Runtime Malware Detection Using Embedded Trace Buffers

Rana Elnaggar, Kanad Basu, Krishnendu Chakrabarty, Ramesh Karri

Research output: Contribution to journalArticlepeer-review


Anti-virus software (AVS) tools are used to detect malware in a system. However, AVS are vulnerable to attacks. A malicious entity can exploit these vulnerabilities to subvert the AVS. Recently, hardware components such as hardware performance counters have been used for malware detection. In this article, we propose preempts malware by examining embedded processor traces (PREEMPT), a zero overhead, high-accuracy, low-latency technique to detect malware by repurposing embedded trace buffer (ETB), a debug hardware component available in most modern processors. The ETB is used for postsilicon validation and debug and allows us to control and monitor the internal activities of a chip, beyond what is provided by the input/output pins. PREEMPT combines these hardware-level observations with machine learning-based classifiers to preempt malware before it causes damage. The benefits of reusing ETB for malware detection include the increased robustness against attacks and no performance penalties. PREEMPT can detect malware on an OpenSPARC T1 core running Linux operating system with a F1-score of 96.6%.

Original languageEnglish (US)
Pages (from-to)35-48
Number of pages14
JournalIEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems
Issue number1
StatePublished - Jan 1 2022


  • Machine learning
  • System security
  • System validation

ASJC Scopus subject areas

  • Software
  • Computer Graphics and Computer-Aided Design
  • Electrical and Electronic Engineering


Dive into the research topics of 'Runtime Malware Detection Using Embedded Trace Buffers'. Together they form a unique fingerprint.

Cite this