Runtime Malware Detection Using Embedded Trace Buffers

Anti-virus software (AVS) is used to detect malware on a system, but AVS itself is vulnerable to attack: a malicious entity can exploit those vulnerabilities to subvert it. Recently, hardware components such as hardware performance counters have been used for malware detection. In this article, we propose PREEMPT (preempts malware by examining embedded processor traces), a zero-overhead, high-accuracy, low-latency technique that detects malware by repurposing the embedded trace buffer (ETB), a debug hardware component available in most modern processors. The ETB is used for post-silicon validation and debug; it allows us to control and monitor the internal activities of a chip beyond what is observable at the input/output pins. PREEMPT combines these hardware-level observations with machine-learning-based classifiers to preempt malware before it causes damage. Reusing the ETB for malware detection brings increased robustness against attacks and no performance penalty, since the trace hardware already exists and runs alongside the core. PREEMPT detects malware on an OpenSPARC T1 core running the Linux operating system with an F1-score of 96.6%.
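The following is an added example, not the paper's implementation, that walks through the pipeline the abstract describes end to end: trace records from an ETB-style source are cut into fixed-size windows, each window is turned into a feature vector, a classifier is trained on labelled windows, and the result is scored with the F1 metric the abstract reports. Everything concrete in it is an assumption made for illustration: the record format `(pc, opcode_class)`, the six opcode classes, the window width, the nearest-centroid classifier, and the two synthetic class mixes used to generate the traces. The abstract does not state which trace fields, features or classifier PREEMPT uses.

```python
"""
Added example: a toy end-to-end version of an ETB-trace malware detector
(trace records -> windowed features -> classifier -> F1 score).
Illustrative code only, not the paper's implementation. The trace record
format, opcode classes, window width and classifier are assumptions, and
the traces are constructed synthetically with fixed random seeds.
"""
import math
import random
from collections import Counter

# Assumed opcode classes that a trace decoder could expose per record.
OPCODE_CLASSES = ("alu", "ld", "st", "br", "call", "ret")

# Constructed class mixes for synthetic traces. The "malicious" mix is just
# a different distribution (heavier call/ret churn) used to exercise the
# pipeline; it is not a model of any real malware.
BENIGN_MIX = {"alu": 0.45, "ld": 0.20, "st": 0.15, "br": 0.15, "call": 0.03, "ret": 0.02}
MALICIOUS_MIX = {"alu": 0.20, "ld": 0.10, "st": 0.20, "br": 0.10, "call": 0.20, "ret": 0.20}


def gen_trace(rng, mix, length, start_pc=0x10000):
    """Return a list of (pc, opcode_class) records drawn from `mix`."""
    classes = list(mix)
    weights = [mix[c] for c in classes]
    pc, trace = start_pc, []
    for _ in range(length):
        trace.append((pc, rng.choices(classes, weights)[0]))
        pc += 4  # fixed-width encoding assumed; the PC is not used as a feature
    return trace


def window_features(trace, width):
    """Normalised opcode-class histogram for each non-overlapping window."""
    feats = []
    for i in range(0, len(trace) - width + 1, width):
        counts = Counter(op for _, op in trace[i:i + width])
        feats.append(tuple(counts[c] / width for c in OPCODE_CLASSES))
    return feats


def train_centroids(features, labels):
    """Nearest-centroid classifier: one mean feature vector per label."""
    sums, n = {}, Counter()
    for vec, lab in zip(features, labels):
        acc = sums.setdefault(lab, [0.0] * len(vec))
        for k, v in enumerate(vec):
            acc[k] += v
        n[lab] += 1
    return {lab: tuple(v / n[lab] for v in acc) for lab, acc in sums.items()}


def predict(centroids, vec):
    """Label whose centroid is closest (Euclidean) to the feature vector."""
    return min(centroids, key=lambda lab: math.dist(centroids[lab], vec))


def f1_score(y_true, y_pred, positive="malicious"):
    """F1 = harmonic mean of precision and recall for the positive label."""
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == p == positive)
    fp = sum(1 for t, p in zip(y_true, y_pred) if p == positive and t != positive)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == positive and p != positive)
    if tp == 0:
        return 0.0
    precision, recall = tp / (tp + fp), tp / (tp + fn)
    return 2 * precision * recall / (precision + recall)


def first_alert(centroids, trace, width):
    """Index of the first window flagged malicious (detection latency), or None."""
    for i, vec in enumerate(window_features(trace, width)):
        if predict(centroids, vec) == "malicious":
            return i
    return None


def run_demo(seed=1, width=64, windows_per_class=200):
    """Train on synthetic windows, score held-out windows, time a benign->malicious switch."""
    rng = random.Random(seed)
    n = width * windows_per_class
    train_x, train_y = [], []
    for lab, mix in (("benign", BENIGN_MIX), ("malicious", MALICIOUS_MIX)):
        train_x += window_features(gen_trace(rng, mix, n), width)
        train_y += [lab] * windows_per_class
    model = train_centroids(train_x, train_y)

    test_x, test_y = [], []
    for lab, mix in (("benign", BENIGN_MIX), ("malicious", MALICIOUS_MIX)):
        test_x += window_features(gen_trace(rng, mix, n // 4), width)
        test_y += [lab] * (windows_per_class // 4)
    preds = [predict(model, v) for v in test_x]

    # A trace that runs benign for 10 windows, then switches to the malicious mix.
    mixed = gen_trace(rng, BENIGN_MIX, width * 10) + gen_trace(rng, MALICIOUS_MIX, width * 10)
    return {"f1": f1_score(test_y, preds), "first_alert": first_alert(model, mixed, width)}


if __name__ == "__main__":
    print(run_demo())
```

The `first_alert` index is the quantity a low-latency detector cares about: with non-overlapping windows it is the number of windows the malicious phase ran before the classifier fired, so a smaller window trades classification noise for earlier alerts. The synthetic mixes here are deliberately far apart; on real traces the two classes overlap, which is why the abstract reports an F1-score rather than perfect accuracy.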