DOI: 10.1145/2485922.2485970
Research article

On the feasibility of online malware detection with performance counters

Published: 23 June 2013

Abstract

The proliferation of computers in any domain is followed by the proliferation of malware in that domain. Systems, including the latest mobile platforms, are laden with viruses, rootkits, spyware, adware and other classes of malware. Despite the existence of anti-virus software, malware threats persist and are growing as there exist a myriad of ways to subvert anti-virus (AV) software. In fact, attackers today exploit bugs in the AV software to break into systems.
In this paper, we examine the feasibility of building a malware detector in hardware using existing performance counters. We find that data from performance counters can be used to identify malware and that our detection techniques are robust to minor variations in malware programs. As a result, after examining a small set of variations within a family of malware on Android ARM and Intel Linux platforms, we can detect many variations within that family. Further, our proposed hardware modifications allow the malware detector to run securely beneath the system software, thus setting the stage for AV implementations that are simpler and less buggy than software AV. Combined, the robustness and security of hardware AV techniques have the potential to advance state-of-the-art online malware detection.
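The abstract's central claim is that per-process hardware performance counter data, fed to a classifier, separates malware from benign code and keeps doing so for minor variants within a family. The block below is an added illustration of that pipeline, not code from the paper or its authors: the counter values are constructed numbers standing in for one sampled time slice each, the event set (instructions, branch misses, L1-D misses, loads) and the k-nearest-neighbour classifier are assumptions chosen for clarity, and `build_detector`, `VARIANT_SLICE` and `BENIGN_SLICE` are hypothetical names. It shows the two steps a practitioner would want to see: normalising raw counts into per-instruction rates so the vector does not depend on how much work a slice happened to contain, and standardising those rates before a distance-based vote so no single event dominates.

```python
"""Toy malware detector over hardware performance-counter samples.

Each sample is a dict of event counts for one fixed-length time slice.
All numbers are constructed for the example; nothing here was measured.
"""
from collections import Counter
from math import sqrt

# Assumed event set: one slice = counts of these four events.
EVENTS = ("instructions", "branch_misses", "l1d_misses", "loads")


def slice_(instructions, branch_misses, l1d_misses, loads):
    """Build one constructed counter slice."""
    return dict(zip(EVENTS, (instructions, branch_misses, l1d_misses, loads)))


def to_rates(counts):
    """Normalise raw counts into per-instruction rates.

    Dividing by retired instructions removes the dependence on how long the
    process ran during the slice, so a variant that runs a little faster or
    slower still produces a similar vector.
    """
    n = counts["instructions"]
    if n <= 0:
        raise ValueError("slice retired no instructions")
    return tuple(counts[e] / n for e in EVENTS[1:])


class CounterKNN:
    """k-nearest-neighbour classifier over standardised counter rates."""

    def __init__(self, k=3):
        self.k = k
        self.mean = self.std = None
        self.points = []  # (standardised rate vector, label)

    def _standardise(self, rates):
        # z-score each dimension so cache-miss and branch-miss rates, which
        # live on different scales, contribute comparably to the distance.
        return tuple((r - m) / s for r, m, s in zip(rates, self.mean, self.std))

    def fit(self, samples):
        rates = [to_rates(c) for c, _ in samples]
        dims = len(EVENTS) - 1
        self.mean = tuple(sum(r[d] for r in rates) / len(rates) for d in range(dims))
        self.std = tuple(
            max(sqrt(sum((r[d] - self.mean[d]) ** 2 for r in rates) / len(rates)), 1e-12)
            for d in range(dims)
        )
        self.points = [(self._standardise(r), lab) for r, (_, lab) in zip(rates, samples)]
        return self

    def score(self, counts):
        """Fraction of the k nearest training slices labelled malware (0.0 to 1.0)."""
        q = self._standardise(to_rates(counts))
        ranked = sorted(
            (sqrt(sum((a - b) ** 2 for a, b in zip(q, p))), lab) for p, lab in self.points
        )
        votes = Counter(lab for _, lab in ranked[: self.k])
        return votes["malware"] / self.k

    def predict(self, counts, threshold=0.5):
        return "malware" if self.score(counts) > threshold else "benign"


# Constructed training set: four benign slices and four slices from one
# hypothetical malware family with higher branch-miss and L1-D-miss rates.
TRAINING = [
    (slice_(1_000_000, 8_000, 12_000, 300_000), "benign"),
    (slice_(2_000_000, 15_000, 26_000, 620_000), "benign"),
    (slice_(500_000, 4_500, 5_500, 140_000), "benign"),
    (slice_(1_500_000, 13_500, 16_500, 435_000), "benign"),
    (slice_(800_000, 24_000, 40_000, 360_000), "malware"),
    (slice_(1_200_000, 38_000, 54_000, 552_000), "malware"),
    (slice_(600_000, 17_000, 33_000, 264_000), "malware"),
    (slice_(900_000, 27_900, 46_800, 396_000), "malware"),
]

# Constructed held-out slices: a "minor variant" of the family that was never
# seen in training, and a fresh benign slice.
VARIANT_SLICE = slice_(700_000, 20_300, 32_900, 322_000)
BENIGN_SLICE = slice_(1_100_000, 9_350, 12_650, 319_000)


def build_detector(k=3):
    """Fit the hypothetical detector on the constructed training slices."""
    return CounterKNN(k=k).fit(TRAINING)


if __name__ == "__main__":
    det = build_detector()
    for name, s in (("variant", VARIANT_SLICE), ("benign", BENIGN_SLICE)):
        print(f"{name}: rates={to_rates(s)} score={det.score(s):.2f} -> {det.predict(s)}")
```

The variant slice differs from every training sample in absolute counts, yet after rate normalisation and standardisation it sits among the family's samples and is flagged; the benign slice is not. A real deployment would sample counters continuously per process (for example via the kernel's perf interface) and would need far more than four slices per class, but the normalise-then-classify shape is the same.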


Cited By

  • CMD: Co-analyzed IoT Malware Detection and Forensics via Network and Hardware Domains. IEEE Transactions on Mobile Computing (2024), pp. 1–15. doi:10.1109/TMC.2023.3311012
  • A practical approach for finding anti-debugging routines in the Arm-Linux using hardware tracing. Scientific Reports 14(1), 26 Jun 2024. doi:10.1038/s41598-024-65374-w
  • Guarding Against the Unknown: Deep Transfer Learning for Hardware Image-Based Malware Detection. Journal of Hardware and Systems Security 8(2), pp. 61–78, 15 Mar 2024. doi:10.1007/s41635-024-00146-6
  • Profiling with trust: system monitoring from trusted execution environments. Design Automation for Embedded Systems 28(1), pp. 23–44, 1 Mar 2024. doi:10.1007/s10617-024-09283-1
  • MARF: A Memory-Aware CLFLUSH-Based Intra- and Inter-CPU Side-Channel Attack. Computer Security – ESORICS 2023, pp. 120–140, 12 Jan 2024. doi:10.1007/978-3-031-51479-1_7
  • RansomShield: A Visualization Approach to Defending Mobile Systems Against Ransomware. ACM Transactions on Privacy and Security 26(3), pp. 1–30, 13 Mar 2023. doi:10.1145/3579822
  • Fight Hardware with Hardware: Systemwide Detection and Mitigation of Side-channel Attacks Using Performance Counters. Digital Threats: Research and Practice 4(1), pp. 1–24, 7 Mar 2023. doi:10.1145/3519601
  • Revisiting ARM Debugging Features: Nailgun and its Defense. IEEE Transactions on Dependable and Secure Computing 20(1), pp. 574–589, 1 Jan 2023. doi:10.1109/TDSC.2021.3139840
  • SoCurity: A Design Approach for Enhancing SoC Security. IEEE Computer Architecture Letters 22(2), pp. 105–108, 1 Jul 2023. doi:10.1109/LCA.2023.3301448
  • Image-Based Zero-Day Malware Detection in IoMT Devices: A Hybrid AI-Enabled Method. 2023 24th International Symposium on Quality Electronic Design (ISQED), pp. 1–8, 5 Apr 2023. doi:10.1109/ISQED57927.2023.10129348


Published In

ISCA '13: Proceedings of the 40th Annual International Symposium on Computer Architecture
June 2013, 686 pages
ISBN: 9781450320795
DOI: 10.1145/2485922

Also published in ACM SIGARCH Computer Architecture News, Volume 41, Issue 3 (ISCA '13), June 2013, 666 pages
ISSN: 0163-5964
DOI: 10.1145/2508148
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsor: IEEE CS

Publisher: Association for Computing Machinery, New York, NY, United States


Author Tags

  1. machine learning
  2. malware and its mitigation
  3. malware detection
  4. performance counters
  5. security in hardware

Conference: ISCA '13

Acceptance Rates

ISCA '13: 56 of 288 submissions accepted (19%)
Overall: 543 of 3,203 submissions accepted (17%)

Article Metrics

  • Downloads (last 12 months): 148
  • Downloads (last 6 weeks): 9
Reflects downloads up to 04 Jan 2025


