DOI: 10.5555/3195638.3195683
research-article

Quantifying and improving the efficiency of hardware-based mobile malware detectors

Published: 15 October 2016

Abstract

Hardware-based malware detectors (HMDs) are a key emerging technology to build trustworthy systems, especially mobile platforms. Quantifying the efficacy of HMDs against malicious adversaries is thus an important problem. The challenge lies in that real-world malware adapts to defenses, evades being run in experimental settings, and hides behind benign applications. Thus, realizing the potential of HMDs as a small and battery-efficient line of defense requires a rigorous foundation for evaluating HMDs.
We introduce Sherlock---a white-box methodology that quantifies an HMD's ability to detect malware and identify the reason why. Sherlock first deconstructs malware into atomic, orthogonal actions to synthesize a diverse malware suite. Sherlock then drives both malware and benign programs with real user-inputs, and compares their executions to determine an HMD's operating range, i.e., the smallest malware actions an HMD can detect.
We show three case studies using Sherlock to not only quantify HMDs' operating ranges but also design better detectors. First, using information about concrete malware actions, we build a discrete-wavelet-transform-based unsupervised HMD that outperforms prior work based on power transforms by 24.7% (AUC metric). Second, training a supervised HMD on Sherlock's diverse malware dataset yields 12.5% better HMDs than past approaches that train on ad-hoc subsets of malware. Finally, Sherlock shows why a malware instance is detectable. This yields a surprising new result: obfuscation techniques used by malware to evade static analyses make it more detectable by HMDs.
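The abstract describes an unsupervised HMD that applies a discrete wavelet transform to hardware-counter traces and reports its quality as AUC. The following is an added illustration of what such a detector looks like in code; it is not Sherlock, not the authors' code, and the counter traces, window size, Haar wavelet choice, z-score scoring rule and burst pattern are all assumptions constructed for this example. The detector is fitted on benign windows only (no malware labels), scores a trace by how far its per-scale wavelet energy sits from the benign profile, and the rank-based AUC shows how well that score separates constructed benign and malicious traces.

```python
import math
import random


def haar_dwt(signal):
    """Multilevel Haar DWT of a sequence whose length is a power of two.

    Returns n coefficients ordered [approximation, coarsest details, ...,
    finest details]. The transform is orthonormal, so the energy of the
    coefficients equals the energy of the input signal.
    """
    n = len(signal)
    if n == 0 or n & (n - 1):
        raise ValueError("signal length must be a power of two")
    details = []
    approx = [float(x) for x in signal]
    while len(approx) > 1:
        nxt, det = [], []
        for a, b in zip(approx[0::2], approx[1::2]):
            nxt.append((a + b) / math.sqrt(2))
            det.append((a - b) / math.sqrt(2))
        details = det + details  # prepend so coarser levels come first
        approx = nxt
    return approx + details


class WaveletHmd:
    """Unsupervised HMD: fit on benign counter windows only, score by z-score energy."""

    def __init__(self, window=8):
        self.window = window
        self.mean = None
        self.std = None

    def _windows(self, trace):
        # Non-overlapping windows of the counter stream, each mapped to the
        # magnitudes of its Haar coefficients: how much activity sits at each
        # time scale, regardless of sign.
        w = self.window
        return [[abs(c) for c in haar_dwt(trace[i:i + w])]
                for i in range(0, len(trace) - w + 1, w)]

    def fit(self, benign_traces):
        vecs = [v for t in benign_traces for v in self._windows(t)]
        dim = self.window
        self.mean = [sum(v[j] for v in vecs) / len(vecs) for j in range(dim)]
        self.std = [max(1e-6, math.sqrt(sum((v[j] - self.mean[j]) ** 2 for v in vecs) / len(vecs)))
                    for j in range(dim)]
        return self

    def score(self, trace):
        """Mean squared z-score over all coefficients; larger means more anomalous."""
        vecs = self._windows(trace)
        total = 0.0
        for v in vecs:
            total += sum(((x - m) / s) ** 2 for x, m, s in zip(v, self.mean, self.std))
        return total / (len(vecs) * self.window)


def auc(benign_scores, malware_scores):
    """Rank-based AUC: probability that a malware trace outscores a benign one."""
    wins = 0.0
    for m in malware_scores:
        for b in benign_scores:
            wins += 1.0 if m > b else (0.5 if m == b else 0.0)
    return wins / (len(benign_scores) * len(malware_scores))


# Constructed sample traces (not real counter data): one hypothetical counter
# sampled 32 times. Benign runs are steady with small noise; the constructed
# "malware" run adds a burst on every other sample, which concentrates energy
# in the finest-scale detail coefficients.
_rng = random.Random(7)


def make_trace(burst, length=32, base=100.0, noise=5.0):
    return [base + _rng.gauss(0, noise) + (burst if i % 2 else 0.0)
            for i in range(length)]


BENIGN_TRAIN = [make_trace(0.0) for _ in range(20)]
BENIGN_TEST = [make_trace(0.0) for _ in range(10)]
MALWARE_TEST = [make_trace(60.0) for _ in range(10)]


def evaluate():
    """Fit on benign traces only, then return (AUC, benign scores, malware scores)."""
    hmd = WaveletHmd(window=8).fit(BENIGN_TRAIN)
    benign_scores = [hmd.score(t) for t in BENIGN_TEST]
    malware_scores = [hmd.score(t) for t in MALWARE_TEST]
    return auc(benign_scores, malware_scores), benign_scores, malware_scores


if __name__ == "__main__":
    area, b, m = evaluate()
    print(f"AUC={area:.3f}  median benign={sorted(b)[5]:.2f}  median malware={sorted(m)[5]:.2f}")
```

The design point worth noticing is that the detector never sees malware during fitting, which is what makes it "unsupervised" in the sense the abstract uses: its operating range is set entirely by how tightly the benign profile is estimated per scale, so evaluating it honestly requires held-out benign traces as well as malicious ones.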


Cited By

  • (2019) GPUGuard, Proceedings of the ACM International Conference on Supercomputing, doi:10.1145/3330345.3330389, pp. 497-509, online publication date: 26 Jun 2019
  • (2019) PREEMPT, Proceedings of the 56th Annual Design Automation Conference 2019, doi:10.1145/3316781.3317883, pp. 1-6, online publication date: 2 Jun 2019
  • (2018) Hardware Performance Counters Can Detect Malware, Proceedings of the 2018 Asia Conference on Computer and Communications Security, doi:10.1145/3196494.3196515, pp. 457-468, online publication date: 29 May 2018

Published In

MICRO-49: The 49th Annual IEEE/ACM International Symposium on Microarchitecture
October 2016
816 pages

Publisher

IEEE Press

Publication History

Published: 15 October 2016

Qualifiers

  • Research-article

Conference

MICRO-49
Acceptance Rates

Overall Acceptance Rate 484 of 2,242 submissions, 22%

Article Metrics

  • Downloads (last 12 months): 1
  • Downloads (last 6 weeks): 0
Reflects downloads up to 13 Nov 2024
