Towards malware detection based on performance counters using deep learning classification models

Omar Mohamed, Ciprian-Bogdan Chirila
DOI: 10.1109/SACI55618.2022.9919602 (https://doi.org/10.1109/SACI55618.2022.9919602)
Venue: 2022 IEEE 16th International Symposium on Applied Computational Intelligence and Informatics (SACI)
Publication date: 2022-05-25
Citations: 0

Abstract

Security exploits and the malware that follows them are a challenge for computing systems. For detecting anomalies and discovering vulnerabilities in computing systems several methods are used: i) malware-aware processors; ii) static program analysis; iii) dynamic program analysis. Malware-aware processors require online hardware, which is not always a practical and scalable solution. Static analysis methods rely on automated static analysis tools that have limited performance, with a detection capability that does not always meet the requirements of the project regarding the criticality of the application. Dynamic analysis, on the other hand, has overtaken static analysis in recent trends. Within this trend, performance counter analysis is used in several approaches. Operating system performance counters are collected and stored as time series in two contexts: i) in the presence and ii) in the absence of malware. Ten deep learning models are used for time series classification. From the experiments we learned that 2 models are able to accurately detect the presence of malware in an infected operating system, while the rest of the models tend to overfit the data.
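The abstract describes the data side of the approach (counter streams recorded with and without malware, cut into time series, classified, with most models overfitting) but not how such a dataset is assembled and evaluated. The following Python script is an added example, not code from the paper: it builds windowed features from two labelled counter streams, splits them chronologically so that overlapping windows do not leak between training and held-out data, scales with training statistics only, and reports the train/held-out accuracy gap that exposes overfitting. The counter streams are constructed synthetically (the counter names `ctx_switches`, `page_faults`, `cpu_pct` are assumptions, not the paper's counters), and a nearest-centroid classifier and a 1-NN classifier stand in for the paper's deep learning models.

```python
"""Windowed performance-counter classification with a leakage-free split.

Added example: synthetic counter streams stand in for the OS performance
counters of the paper, and two simple classifiers stand in for its deep
learning models. Standard library only, so it runs offline.
"""
import math
import random
from typing import Dict, List, Sequence, Tuple

# Assumed counter names; the paper does not list its counters.
COUNTERS = ("ctx_switches", "page_faults", "cpu_pct")
Sample = Tuple[float, ...]


def sample_counters(label: str, n: int, seed: int) -> List[Sample]:
    """Constructed counter stream (not real telemetry). One sample per polling
    interval. The 'malware' profile is higher and burstier on every counter."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        if label == "benign":
            out.append((rng.gauss(400, 40), rng.gauss(100, 10), rng.gauss(10, 3)))
        else:
            out.append((rng.gauss(900, 150), rng.gauss(300, 40), rng.gauss(35, 8)))
    return out


def make_windows(series: Sequence[Sample], window: int, stride: int) -> List[Sequence[Sample]]:
    """Fixed-length sliding windows; consecutive windows overlap when stride < window."""
    return [series[i:i + window] for i in range(0, len(series) - window + 1, stride)]


def featurize(window: Sequence[Sample]) -> List[float]:
    """Per-counter mean and standard deviation over the window."""
    feats = []
    for c in range(len(COUNTERS)):
        col = [s[c] for s in window]
        mean = sum(col) / len(col)
        var = sum((x - mean) ** 2 for x in col) / len(col)
        feats.extend([mean, math.sqrt(var)])
    return feats


def fit_scaler(X: List[List[float]]) -> Tuple[List[float], List[float]]:
    """Per-feature mean/std computed on TRAINING windows only (no leakage)."""
    d = len(X[0])
    mu = [sum(x[j] for x in X) / len(X) for j in range(d)]
    sd = [math.sqrt(sum((x[j] - mu[j]) ** 2 for x in X) / len(X)) or 1.0 for j in range(d)]
    return mu, sd


def scale(X: List[List[float]], mu: List[float], sd: List[float]) -> List[List[float]]:
    return [[(x[j] - mu[j]) / sd[j] for j in range(len(mu))] for x in X]


def euclid(a: Sequence[float], b: Sequence[float]) -> float:
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))


class NearestCentroid:
    """Predicts the class whose training centroid is closest."""

    def fit(self, X, y):
        self.centroids = {}
        for label in set(y):
            rows = [x for x, l in zip(X, y) if l == label]
            self.centroids[label] = [sum(r[j] for r in rows) / len(rows) for j in range(len(rows[0]))]
        return self

    def predict(self, X):
        return [min(self.centroids, key=lambda l: euclid(x, self.centroids[l])) for x in X]


class OneNN:
    """Memorises the training set: its training accuracy is 1.0 by construction,
    so only the held-out number says anything about generalisation."""

    def fit(self, X, y):
        self.X, self.y = X, y
        return self

    def predict(self, X):
        return [self.y[min(range(len(self.X)), key=lambda i: euclid(x, self.X[i]))] for x in X]


def build_dataset(window: int = 16, stride: int = 4, train_frac: float = 0.7, n: int = 400):
    """Chronological split: the first train_frac of EACH stream is training, the
    rest held out, and windows are cut after the split so no window straddles
    it. Randomly shuffling overlapping windows would leak test data into training."""
    Xtr, ytr, Xte, yte = [], [], [], []
    for label, seed in (("benign", 1), ("malware", 2)):
        series = sample_counters(label, n, seed)
        cut = int(len(series) * train_frac)
        for part, X, y in ((series[:cut], Xtr, ytr), (series[cut:], Xte, yte)):
            for w in make_windows(part, window, stride):
                X.append(featurize(w))
                y.append(label)
    mu, sd = fit_scaler(Xtr)
    return scale(Xtr, mu, sd), ytr, scale(Xte, mu, sd), yte


def accuracy(pred: Sequence[str], truth: Sequence[str]) -> float:
    return sum(p == t for p, t in zip(pred, truth)) / len(truth)


def evaluate(model, Xtr, ytr, Xte, yte) -> Dict[str, float]:
    """Train/held-out accuracy; a large 'gap' is the overfitting signature."""
    model.fit(Xtr, ytr)
    train = accuracy(model.predict(Xtr), ytr)
    test = accuracy(model.predict(Xte), yte)
    return {"train": train, "test": test, "gap": train - test}


if __name__ == "__main__":
    Xtr, ytr, Xte, yte = build_dataset()
    for name, model in (("nearest_centroid", NearestCentroid()), ("1nn", OneNN())):
        print(name, evaluate(model, Xtr, ytr, Xte, yte))
```

On the constructed streams both classifiers separate the classes easily; the point of the script is the procedure. Replacing `sample_counters` with a real sampler (for example periodic reads of `/proc/stat` and `/proc/vmstat` on Linux) and the stand-in classifiers with the time-series models keeps the split, scaling and gap reporting unchanged, and those are the parts that decide whether a reported accuracy means anything.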