HPCMalHunter: Behavioral malware detection using hardware performance counters and singular value decomposition

Malicious programs, also known as malware, often use code obfuscation techniques to make static analysis more difficult and to evade signature-based detection. To resolve this problem, various behavioral detection techniques have been proposed that focus on the run-time behaviors of programs in order to dynamically detect malicious ones. Most of these techniques describe the run-time behavior of a program on the basis of its data flow and/or its system call traces. Recent work in behavioral malware detection has shown promise in using hardware performance counters (HPCs), which are a set of special-purpose registers built into modern processors providing detailed information about hardware and software events. In this paper, we pursue this line of research by presenting HPCMalHunter, a novel approach for real-time behavioral malware detection. HPCMalHunter uses HPCs to collect a set of event vectors from the beginning of a program's execution. It also uses the singular value decomposition (SVD) to reduce these event vectors and generate a behavioral vector for the program. By applying support vector machines (SVMs) to the feature vectors of different programs, it is able to identify malicious programs in real-time. Our results of experiments show that HPCMalHunter can detect malicious programs at the beginning of their execution with a high detection rate and a low false alarm rate.

[1]  Christopher Krügel,et al.  A survey on automated dynamic malware-analysis techniques and tools , 2012, CSUR.

[2]  Chih-Jen Lin,et al.  LIBSVM: A library for support vector machines , 2011, TIST.

[3]  Jeffrey S. Chase,et al.  Correlating Instrumentation Data to System States: A Building Block for Automated Diagnosis and Control , 2004, OSDI.

[4]  Ingrid Verbauwhede,et al.  Exploiting Hardware Performance Counters , 2008, 2008 5th Workshop on Fault Diagnosis and Tolerance in Cryptography.

[5]  Margaret Martonosi,et al.  Power prediction for Intel XScale/spl reg/ processors using performance monitoring unit events , 2005, ISLPED '05. Proceedings of the 2005 International Symposium on Low Power Electronics and Design, 2005..

[6]  Ramesh Karri,et al.  Are hardware performance counters a cost effective way for integrity checking of programs , 2011, STC '11.

[7]  Jack J. Dongarra,et al.  A Portable Programming Interface for Performance Evaluation on Modern Processors , 2000, Int. J. High Perform. Comput. Appl..

[8]  Corinna Cortes,et al.  Support-Vector Networks , 1995, Machine Learning.

[9]  Claudia Eckert,et al.  Using Hardware Performance Events for Instruction-Level Monitoring on the x86 Architecture , 2012 .

[10]  Heng Yin,et al.  Dynamic Spyware Analysis , 2007, USENIX Annual Technical Conference.

[11]  Robert H. Halstead,et al.  Matrix Computations , 2011, Encyclopedia of Parallel Computing.

[12]  Fabrice Bellard,et al.  QEMU, a Fast and Portable Dynamic Translator , 2005, USENIX Annual Technical Conference, FREENIX Track.

[13]  Gilberto Contreras,et al.  Power prediction for Intel XScale processors using performance monitoring unit events , 2005 .

[14]  Christopher Krügel,et al.  Limits of Static Analysis for Malware Detection , 2007, Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007).

[15]  Somesh Jha,et al.  Mining specifications of malicious behavior , 2008, ISEC '08.

[16]  Christopher Krügel,et al.  Scalable, Behavior-Based Malware Clustering , 2009, NDSS.

[17]  Haibo Chen,et al.  Security breaches as PMU deviation: detecting and identifying security attacks using performance counters , 2011, APSys.

[18]  Mahdi Abadi,et al.  MalHunter: Automatic generation of multiple behavioral signatures for polymorphic malware detection , 2013, ICCKE 2013.

[19]  Salvatore J. Stolfo,et al.  On the feasibility of online malware detection with performance counters , 2013, ISCA.

[20]  Gholamreza Anbarjafari,et al.  Lossy image compression using singular value decomposition and wavelet difference reduction , 2014, Digit. Signal Process..

[21]  Ian Pratt,et al.  Hyper-Threading Aware Process Scheduling Heuristics , 2005, USENIX Annual Technical Conference, General Track.

[22]  Heng Yin,et al.  Panorama: capturing system-wide information flow for malware detection and analysis , 2007, CCS '07.

[23]  Mahdi Abadi,et al.  An energy-efficient anomaly detection approach for wireless sensor networks , 2010, 2010 5th International Symposium on Telecommunications.

[24]  Yuval Elovici,et al.  Detection of malicious code by applying machine learning classifiers on static features: A state-of-the-art survey , 2009, Inf. Secur. Tech. Rep..

[25]  Angelos D. Keromytis,et al.  Transparent ROP Exploit Mitigation Using Indirect Branch Tracing , 2013, USENIX Security Symposium.

[26]  Christopher Krügel,et al.  AccessMiner: using system-centric models for malware protection , 2010, CCS '10.

[27]  Eric Filiol,et al.  Behavioral detection of malware: from a survey towards an established taxonomy , 2008, Journal in Computer Virology.