Adaptive-HMD: Accurate and Cost-Efficient Machine Learning-Driven Malware Detection using Microarchitectural Events

To address the high complexity and computational overheads of conventional software-based detection techniques, Hardware Malware Detection (HMD) has shown promising results as an alternative anomaly detection solution. HMD methods apply Machine Learning (ML) classifiers on microarchitectural events monitored by built-in Hardware Performance Counter (HPC) registers available in modern microprocessors to recognize the patterns of anomalies (e.g., signatures of malicious applications). Existing hardware malware detection solutions have mainly focused on utilizing standard ML algorithms to detect the existence of malware without considering an adaptive and cost-efficient approach for online malware detection. Our comprehensive analysis across a wide range of malicious software applications and different branches of machine learning algorithms indicates that the type of adopted ML algorithm to detect malicious applications at the hardware level highly correlates with the type of the examined malware, and the ultimate performance evaluation metric (F-measure, robustness, latency, detection rate/cost, etc.) to select the most efficient ML model for distinguishing the target malware from benign program. Therefore, in this work we propose Adaptive-HMD, an accurate and cost-efficient machine learning-driven framework for online malware detection using low-level microarchitectural events collected from HPC registers. Adaptive-HMD is equipped with a lightweight tree-based decision-making algorithm that accurately selects the most efficient ML model to be used for the inference in online malware detection according to the users' preference and optimal performance vs. cost (hardware overhead and latency) criteria. The experimental results demonstrate that Adaptive-HMD achieves up to 94% detection rate (F-measure) while improving the cost-efficiency of ML-based malware detection by more than 5X as compared to existing ensemble-based malware detection methods.