{"title":"Lowering the barrier to online malware detection through low frequency sampling of HPCs","authors":"P. Cronin, Chengmo Yang","doi":"10.1109/HST.2018.8383910","DOIUrl":null,"url":null,"abstract":"As mobile phones become more ubiquitous in our daily lives, many malware creators have shifted their focus to these mobile platforms. While a plethora of work exists to try and detect malware as it is uploaded to app stores and when it is downloaded to user devices, malware still slips through. A lesser body of work has suggested that Hardware Performance Counters (HPCs) can provide an insight into detecting malware as it runs. While these works have been successful, they typically require thread-level sampling rates every tens of thousands of instructions and hundreds of KB/s to MB/s of bus bandwidth, resulting in high power overhead in battery constrained mobile devices. Unlike previous works, this paper proposes a coarser grained approach, requiring system-wide sampling rates in the hundreds of Hz and less than 10 KB/s of bandwidth, all while achieving similar accuracy to previous works and identification of zero-day attacks. The proposed method focuses purely on background detection, that is, detection of malware when its parent application is inactive. This technique relies upon a multi-layer neural network to extract the higher order dependencies between different HPCs as processes are executed on multiple cores. 
Experiments are conducted on a Motorola G4 platform, and classifiers are trained with multiple families of malware and a multitude of clean system states.","PeriodicalId":6574,"journal":{"name":"2018 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)","volume":"6 1","pages":"177-180"},"PeriodicalIF":0.0000,"publicationDate":"2018-04-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"6","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2018 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/HST.2018.8383910","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 6
Abstract
As mobile phones become more ubiquitous in our daily lives, many malware creators have shifted their focus to these mobile platforms. While a plethora of work exists to try and detect malware as it is uploaded to app stores and when it is downloaded to user devices, malware still slips through. A lesser body of work has suggested that Hardware Performance Counters (HPCs) can provide an insight into detecting malware as it runs. While these works have been successful, they typically require thread-level sampling rates every tens of thousands of instructions and hundreds of KB/s to MB/s of bus bandwidth, resulting in high power overhead in battery constrained mobile devices. Unlike previous works, this paper proposes a coarser grained approach, requiring system-wide sampling rates in the hundreds of Hz and less than 10 KB/s of bandwidth, all while achieving similar accuracy to previous works and identification of zero-day attacks. The proposed method focuses purely on background detection, that is, detection of malware when its parent application is inactive. This technique relies upon a multi-layer neural network to extract the higher order dependencies between different HPCs as processes are executed on multiple cores. Experiments are conducted on a Motorola G4 platform, and classifiers are trained with multiple families of malware and a multitude of clean system states.