HLMD: a signature-based approach to hardware-level behavioral malware detection and classification

Malicious programs, or malware, often use code obfuscation techniques to make static analysis difficult. To deal with this problem, various behavioral detection techniques have been proposed that focus on runtime behavior to distinguish between benign and malicious programs. Most of them are based on analyzing and modeling system call traces, a common type of audit data used to describe the interaction between programs and the operating system. However, these techniques are not widely used in practice because of their high performance overhead. An alternative approach is to perform behavioral detection at the hardware level. The basic idea is to use information that is accessible through hardware performance counters, a set of special-purpose registers built into modern processors that provide detailed information about hardware and software events. In this paper, we pursue this line of research by presenting HLMD, a novel approach that uses behavioral signatures generated from hardware performance counter traces to detect and disable malicious programs at the beginning of their execution. HLMD is especially suitable for independent malicious programs that can be run standalone without having to be attached to a host program. Each behavioral signature is composed of some number of singular values and singular vectors, obtained by applying the singular value decomposition to the hardware performance counter traces of a known malware family. HLMD follows a two-stage heuristic matching strategy that raises detection performance to an acceptable level while keeping the detection complexity linear in the trace length. The results of our experiments on a dataset of benign and malicious programs show that HLMD achieves an average precision, recall, and F-measure of 95.19%, 89.96%, and 92.50%, respectively.
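The following is an added illustration of the signature idea described above and is not HLMD's own code. The abstract only states that a signature consists of singular values and singular vectors computed from a family's HPC traces and that matching is a two-stage, linear-time heuristic; everything else here is an assumption made for the example: the six-event vector per sampling window, the normalization (divide each event by the family's mean count, then unit-normalize each window), the two stages (a cheap cosine check of the trace's mean window against the first singular vector, then a subspace-residual check against all k vectors), the thresholds, and the constructed sample traces. SVD is done by power iteration with deflation in pure Python so that the block runs without numpy.

```python
"""Added example: SVD-based behavioral signatures over HPC traces.

Not HLMD's code. Event set, normalization, matching heuristic, thresholds
and sample traces are assumptions made for illustration.
"""
import math
import random

# Assumed per-window event vector (hypothetical choice of counters).
EVENTS = ["instructions", "branches", "branch-misses",
          "L1-dcache-load-misses", "LLC-load-misses", "page-faults"]


def _dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def _norm(a):
    return math.sqrt(_dot(a, a))


def _unit(a):
    n = _norm(a)
    return [x / n for x in a] if n else list(a)


def _gram(X):
    """d x d matrix X^T X for a list of d-dimensional rows."""
    d = len(X[0])
    C = [[0.0] * d for _ in range(d)]
    for row in X:
        for i in range(d):
            for j in range(d):
                C[i][j] += row[i] * row[j]
    return C


def top_singular(X, k, iters=300, seed=0):
    """Top-k singular values and right singular vectors of X via power
    iteration with deflation on X^T X (numpy.linalg.svd would do the same)."""
    C = _gram(X)
    d = len(C)
    rng = random.Random(seed)
    sigmas, vectors = [], []
    for _ in range(k):
        v = _unit([rng.random() + 0.1 for _ in range(d)])
        for _ in range(iters):
            w = [_dot(C[i], v) for i in range(d)]
            for u in vectors:  # keep orthogonal to directions already found
                c = _dot(w, u)
                w = [wi - c * ui for wi, ui in zip(w, u)]
            if _norm(w) == 0.0:
                break
            v = _unit(w)
        lam = _dot(v, [_dot(C[i], v) for i in range(d)])  # eigenvalue = sigma^2
        sigmas.append(math.sqrt(max(lam, 0.0)))
        vectors.append(v)
        for i in range(d):  # deflate so the next pass finds the next direction
            for j in range(d):
                C[i][j] -= lam * v[i] * v[j]
    return sigmas, vectors


def _prepare(scale, trace):
    """Assumed normalization: per-event scaling, then unit-length windows."""
    return [_unit([r[i] / scale[i] for i in range(len(scale))]) for r in trace]


def build_signature(traces, k=2):
    """traces: HPC traces of one family, each a list of per-window count rows."""
    rows = [r for t in traces for r in t]
    d = len(rows[0])
    scale = [sum(r[i] for r in rows) / len(rows) for i in range(d)]
    sigmas, vectors = top_singular(_prepare(scale, rows), k)
    return {"scale": scale, "sigmas": sigmas, "vectors": vectors}


def subspace_residual(sig, trace):
    """Mean fraction of each window not explained by the signature's vectors."""
    rows = _prepare(sig["scale"], trace)
    total = 0.0
    for x in rows:
        proj = [0.0] * len(x)
        for v in sig["vectors"]:
            c = _dot(x, v)
            proj = [p + c * vi for p, vi in zip(proj, v)]
        total += _norm([xi - pi for xi, pi in zip(x, proj)])
    return total / len(rows)


def match(sig, trace, stage1_cos=0.9, stage2_resid=0.3):
    """Assumed two-stage matcher: cheap cosine of the mean window against the
    first singular vector, then the full subspace residual. Both stages are
    linear in the number of windows. Returns (matched, cos1, residual)."""
    rows = _prepare(sig["scale"], trace)
    mean = [sum(r[i] for r in rows) / len(rows) for i in range(len(rows[0]))]
    cos1 = abs(_dot(_unit(mean), sig["vectors"][0]))
    if cos1 < stage1_cos:
        return False, cos1, None
    resid = subspace_residual(sig, trace)
    return resid < stage2_resid, cos1, resid


def synth_trace(base, windows, noise, seed):
    """Constructed sample trace: counts = base * (1 + noise * N(0,1))."""
    rng = random.Random(seed)
    return [[max(0.0, b * (1.0 + noise * rng.gauss(0.0, 1.0))) for b in base]
            for _ in range(windows)]


FAMILY_BASE = [1000.0, 180.0, 30.0, 60.0, 8.0, 2.0]   # constructed family profile
BENIGN_BASE = [1000.0, 120.0, 4.0, 10.0, 40.0, 20.0]  # constructed benign profile


def demo():
    training = [synth_trace(FAMILY_BASE, 20, 0.1, s) for s in range(5)]
    sig = build_signature(training, k=2)
    fresh = synth_trace(FAMILY_BASE, 10, 0.1, 99)   # unseen sample of the family
    benign = synth_trace(BENIGN_BASE, 10, 0.1, 7)
    return sig, match(sig, fresh), match(sig, benign)


if __name__ == "__main__":
    print(demo()[1:])
```

Because a signature is only k vectors of length d plus k scalars, matching a trace of n windows costs O(n·d·k), which is what makes a "match at the start of execution" check affordable; the thresholds above would have to be calibrated per family on held-out traces.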
