Towards Accurate Run-Time Hardware-Assisted Stealthy Malware Detection: A Lightweight, yet Effective Time Series CNN-Based Approach

IF 1.8 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS

Cryptography Pub Date : 2021-10-17 DOI:10.3390/cryptography5040028

H. Sayadi, Yifeng Gao, Hosein Mohammadi Makrani, Jessica Lin, Paulo Cesar G. da Costa, S. Rafatirad, H. Homayoun

{"title":"Towards Accurate Run-Time Hardware-Assisted Stealthy Malware Detection: A Lightweight, yet Effective Time Series CNN-Based Approach","authors":"H. Sayadi, Yifeng Gao, Hosein Mohammadi Makrani, Jessica Lin, Paulo Cesar G. da Costa, S. Rafatirad, H. Homayoun","doi":"10.3390/cryptography5040028","DOIUrl":null,"url":null,"abstract":"According to recent security analysis reports, malicious software (a.k.a. malware) is rising at an alarming rate in numbers, complexity, and harmful purposes to compromise the security of modern computer systems. Recently, malware detection based on low-level hardware features (e.g., Hardware Performance Counters (HPCs) information) has emerged as an effective alternative solution to address the complexity and performance overheads of traditional software-based detection methods. Hardware-assisted Malware Detection (HMD) techniques depend on standard Machine Learning (ML) classifiers to detect signatures of malicious applications by monitoring built-in HPC registers during execution at run-time. Prior HMD methods though effective have limited their study on detecting malicious applications that are spawned as a separate thread during application execution, hence detecting stealthy malware patterns at run-time remains a critical challenge. Stealthy malware refers to harmful cyber attacks in which malicious code is hidden within benign applications and remains undetected by traditional malware detection approaches. In this paper, we first present a comprehensive review of recent advances in hardware-assisted malware detection studies that have used standard ML techniques to detect the malware signatures. Next, to address the challenge of stealthy malware detection at the processor’s hardware level, we propose StealthMiner, a novel specialized time series machine learning-based approach to accurately detect stealthy malware trace at run-time using branch instructions, the most prominent HPC feature. StealthMiner is based on a lightweight time series Fully Convolutional Neural Network (FCN) model that automatically identifies potentially contaminated samples in HPC-based time series data and utilizes them to accurately recognize the trace of stealthy malware. Our analysis demonstrates that using state-of-the-art ML-based malware detection methods is not effective in detecting stealthy malware samples since the captured HPC data not only represents malware but also carries benign applications’ microarchitectural data. The experimental results demonstrate that with the aid of our novel intelligent approach, stealthy malware can be detected at run-time with 94% detection performance on average with only one HPC feature, outperforming the detection performance of state-of-the-art HMD and general time series classification methods by up to 42% and 36%, respectively.","PeriodicalId":36072,"journal":{"name":"Cryptography","volume":null,"pages":null},"PeriodicalIF":1.8000,"publicationDate":"2021-10-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"8","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Cryptography","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.3390/cryptography5040028","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 8

Abstract

According to recent security analysis reports, malicious software (a.k.a. malware) is rising at an alarming rate in numbers, complexity, and harmful purposes to compromise the security of modern computer systems. Recently, malware detection based on low-level hardware features (e.g., Hardware Performance Counters (HPCs) information) has emerged as an effective alternative solution to address the complexity and performance overheads of traditional software-based detection methods. Hardware-assisted Malware Detection (HMD) techniques depend on standard Machine Learning (ML) classifiers to detect signatures of malicious applications by monitoring built-in HPC registers during execution at run-time. Prior HMD methods though effective have limited their study on detecting malicious applications that are spawned as a separate thread during application execution, hence detecting stealthy malware patterns at run-time remains a critical challenge. Stealthy malware refers to harmful cyber attacks in which malicious code is hidden within benign applications and remains undetected by traditional malware detection approaches. In this paper, we first present a comprehensive review of recent advances in hardware-assisted malware detection studies that have used standard ML techniques to detect the malware signatures. Next, to address the challenge of stealthy malware detection at the processor’s hardware level, we propose StealthMiner, a novel specialized time series machine learning-based approach to accurately detect stealthy malware trace at run-time using branch instructions, the most prominent HPC feature. StealthMiner is based on a lightweight time series Fully Convolutional Neural Network (FCN) model that automatically identifies potentially contaminated samples in HPC-based time series data and utilizes them to accurately recognize the trace of stealthy malware. Our analysis demonstrates that using state-of-the-art ML-based malware detection methods is not effective in detecting stealthy malware samples since the captured HPC data not only represents malware but also carries benign applications’ microarchitectural data. The experimental results demonstrate that with the aid of our novel intelligent approach, stealthy malware can be detected at run-time with 94% detection performance on average with only one HPC feature, outperforming the detection performance of state-of-the-art HMD and general time series classification methods by up to 42% and 36%, respectively.

查看原文本刊更多论文

走向精确的运行时硬件辅助隐形恶意软件检测:一种轻量级，但有效的基于cnn的时间序列方法

根据最近的安全分析报告，恶意软件(又名恶意软件)在数量、复杂性和危害目的方面正以惊人的速度增长，危及现代计算机系统的安全。最近，基于底层硬件特征(例如硬件性能计数器(hpc)信息)的恶意软件检测已经成为解决传统基于软件的检测方法的复杂性和性能开销的有效替代解决方案。硬件辅助恶意软件检测(HMD)技术依赖于标准的机器学习(ML)分类器，通过在运行时执行过程中监视内置的HPC寄存器来检测恶意应用程序的签名。先前的HMD方法虽然有效，但它们对检测在应用程序执行期间作为单独线程生成的恶意应用程序的研究有限，因此在运行时检测隐形恶意软件模式仍然是一个关键挑战。隐形恶意软件是指恶意代码隐藏在良性应用程序中，传统恶意软件检测方法无法检测到的有害网络攻击。在本文中，我们首先全面回顾了硬件辅助恶意软件检测研究的最新进展，这些研究使用标准机器学习技术来检测恶意软件签名。接下来，为了解决处理器硬件层面隐形恶意软件检测的挑战，我们提出了StealthMiner，这是一种新颖的专门的基于时间序列机器学习的方法，可以使用分支指令(HPC最突出的特征)在运行时准确检测隐形恶意软件跟踪。StealthMiner基于轻量级时间序列全卷积神经网络(FCN)模型，可自动识别基于hpc的时间序列数据中可能受污染的样本，并利用它们准确识别隐形恶意软件的踪迹。我们的分析表明，使用最先进的基于ml的恶意软件检测方法在检测隐形恶意软件样本方面并不有效，因为捕获的HPC数据不仅代表恶意软件，还携带良性应用程序的微架构数据。实验结果表明，在我们的新智能方法的帮助下，仅使用一个HPC特征就可以在运行时检测到隐身恶意软件，平均检测性能为94%，比最先进的HMD和一般时间序列分类方法的检测性能分别高出42%和36%。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Cryptography Mathematics-Applied Mathematics

CiteScore

3.80

自引率

6.20%

发文量

审稿时长

11 weeks