research-article
Open access

Hardware Performance Counter-Based Malware Identification and Detection with Adaptive Compressive Sensing

Published: 28 March 2016

Abstract

Runtime checking based on Hardware Performance Counters (HPCs) is an effective way to identify malicious behaviors of malware and to detect malicious modifications to a legitimate program's control flow. To reduce the overhead on a monitored system that has limited storage and computing resources, we present a "sample-locally-analyze-remotely" technique: the sampled HPC data are sent to a remote server for further analysis. To minimize the I/O bandwidth required for transmission, the fine-grained HPC profiles are compressed into much smaller vectors with Compressive Sensing. The experimental results demonstrate an 80% I/O bandwidth reduction after applying Compressive Sensing, without compromising the detection and identification capabilities.
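The abstract describes the pipeline only at a high level: sample HPC profiles on the monitored device, compress them with Compressive Sensing, ship the short vector to a server, reconstruct and analyze there. The block below is an added, self-contained illustration of that pipeline and is not the paper's code. It assumes things the page does not state: that the device holds a known-good baseline and transmits the deviation from it, which is sparse in the canonical basis because only a few sampling windows or events differ; that both sides derive the same i.i.d. Gaussian measurement matrix from a shared seed; and that the server reconstructs with plain orthogonal matching pursuit (OMP). The profile length, the measurement count and the two deviating windows are constructed so that the example reproduces the 80% bandwidth figure; the paper's actual sparsifying basis, measurement matrix and adaptive component are not on this page.

```python
"""Sample-locally, analyze-remotely HPC pipeline with compressive sensing.

Added illustration, not the paper's code. Assumptions: the monitored device
already holds a known-good baseline profile, so the vector it ships is the
deviation from that baseline, which is sparse (few windows/events differ);
the measurement matrix is i.i.d. Gaussian derived from a shared seed; the
server reconstructs with orthogonal matching pursuit (OMP). All sizes and
counter values below are constructed.
"""
import random


def measurement_matrix(m, n, seed=1):
    """m x n Gaussian sensing matrix with ~unit-norm columns; both sides build it from `seed`."""
    rng = random.Random(seed)
    scale = 1.0 / m ** 0.5
    return [[rng.gauss(0.0, 1.0) * scale for _ in range(n)] for _ in range(m)]


def compress(A, x):
    """Device side: y = A x, so m numbers leave the device instead of n."""
    return [sum(a * v for a, v in zip(row, x)) for row in A]


def _least_squares(A, cols, y):
    """Solve min ||A[:, cols] c - y|| via the normal equations and Gauss-Jordan elimination."""
    t, m = len(cols), len(A)
    G = [[sum(A[i][cols[p]] * A[i][cols[q]] for i in range(m)) for q in range(t)] for p in range(t)]
    b = [sum(A[i][cols[p]] * y[i] for i in range(m)) for p in range(t)]
    M = [G[p] + [b[p]] for p in range(t)]  # augmented system [G | b]
    for c in range(t):
        piv = max(range(c, t), key=lambda r: abs(M[r][c]))  # partial pivoting
        M[c], M[piv] = M[piv], M[c]
        for r in range(t):
            if r != c:
                f = M[r][c] / M[c][c]
                for k in range(c, t + 1):
                    M[r][k] -= f * M[c][k]
    return [M[p][t] / M[p][p] for p in range(t)]


def omp_reconstruct(A, y, tol=1e-9):
    """Server side: recover a sparse x from y = A x with OMP.

    Greedily adds the column most correlated with the residual, re-fits by least
    squares on the chosen support, and stops once the residual is negligible
    relative to ||y||. An all-zero y yields an all-zero profile immediately.
    """
    m, n = len(A), len(A[0])
    y_norm = sum(v * v for v in y) ** 0.5
    support, coef, r = [], [], list(y)
    for _ in range(m):  # at most m columns can be linearly independent
        if sum(v * v for v in r) ** 0.5 <= tol * y_norm:
            break
        corr = [abs(sum(A[i][j] * r[i] for i in range(m))) for j in range(n)]
        j = max(range(n), key=corr.__getitem__)
        if j in support:  # residual is orthogonal to chosen columns; guards a singular re-fit
            break
        support.append(j)
        coef = _least_squares(A, support, y)
        fit = [sum(A[i][support[p]] * coef[p] for p in range(len(support))) for i in range(m)]
        r = [y[i] - fit[i] for i in range(m)]
    x_hat = [0.0] * n
    for j, c in zip(support, coef):
        x_hat[j] = c
    return x_hat


def flag_deviations(x_hat, threshold):
    """Analysis step: indices of windows/events whose deviation from baseline exceeds `threshold`."""
    return [j for j, v in enumerate(x_hat) if abs(v) > threshold]


def demo(n=100, m=20, seed=1):
    """Constructed run: 100-entry deviation profile, two deviating windows, 20 numbers transmitted."""
    A = measurement_matrix(m, n, seed)
    deviation = [0.0] * n
    deviation[7], deviation[31] = 900.0, 400.0  # constructed: two windows with excess event counts
    y = compress(A, deviation)                   # what the device transmits
    x_hat = omp_reconstruct(A, y)                # what the server recovers
    bandwidth_saving = 1.0 - len(y) / n          # 20 of 100 values sent -> 80% saving
    max_err = max(abs(a - b) for a, b in zip(deviation, x_hat))
    return bandwidth_saving, max_err, flag_deviations(x_hat, 50.0)


if __name__ == "__main__":
    saving, err, flagged = demo()
    print(f"I/O saving {saving:.0%}, max reconstruction error {err:.2e}, flagged windows {flagged}")
```

The device-side cost is a single matrix-vector product, which is the point of pushing reconstruction to the server. Two things to check before relying on such a scheme: the deviation must really be sparse in the chosen basis (a dense deviation from a heavily modified program needs more measurements than the 20 used here, otherwise OMP returns a wrong but exactly-fitting profile), and the measurement matrix is not a secret, so the transmitted vector still needs integrity and confidentiality protection on the wire.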

Published In

ACM Transactions on Architecture and Code Optimization, Volume 13, Issue 1 (April 2016), 347 pages
ISSN: 1544-3566, EISSN: 1544-3973
DOI: 10.1145/2899032

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

Published: 28 March 2016
Accepted: 01 December 2015
Revised: 01 November 2015
Received: 01 February 2015
Published in TACO Volume 13, Issue 1

Author Tags

1. Hardware performance counters
2. compressive sensing
3. malware identification and detection

Qualifiers

• Research-article
• Research
• Refereed
Cited By

• RD-FAXID: Ransomware Detection with FPGA-Accelerated XGBoost. ACM Transactions on Reconfigurable Technology and Systems (2024). DOI: 10.1145/3688396. Online: 12 Aug 2024.
• Ransomware Classification Using Hardware Performance Counters on a Non-Virtualized System. IEEE Access 12 (2024), 63865-63884. DOI: 10.1109/ACCESS.2024.3395491.
• Leveraging Hardware Performance Counters for Efficient Classification of Binary Packers. 2023 IEEE 22nd International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), 1859-1864. DOI: 10.1109/TrustCom60117.2023.00252. Online: 1 Nov 2023.
• Scalable Tracing of MPI Events and Performance Metrics. 2023 IEEE International Parallel and Distributed Processing Symposium Workshops (IPDPSW), 714-723. DOI: 10.1109/IPDPSW59300.2023.00123. Online: May 2023.
• A Hybrid Solution for Constrained Devices to Detect Microarchitectural Attacks. 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 259-269. DOI: 10.1109/EuroSPW59978.2023.00033. Online: Jul 2023.
• Malware Detection Using Explainable AI. In Explainable AI for Cybersecurity (2023), 55-73. DOI: 10.1007/978-3-031-46479-9_3. Online: 28 Sep 2023.
• A Survey on Hardware Performance Counter Based Malware Detection Technology. Computer Science and Application 12, 12 (2022), 2896-2909. DOI: 10.12677/CSA.2022.1212294.
• JUGAAD: Comprehensive Malware Behavior-as-a-Service. Proceedings of the 15th Workshop on Cyber Security Experimentation and Test (2022), 39-48. DOI: 10.1145/3546096.3546108. Online: 8 Aug 2022.
• Hardware Immune System for Embedded IoT. IEEE Transactions on Circuits and Systems II: Express Briefs 69, 10 (Oct 2022), 4118-4122. DOI: 10.1109/TCSII.2022.3187312.
• Accurate and Robust Malware Detection: Running XGBoost on Runtime Data From Performance Counters. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 41, 7 (Jul 2022), 2066-2079. DOI: 10.1109/TCAD.2021.3102007.