On the feasibility of online malware detection with performance counters
- 23 June 2013
- journal article
- research article
- Published by Association for Computing Machinery (ACM) in ACM SIGARCH Computer Architecture News
- Vol. 41 (3), 559-570
- https://doi.org/10.1145/2508148.2485970
Abstract
The proliferation of computers in any domain is followed by the proliferation of malware in that domain. Systems, including the latest mobile platforms, are laden with viruses, rootkits, spyware, adware and other classes of malware. Despite the existence of anti-virus software, malware threats persist and are growing as there exist a myriad of ways to subvert anti-virus (AV) software. In fact, attackers today exploit bugs in the AV software to break into systems. In this paper, we examine the feasibility of building a malware detector in hardware using existing performance counters. We find that data from performance counters can be used to identify malware and that our detection techniques are robust to minor variations in malware programs. As a result, after examining a small set of variations within a family of malware on Android ARM and Intel Linux platforms, we can detect many variations within that family. Further, our proposed hardware modifications allow the malware detector to run securely beneath the system software, thus setting the stage for AV implementations that are simpler and less buggy than software AV. Combined, the robustness and security of hardware AV techniques have the potential to advance state-of-the-art online malware detection.
Funding Information
- Division of Computing and Communication Foundations (CCF/TC 1054844)
- Synopsys
- Microsoft Research
- Air Force Office of Scientific Research (FA 99500910389)
- WindRiver Corp
- Alfred P. Sloan Foundation
- Defense Advanced Research Projects Agency (FA 865011C7190, FA 87501020253)
- Xilinx