MicroArchitectural events and image processing-based hybrid approach for robust malware detection: work-in-progress

Sanket Shukla, Gaurav Kolhe, S. D, S. Rafatirad
DOI: 10.1145/3349569.3351538 (https://doi.org/10.1145/3349569.3351538)
Published in: Proceedings of the International Conference on Compilers, Architectures and Synthesis for Embedded Systems Companion
Publication date: 2019-10-13
Publication type: Journal Article
Indexed on: Semantic Scholar
Citations: 9

Abstract

To thwart detection by traditional and emerging approaches, malware development has shifted toward embedding malware into benign applications. This calls for a localized feature extraction scheme that detects such stealthy malware more robustly. To address this challenge, we introduce a hybrid approach that utilizes both the microarchitectural traces obtained through on-chip embedded hardware performance counters (HPCs) and the application binary for malware detection. The obtained HPC traces are fed to a multi-stage machine learning (ML) classifier for detecting and classifying the malware. To overcome the challenge of detecting stealthy malware, an image-processing-based approach is applied in parallel: the malware binaries are converted into images, which are further converted into sequences and fed to recurrent neural networks to recognize patterns of stealthy malware. Based on the localized patterns, sequence classification is then applied to perform binary classification and to further discover variations within the identified malware family. Our proposed framework exhibits high resilience to popular obfuscation techniques such as code relocation.