走向精确的运行时硬件辅助隐形恶意软件检测:一种轻量级,但有效的基于cnn的时间序列方法

IF 1.8 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS
H. Sayadi, Yifeng Gao, Hosein Mohammadi Makrani, Jessica Lin, Paulo Cesar G. da Costa, S. Rafatirad, H. Homayoun
{"title":"走向精确的运行时硬件辅助隐形恶意软件检测:一种轻量级,但有效的基于cnn的时间序列方法","authors":"H. Sayadi, Yifeng Gao, Hosein Mohammadi Makrani, Jessica Lin, Paulo Cesar G. da Costa, S. Rafatirad, H. Homayoun","doi":"10.3390/cryptography5040028","DOIUrl":null,"url":null,"abstract":"According to recent security analysis reports, malicious software (a.k.a. malware) is rising at an alarming rate in numbers, complexity, and harmful purposes to compromise the security of modern computer systems. Recently, malware detection based on low-level hardware features (e.g., Hardware Performance Counters (HPCs) information) has emerged as an effective alternative solution to address the complexity and performance overheads of traditional software-based detection methods. Hardware-assisted Malware Detection (HMD) techniques depend on standard Machine Learning (ML) classifiers to detect signatures of malicious applications by monitoring built-in HPC registers during execution at run-time. Prior HMD methods though effective have limited their study on detecting malicious applications that are spawned as a separate thread during application execution, hence detecting stealthy malware patterns at run-time remains a critical challenge. Stealthy malware refers to harmful cyber attacks in which malicious code is hidden within benign applications and remains undetected by traditional malware detection approaches. In this paper, we first present a comprehensive review of recent advances in hardware-assisted malware detection studies that have used standard ML techniques to detect the malware signatures. Next, to address the challenge of stealthy malware detection at the processor’s hardware level, we propose StealthMiner, a novel specialized time series machine learning-based approach to accurately detect stealthy malware trace at run-time using branch instructions, the most prominent HPC feature. StealthMiner is based on a lightweight time series Fully Convolutional Neural Network (FCN) model that automatically identifies potentially contaminated samples in HPC-based time series data and utilizes them to accurately recognize the trace of stealthy malware. Our analysis demonstrates that using state-of-the-art ML-based malware detection methods is not effective in detecting stealthy malware samples since the captured HPC data not only represents malware but also carries benign applications’ microarchitectural data. The experimental results demonstrate that with the aid of our novel intelligent approach, stealthy malware can be detected at run-time with 94% detection performance on average with only one HPC feature, outperforming the detection performance of state-of-the-art HMD and general time series classification methods by up to 42% and 36%, respectively.","PeriodicalId":36072,"journal":{"name":"Cryptography","volume":null,"pages":null},"PeriodicalIF":1.8000,"publicationDate":"2021-10-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"8","resultStr":"{\"title\":\"Towards Accurate Run-Time Hardware-Assisted Stealthy Malware Detection: A Lightweight, yet Effective Time Series CNN-Based Approach\",\"authors\":\"H. Sayadi, Yifeng Gao, Hosein Mohammadi Makrani, Jessica Lin, Paulo Cesar G. da Costa, S. Rafatirad, H. Homayoun\",\"doi\":\"10.3390/cryptography5040028\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"According to recent security analysis reports, malicious software (a.k.a. malware) is rising at an alarming rate in numbers, complexity, and harmful purposes to compromise the security of modern computer systems. Recently, malware detection based on low-level hardware features (e.g., Hardware Performance Counters (HPCs) information) has emerged as an effective alternative solution to address the complexity and performance overheads of traditional software-based detection methods. Hardware-assisted Malware Detection (HMD) techniques depend on standard Machine Learning (ML) classifiers to detect signatures of malicious applications by monitoring built-in HPC registers during execution at run-time. Prior HMD methods though effective have limited their study on detecting malicious applications that are spawned as a separate thread during application execution, hence detecting stealthy malware patterns at run-time remains a critical challenge. Stealthy malware refers to harmful cyber attacks in which malicious code is hidden within benign applications and remains undetected by traditional malware detection approaches. In this paper, we first present a comprehensive review of recent advances in hardware-assisted malware detection studies that have used standard ML techniques to detect the malware signatures. Next, to address the challenge of stealthy malware detection at the processor’s hardware level, we propose StealthMiner, a novel specialized time series machine learning-based approach to accurately detect stealthy malware trace at run-time using branch instructions, the most prominent HPC feature. StealthMiner is based on a lightweight time series Fully Convolutional Neural Network (FCN) model that automatically identifies potentially contaminated samples in HPC-based time series data and utilizes them to accurately recognize the trace of stealthy malware. Our analysis demonstrates that using state-of-the-art ML-based malware detection methods is not effective in detecting stealthy malware samples since the captured HPC data not only represents malware but also carries benign applications’ microarchitectural data. The experimental results demonstrate that with the aid of our novel intelligent approach, stealthy malware can be detected at run-time with 94% detection performance on average with only one HPC feature, outperforming the detection performance of state-of-the-art HMD and general time series classification methods by up to 42% and 36%, respectively.\",\"PeriodicalId\":36072,\"journal\":{\"name\":\"Cryptography\",\"volume\":null,\"pages\":null},\"PeriodicalIF\":1.8000,\"publicationDate\":\"2021-10-17\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"8\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Cryptography\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.3390/cryptography5040028\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q3\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Cryptography","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.3390/cryptography5040028","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 8

