Hardware Performance Counter-Based Malware Identification and Detection with Adaptive Compressive Sensing

Wang, Xueyang; Chai, Sek; Isnardi, Michael; Lim, Sehoon; Karri, Ramesh

doi:10.1145/2857055

Cited by 50 publications

(17 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Initially, HPCs have been employed for investigating the static and dynamic analysis of programs to detect any malicious amendments as mentioned in Alam et al (2020) and Malone, Zahran & Karri (2011). Several studies (Das et al, 2019;Demme et al, 2013;Singh et al, 2017;Wang et al, 2016) discuss potential implications of using HPC for application analysis, and the majority of them suggest that hardware execution profile can effectuate the detection of malware (Demme et al, 2013;Singh et al, 2017;Wang et al, 2016;Kuruvila, Kundu & Basu, 2020). Another study (Xu et al, 2017) has utilized the hardware execution profiles to detect malware using machine learning algorithms, as malware changes data structures and control flow, leaving fingerprints on accesses to program memory.…”

Section: Introductionmentioning

confidence: 99%

On the classification of Microsoft-Windows ransomware using hardware profile

Aurangzeb

Rais

Aleem

et al. 2021

PeerJ Computer Science

View full text Add to dashboard Cite

Due to the expeditious inclination of online services usage, the incidents of ransomware proliferation being reported are on the rise. Ransomware is a more hazardous threat than other malware as the victim of ransomware cannot regain access to the hijacked device until some form of compensation is paid. In the literature, several dynamic analysis techniques have been employed for the detection of malware including ransomware; however, to the best of our knowledge, hardware execution profile for ransomware analysis has not been investigated for this purpose, as of today. In this study, we show that the true execution picture obtained via a hardware execution profile is beneficial to identify the obfuscated ransomware too. We evaluate the features obtained from hardware performance counters to classify malicious applications into ransomware and non-ransomware categories using several machine learning algorithms such as Random Forest, Decision Tree, Gradient Boosting, and Extreme Gradient Boosting. The employed data set comprises 80 ransomware and 80 non-ransomware applications, which are collected using the VirusShare platform. The results revealed that extracted hardware features play a substantial part in the identification and detection of ransomware with F-measure score of 0.97 achieved by Random Forest and Extreme Gradient Boosting.

show abstract

Section: Introductionmentioning

confidence: 99%

On the classification of Microsoft-Windows ransomware using hardware profile

Aurangzeb

Rais

Aleem

et al. 2021

PeerJ Computer Science

View full text Add to dashboard Cite

show abstract

“…Despite good accuracy, the computational overheads posed are high, and employs large number of HPCs for classification. One of the recent works [106] uses "samplelocally-analyze-remotely" technique, where the HPCs are collected locally, but analyzed on a server. Compressed sensing is utilized to minimize the communication bandwidth.…”

Section: E Malware Detection At Node-level: Comparison With the State-of-the-artmentioning

confidence: 99%

Cognitive and Scalable Technique for Securing IoT Networks Against Malware Epidemics

et al. 2020

View full text Add to dashboard Cite

The sheer volume of IoT networks being deployed today presents a major "attack surface" and poses significant security risks at a scale never encountered before. In other words, a single IoT device/node that gets infected with malware has the potential to spread the malicious activities across the network, eventually ceasing the network functionality or compromising the network. Simply detecting and quarantining the malware in IoT networks does not guarantee preventing malware propagation. On the other hand, use of traditional control theory for malware confinement is not effective, as most of the existing works do not consider real-time malware control strategies that can be implemented using uncertain infection information from the nodes in the network or have the containment problem decoupled from network performance. In response, in this work, we propose a two-pronged approach with malware detection at nodelevel, and confinement of malware at network-level. We deploy a recently proposed lightweight runtime malware detector at the node-level that employs Hardware Performance Counter (HPC) values for malware detection. This node-level malware information is combined with the malware propagation information and then fed during runtime to a stochastic predictive controller to confine the malware propagation without hampering the network performance. Synthesizing the node-level malware information with the model predictive containment strategy leads to achieving an average network throughput of nearly 200% of that of IoT network without any defense, and up to 160% of that of network with commonly employed state-ofthe-art heuristic approaches for malware confinement. Furthermore, to scale with ever-increasing network topology sizes, we introduce a novel multi-attribute graph translation that can predict the network topology and node state information when provided with a snapshot of topology and node-level malware infection. The proposed multi-attribute graph translation has <5.88 Root Mean Square Error (RMSE) compared to the model predictive containment strategy and has shown nearly constant graph translation time and limited resource utilization independent of the network size.

show abstract

“…Wang et al [32] have used hardware interaction based features for building malware detection system.…”

Section: H Hardware Featuresmentioning

confidence: 99%

Features for Detecting Malware on Computing Environments

Kumar¹,

Kuppusamy²,

Aghila³

2016

IJEACS

View full text Add to dashboard Cite

Abstract-Malware is the main threat for all computing environments. It also acts as launching platform for many other cyber threats. Traditional malware detection system is not able to detect "modern", "unknown" and "zero-day" malware. Recent developments in computing hardware and machine learning techniques have emerged as alternative solution for malware detection. The efficiency of any machine learning algorithm depends on the features extracted from the dataset. Various types of features are extracted and being researched with machine learning approach to detect malware that are targeted towards computing environments. In this work we have organized and summarized different feature types used to detect malware. This work will direct future researchers and industry to make decision on feature type selection regarding chosen computing environment for building an accurate malware classifier.

show abstract

Hardware Performance Counter-Based Malware Identification and Detection with Adaptive Compressive Sensing

Cited by 50 publications

References 28 publications

On the classification of Microsoft-Windows ransomware using hardware profile

On the classification of Microsoft-Windows ransomware using hardware profile

Cognitive and Scalable Technique for Securing IoT Networks Against Malware Epidemics

Features for Detecting Malware on Computing Environments

Contact Info

Product

Resources

About