Run-time Malware Detection Using Embedded Trace Buffers

Rana Elnaggar, Kanad Basu, Krishnendu Chakrabarty, Ramesh Karri

Research output: Contribution to journal › Article › peer-review

Abstract

Anti-virus software (AVS) tools are used to detect Malware in a system. However, AVS are themselves vulnerable to attacks, and a malicious entity can exploit these vulnerabilities to subvert the AVS. Recently, hardware components such as Hardware Performance Counters (HPC) have been used for Malware detection. In this paper, we propose PREEMPT, a zero-overhead, high-accuracy, low-latency technique to detect Malware by re-purposing the embedded trace buffer (ETB), a debug hardware component available in most modern processors. The ETB is used for post-silicon validation and debug, and it allows us to control and monitor the internal activities of a chip beyond what is observable through the Input/Output pins. PREEMPT combines these hardware-level observations with machine learning-based classifiers to preempt Malware before it causes damage. The benefits of re-using the ETB for Malware detection include increased robustness against attacks and no performance penalties. PREEMPT can detect Malware on an OpenSPARC T1 core running the Linux operating system with an F1-score of 96.6%.

Keywords

  • Detectors
  • Hardware
  • Malware
  • Monitoring
  • Program processors
  • Security
  • Software

ASJC Scopus subject areas

  • Software
  • Computer Graphics and Computer-Aided Design
  • Electrical and Electronic Engineering
