HUND: Enhancing Hardware Performance Counter Based Malware Detection Under System Resource Competition Using Explanation Method

2023 IEEE Symposium on Computers and Communications (ISCC) Pub Date : 2023-07-09 DOI:10.1109/ISCC58397.2023.10218007

Yanfei Hu, Shuailou Li, Boyang Zhang, Xu Cheng, Yu Wen

{"title":"HUND: Enhancing Hardware Performance Counter Based Malware Detection Under System Resource Competition Using Explanation Method","authors":"Yanfei Hu, Shuailou Li, Boyang Zhang, Xu Cheng, Yu Wen","doi":"10.1109/ISCC58397.2023.10218007","DOIUrl":null,"url":null,"abstract":"Hardware performance counter (HPC) has been widely used in malware detection because of its low access overhead and the ability of revealing dynamic behavior during program's execution. However, HPC based malware detection (HMD) suffers from performance decline due to HPC's non- determinism caused by resource competition. Current work enables malware detection under resource competition but still leaves misclassifications. In this paper, we propose HUND, a framework for improving the detection ability of HMD models under resource competition. To this end, we first introduce an explanation module to make the program's prediction interpretable and accurate on the whole. We then design a rectification module for troubleshooting HMDMs' errors by generating modified samples and lowering the effects of false classified instances on model decision. We evaluate HUND by performing HMD models two datasets of HPC-level behaviors. The experimental results show HUND explains HMDMs with high fidelity and HUND's effectiveness in troubleshooting the errors of HMDMs.","PeriodicalId":265337,"journal":{"name":"2023 IEEE Symposium on Computers and Communications (ISCC)","volume":"10 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2023-07-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2023 IEEE Symposium on Computers and Communications (ISCC)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ISCC58397.2023.10218007","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 0

Abstract

Hardware performance counter (HPC) has been widely used in malware detection because of its low access overhead and the ability of revealing dynamic behavior during program's execution. However, HPC based malware detection (HMD) suffers from performance decline due to HPC's non- determinism caused by resource competition. Current work enables malware detection under resource competition but still leaves misclassifications. In this paper, we propose HUND, a framework for improving the detection ability of HMD models under resource competition. To this end, we first introduce an explanation module to make the program's prediction interpretable and accurate on the whole. We then design a rectification module for troubleshooting HMDMs' errors by generating modified samples and lowering the effects of false classified instances on model decision. We evaluate HUND by performing HMD models two datasets of HPC-level behaviors. The experimental results show HUND explains HMDMs with high fidelity and HUND's effectiveness in troubleshooting the errors of HMDMs.

查看原文本刊更多论文

基于解释方法的系统资源竞争下增强硬件性能计数器的恶意软件检测

硬件性能计数器(HPC)由于其访问开销低、能够揭示程序执行过程中的动态行为而被广泛应用于恶意软件检测中。然而，由于资源竞争导致的HPC不确定性，使得基于HPC的恶意软件检测(HMD)性能下降。目前的工作能够在资源竞争的情况下检测恶意软件，但仍然存在分类错误。本文提出了在资源竞争条件下提高HMD模型检测能力的框架HUND。为此，我们首先引入解释模块，使程序的预测整体上具有可解释性和准确性。然后，我们设计了一个纠正模块，通过生成修改样本和降低错误分类实例对模型决策的影响来排除HMDMs的错误。我们通过执行HMD模型两个hpc级行为数据集来评估HUND。实验结果表明，该方法能较好地解释HMDMs，并能有效地排除HMDMs的误差。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2023 IEEE Symposium on Computers and Communications (ISCC)

自引率

0.00%

发文量