Online malware defense using attack behavior model

Abstract

Malware detection is one central topic in cybersecurity, which ideally requires an accurate, efficient and robust (to malware variants) solution. In this work, we propose a hardwareassisted architecture to perform online malware detection with two phases. In the offline phase, we learn the attack model of malware in the form of Deterministic Finite Automaton (DFA). During the runtime phase, we implement a DFA-based detection approach in hardware to check whether a program's execution contains the malicious behavior specified in the DFA. We evaluate our method using real world data of 168 Linux malware samples and 370 benign applications. The results show that our DFA-based approach can recognize malware variants of same family with the potential to detect zero-day attacks. Implemented in hardware, our architecture offers a real time detection with low performance and resource overhead, and more importantly, it cannot be bypassed by malware using sophisticated evasion techniques.