TY - JOUR
T1 - A Theoretical Study of Hardware Performance Counters-Based Malware Detection
AU - Basu, Kanad
AU - Krishnamurthy, Prashanth
AU - Khorrami, Farshad
AU - Karri, Ramesh
N1 - Funding Information:
Manuscript received October 31, 2018; revised May 10, 2019 and June 16, 2019; accepted June 17, 2019. Date of publication June 24, 2019; date of current version September 16, 2019. This work was supported in part by the National Science Foundation under Award 1526405 and Award 1513130, in part by the U.S. Office of Naval Research under Award N00014-15-1-2182 and Award N00014-17-1-2006, and in part by Defense Advanced Research Projects Agency through the Air Force Research Laboratory (AFRL) under Contract FA8750-16-C-0179. The associate editor coordinating the review of this manuscript and approving it for publication was Prof. Chip-Hong Chang. (Corresponding author: Kanad Basu.) The authors are with the Department of Electrical and Computer Engineering, NYU Tandon School of Engineering, Brooklyn, NY 11201 USA (e-mail: [email protected]). Digital Object Identifier 10.1109/TIFS.2019.2924549
Publisher Copyright:
© 2005-2012 IEEE.
PY - 2020
Y1 - 2020
N2 - Malware can range from simple adware to stealthy kernel control-flow modifying rootkits. Although anti-virus software is popular, an ongoing cat-and-mouse cycle of anti-virus development and malware that thwarts the anti-virus has ensued. More recently, trusted hardware-based malware detection techniques are being developed on the premise that it is easier to bypass software-based defenses than hardware-based counterparts. One such approach is the use of hardware performance counters (HPCs) to detect malware for Linux and Android platforms. This paper, for the first time, presents an analytical framework to investigate the security provided by HPC-based malware detection techniques. The HPC readings are periodically monitored over the duration of the program execution for comparison with a golden HPC reading. We develop a mathematical framework to investigate the probability of malware detection when HPCs are monitored at a pre-determined sampling interval. In other words, given a program, a set of HPCs, and a sampling rate, the framework can be employed to analyze the probability of malware detection.
AB - Malware can range from simple adware to stealthy kernel control-flow modifying rootkits. Although anti-virus software is popular, an ongoing cat-and-mouse cycle of anti-virus development and malware that thwarts the anti-virus has ensued. More recently, trusted hardware-based malware detection techniques are being developed on the premise that it is easier to bypass software-based defenses than hardware-based counterparts. One such approach is the use of hardware performance counters (HPCs) to detect malware for Linux and Android platforms. This paper, for the first time, presents an analytical framework to investigate the security provided by HPC-based malware detection techniques. The HPC readings are periodically monitored over the duration of the program execution for comparison with a golden HPC reading. We develop a mathematical framework to investigate the probability of malware detection when HPCs are monitored at a pre-determined sampling interval. In other words, given a program, a set of HPCs, and a sampling rate, the framework can be employed to analyze the probability of malware detection.
KW - Hardware performance counter (HPC)
KW - code execution
KW - code integrity verification
KW - control flow graph (CFG)
KW - cyber security
KW - malware
UR - http://www.scopus.com/inward/record.url?scp=85077337693&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85077337693&partnerID=8YFLogxK
U2 - 10.1109/TIFS.2019.2924549
DO - 10.1109/TIFS.2019.2924549
M3 - Article
AN - SCOPUS:85077337693
SN - 1556-6013
VL - 15
SP - 512
EP - 525
JO - IEEE Transactions on Information Forensics and Security
JF - IEEE Transactions on Information Forensics and Security
M1 - 8744309
ER -