B., Grisel, O., Blondel, M., Prettenhofer, P., Weiss, R., Dubourg, V., Vanderplas, J., Passos, A., Cournapeau, D., Brucher, M., Perrot, M., Duchesnay, É.: Scikit-learn: Machine learning in Python. J. Mach. Learn. Res. 12, 2825–2830 (2011)

    MathSciNet  MATH  Google Scholar 

  36. kohavi, R.: A study of cross-validation and bootstrap for accuracy estimation and model selection. In Ijacai, Stanford, CA. 14, 1137–1145 (1995)

  37. Powers, D.M.: Evaluation: from precision, recall and F-measure to ROC, informedness, markedness and correlation. J. Mach. Learn. Technol. 2(1), 37–39 (2011)

    MathSciNet  Google Scholar 

  38. Hashemi, H., Hamzeh, A.: Visual malware detection using local malicious pattern. J. Comput. Virol. Hacking Tech. 15, (2019)

Download references

Author information

Authors and Affiliations

  1. Computer Science and Engineering and Information Technology Department, Shiraz University, Shiraz, Iran

    Hadis Ghanei, Farnoush Manavi & Ali Hamzeh

Authors
  1. Hadis Ghanei
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Farnoush Manavi
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Ali Hamzeh
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Hadis Ghanei.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Ghanei, H., Manavi, F. & Hamzeh, A. A novel method for malware detection based on hardware events using deep neural networks. J Comput Virol Hack Tech 17, 319–331 (2021). https://doi.org/10.1007/s11416-021-00386-y

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11416-021-00386-y

Keywords

Search

Navigation