摘要

根据最近的安全分析报告,恶意软件(又名恶意软件)在数量、复杂性和危害目的方面正以惊人的速度增长,危及现代计算机系统的安全。最近,基于底层硬件特征(例如硬件性能计数器(hpc)信息)的恶意软件检测已经成为解决传统基于软件的检测方法的复杂性和性能开销的有效替代解决方案。硬件辅助恶意软件检测(HMD)技术依赖于标准的机器学习(ML)分类器,通过在运行时执行过程中监视内置的HPC寄存器来检测恶意应用程序的签名。先前的HMD方法虽然有效,但它们对检测在应用程序执行期间作为单独线程生成的恶意应用程序的研究有限,因此在运行时检测隐形恶意软件模式仍然是一个关键挑战。隐形恶意软件是指恶意代码隐藏在良性应用程序中,传统恶意软件检测方法无法检测到的有害网络攻击。在本文中,我们首先全面回顾了硬件辅助恶意软件检测研究的最新进展,这些研究使用标准机器学习技术来检测恶意软件签名。接下来,为了解决处理器硬件层面隐形恶意软件检测的挑战,我们提出了StealthMiner,这是一种新颖的专门的基于时间序列机器学习的方法,可以使用分支指令(HPC最突出的特征)在运行时准确检测隐形恶意软件跟踪。StealthMiner基于轻量级时间序列全卷积神经网络(FCN)模型,可自动识别基于hpc的时间序列数据中可能受污染的样本,并利用它们准确识别隐形恶意软件的踪迹。我们的分析表明,使用最先进的基于ml的恶意软件检测方法在检测隐形恶意软件样本方面并不有效,因为捕获的HPC数据不仅代表恶意软件,还携带良性应用程序的微架构数据。实验结果表明,在我们的新智能方法的帮助下,仅使用一个HPC特征就可以在运行时检测到隐身恶意软件,平均检测性能为94%,比最先进的HMD和一般时间序列分类方法的检测性能分别高出42%和36%。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
Towards Accurate Run-Time Hardware-Assisted Stealthy Malware Detection: A Lightweight, yet Effective Time Series CNN-Based Approach
According to recent security analysis reports, malicious software (a.k.a. malware) is rising at an alarming rate in numbers, complexity, and harmful purposes to compromise the security of modern computer systems. Recently, malware detection based on low-level hardware features (e.g., Hardware Performance Counters (HPCs) information) has emerged as an effective alternative solution to address the complexity and performance overheads of traditional software-based detection methods. Hardware-assisted Malware Detection (HMD) techniques depend on standard Machine Learning (ML) classifiers to detect signatures of malicious applications by monitoring built-in HPC registers during execution at run-time. Prior HMD methods though effective have limited their study on detecting malicious applications that are spawned as a separate thread during application execution, hence detecting stealthy malware patterns at run-time remains a critical challenge. Stealthy malware refers to harmful cyber attacks in which malicious code is hidden within benign applications and remains undetected by traditional malware detection approaches. In this paper, we first present a comprehensive review of recent advances in hardware-assisted malware detection studies that have used standard ML techniques to detect the malware signatures. Next, to address the challenge of stealthy malware detection at the processor’s hardware level, we propose StealthMiner, a novel specialized time series machine learning-based approach to accurately detect stealthy malware trace at run-time using branch instructions, the most prominent HPC feature. StealthMiner is based on a lightweight time series Fully Convolutional Neural Network (FCN) model that automatically identifies potentially contaminated samples in HPC-based time series data and utilizes them to accurately recognize the trace of stealthy malware. Our analysis demonstrates that using state-of-the-art ML-based malware detection methods is not effective in detecting stealthy malware samples since the captured HPC data not only represents malware but also carries benign applications’ microarchitectural data. The experimental results demonstrate that with the aid of our novel intelligent approach, stealthy malware can be detected at run-time with 94% detection performance on average with only one HPC feature, outperforming the detection performance of state-of-the-art HMD and general time series classification methods by up to 42% and 36%, respectively.
求助全文
通过发布文献求助,成功后即可免费获取论文全文。 去求助
来源期刊
Cryptography
Cryptography Mathematics-Applied Mathematics
CiteScore
3.80
自引率
6.20%
发文量
53
审稿时长
11 weeks
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信