Can Monitoring System State + Counting Custom Instruction Sequences Aid Malware Detection?

Abstract

Signature and behavior-based anti-virus systems (AVS) are traditionally used to detect Malware. However, these AVS fail to catch metamorphic and polymorphic Malware-which can reconstruct themselves every generation or every instance. We introduce two Machine learning (ML) approaches on system state + instruction sequences – which use hardware debug data – to detect such challenging Malware. Our experiments on hundreds of Intel Malware samples show that the techniques either alone or jointly detect Malware with ≥ 99.5% accuracy.