A Theoretical Study of Hardware Performance Counters-Based Malware Detection

Kanad Basu; Prashanth Krishnamurthy; Farshad Khorrami; Ramesh Karri

doi:10.1109/TIFS.2019.2924549

A Theoretical Study of Hardware Performance Counters-Based Malware Detection

Kanad Basu, Prashanth Krishnamurthy, Farshad Khorrami, Ramesh Karri

Research output: Contribution to journal › Article › peer-review

Abstract

Malware can range from simple adware to stealthy kernel control-flow modifying rootkits. Although anti-virus software is popular, an ongoing cat-and-mouse cycle of anti-virus development and malware that thwarts the anti-virus has ensued. More recently, trusted hardware-based malware detection techniques are being developed on the premise that it is easier to bypass software-based defenses than hardware-based counterparts. One such approach is the use of hardware performance counters (HPCs) to detect malware for Linux and Android platforms. This paper, for the first time, presents an analytical framework to investigate the security provided by HPC-based malware detection techniques. The HPC readings are periodically monitored over the duration of the program execution for comparison with a golden HPC reading. We develop a mathematical framework to investigate the probability of malware detection, when HPCs are monitored at a pre-determined sampling interval. In other words, given a program, a set of HPCs, and a sampling rate, the framework can be employed to analyze the probability of malware detection.

Original language	English (US)
Article number	8744309
Pages (from-to)	512-525
Number of pages	14
Journal	IEEE Transactions on Information Forensics and Security
Volume	15
DOIs	https://doi.org/10.1109/TIFS.2019.2924549
State	Published - 2020

Keywords

Hardware performance counter (HPC)
code execution
code integrity verification
control flow graph (CFG)
cyber security
malware

ASJC Scopus subject areas

Safety, Risk, Reliability and Quality
Computer Networks and Communications

Access to Document

10.1109/TIFS.2019.2924549

Fingerprint Dive into the research topics of 'A Theoretical Study of Hardware Performance Counters-Based Malware Detection'. Together they form a unique fingerprint.

Cite this

@article{144f7bdee39143febf13802695c595bc,

title = "A Theoretical Study of Hardware Performance Counters-Based Malware Detection",

abstract = "Malware can range from simple adware to stealthy kernel control-flow modifying rootkits. Although anti-virus software is popular, an ongoing cat-and-mouse cycle of anti-virus development and malware that thwarts the anti-virus has ensued. More recently, trusted hardware-based malware detection techniques are being developed on the premise that it is easier to bypass software-based defenses than hardware-based counterparts. One such approach is the use of hardware performance counters (HPCs) to detect malware for Linux and Android platforms. This paper, for the first time, presents an analytical framework to investigate the security provided by HPC-based malware detection techniques. The HPC readings are periodically monitored over the duration of the program execution for comparison with a golden HPC reading. We develop a mathematical framework to investigate the probability of malware detection, when HPCs are monitored at a pre-determined sampling interval. In other words, given a program, a set of HPCs, and a sampling rate, the framework can be employed to analyze the probability of malware detection.",

keywords = "Hardware performance counter (HPC), code execution, code integrity verification, control flow graph (CFG), cyber security, malware",

author = "Kanad Basu and Prashanth Krishnamurthy and Farshad Khorrami and Ramesh Karri",

year = "2020",

doi = "10.1109/TIFS.2019.2924549",

language = "English (US)",

volume = "15",

pages = "512--525",

journal = "IEEE Transactions on Information Forensics and Security",

issn = "1556-6013",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

}

TY - JOUR

T1 - A Theoretical Study of Hardware Performance Counters-Based Malware Detection

AU - Basu, Kanad

AU - Krishnamurthy, Prashanth

AU - Khorrami, Farshad

AU - Karri, Ramesh

PY - 2020

Y1 - 2020

N2 - Malware can range from simple adware to stealthy kernel control-flow modifying rootkits. Although anti-virus software is popular, an ongoing cat-and-mouse cycle of anti-virus development and malware that thwarts the anti-virus has ensued. More recently, trusted hardware-based malware detection techniques are being developed on the premise that it is easier to bypass software-based defenses than hardware-based counterparts. One such approach is the use of hardware performance counters (HPCs) to detect malware for Linux and Android platforms. This paper, for the first time, presents an analytical framework to investigate the security provided by HPC-based malware detection techniques. The HPC readings are periodically monitored over the duration of the program execution for comparison with a golden HPC reading. We develop a mathematical framework to investigate the probability of malware detection, when HPCs are monitored at a pre-determined sampling interval. In other words, given a program, a set of HPCs, and a sampling rate, the framework can be employed to analyze the probability of malware detection.

AB - Malware can range from simple adware to stealthy kernel control-flow modifying rootkits. Although anti-virus software is popular, an ongoing cat-and-mouse cycle of anti-virus development and malware that thwarts the anti-virus has ensued. More recently, trusted hardware-based malware detection techniques are being developed on the premise that it is easier to bypass software-based defenses than hardware-based counterparts. One such approach is the use of hardware performance counters (HPCs) to detect malware for Linux and Android platforms. This paper, for the first time, presents an analytical framework to investigate the security provided by HPC-based malware detection techniques. The HPC readings are periodically monitored over the duration of the program execution for comparison with a golden HPC reading. We develop a mathematical framework to investigate the probability of malware detection, when HPCs are monitored at a pre-determined sampling interval. In other words, given a program, a set of HPCs, and a sampling rate, the framework can be employed to analyze the probability of malware detection.

KW - Hardware performance counter (HPC)

KW - code execution

KW - code integrity verification

KW - control flow graph (CFG)

KW - cyber security

KW - malware

UR - http://www.scopus.com/inward/record.url?scp=85077337693&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85077337693&partnerID=8YFLogxK

U2 - 10.1109/TIFS.2019.2924549

DO - 10.1109/TIFS.2019.2924549

M3 - Article

AN - SCOPUS:85077337693

VL - 15

SP - 512

EP - 525

JO - IEEE Transactions on Information Forensics and Security

JF - IEEE Transactions on Information Forensics and Security

SN - 1556-6013

M1 - 8744309

ER -