
HLMD: a signature-based approach to hardware-level behavioral malware detection and classification

Published: 01 August 2019

Abstract

Malicious programs, or malware, often use code obfuscation techniques to make static analysis difficult. To deal with this problem, various behavioral detection techniques have been proposed that focus on runtime behavior to distinguish between benign and malicious programs. The majority of them are based on the analysis and modeling of system call traces, a common type of audit data used to describe the interaction between programs and the operating system. However, these techniques are not widely used in practice because of their high performance overheads. An alternative approach is to perform behavioral detection at the hardware level. The basic idea is to use information that is accessible through hardware performance counters, a set of special-purpose registers built into modern processors that provide detailed information about hardware and software events. In this paper, we pursue this line of research by presenting HLMD, a novel approach that uses behavioral signatures generated from hardware performance counter traces to instantly detect and disable malicious programs at the beginning of their execution. HLMD is especially suitable for independent malicious programs that can run standalone without having to be attached to a host program. Each behavioral signature is composed of a number of singular values and singular vectors, obtained by applying the singular value decomposition to the hardware performance counter traces of a known malware family. HLMD follows a two-stage heuristic matching strategy that raises detection performance to an acceptable level while reducing the detection complexity to linear time. The results of our experiments on a dataset of benign and malicious programs show that HLMD achieves an average precision, recall, and F-measure of 95.19%, 89.96%, and 92.50%, respectively.
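
The signature construction and two-stage matching outlined in the abstract, as an added illustrative example that is not the paper's code: HPC traces are constructed inline, the family signature is the leading singular value and right singular vector of the stacked traces (computed by power iteration), and the particular stage-1 singular-value check, stage-2 cosine check and their thresholds are assumptions made here, not details taken from the paper.

```python
import math

def make_trace(profile, n_samples, jitter, offset=0):
    """Constructed HPC trace: one row per sampling interval, one column per counter
    (e.g. instructions, branch misses, cache misses, page faults). Each row is the
    profile scaled by an activity level 1..3 plus a small deterministic jitter."""
    return [[max(0, (1 + (i + offset) % 3) * c + jitter * ((i + j + offset) % 3 - 1))
             for j, c in enumerate(profile)] for i in range(n_samples)]

def leading_singular_pair(rows, iters=100):
    """Largest singular value and its right singular vector, by power iteration on A^T A.
    The singular value is divided by sqrt(n) so traces of different length are comparable."""
    n, m = len(rows), len(rows[0])
    v = [1.0 / math.sqrt(m)] * m
    for _ in range(iters):
        av = [sum(r[j] * v[j] for j in range(m)) for r in rows]            # A v
        w = [sum(av[i] * rows[i][j] for i in range(n)) for j in range(m)]  # A^T (A v)
        norm = math.sqrt(sum(x * x for x in w)) or 1.0
        v = [x / norm for x in w]
    sigma = math.sqrt(sum(sum(r[j] * v[j] for j in range(m)) ** 2 for r in rows))
    return sigma / math.sqrt(n), v

def build_signature(family_traces):
    """Rank-1 behavioural signature of a malware family: stack all its traces and
    keep the leading (singular value, singular vector) pair."""
    return leading_singular_pair([row for trace in family_traces for row in trace])

def match(signature, trace, sigma_tol=0.5, cos_min=0.95):
    """Two-stage heuristic match (assumed simplification): stage 1 is a cheap scalar
    comparison of singular values, stage 2 compares the singular vectors by cosine."""
    sig_sigma, sig_v = signature
    sigma, v = leading_singular_pair(trace)
    if abs(sigma - sig_sigma) / sig_sigma > sigma_tol:
        return "reject-stage1"
    cos = abs(sum(a * b for a, b in zip(v, sig_v)))
    return "match" if cos >= cos_min else "reject-stage2"

FAMILY_PROFILE = [100, 30, 5, 2]   # constructed per-interval counter levels of a malware family
BENIGN_PROFILE = [60, 5, 50, 20]   # constructed profile of an unrelated benign program
IDLE_PROFILE = [5, 1, 1, 0]        # constructed near-idle program

# Signature learned from three constructed traces of the family
SIGNATURE = build_signature([make_trace(FAMILY_PROFILE, 30, 2, k) for k in range(3)])

if __name__ == "__main__":
    for name, prof in [("family variant", FAMILY_PROFILE),
                       ("benign", BENIGN_PROFILE), ("idle", IDLE_PROFILE)]:
        print(name, match(SIGNATURE, make_trace(prof, 12, 3, 4)))
```

The benign trace passes the cheap stage-1 check but is rejected by the vector comparison, while the idle trace never reaches stage 2; a short prefix of 12 samples suffices, which is the property the abstract relies on for detection at the start of execution.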


Published In

The Journal of Supercomputing, Volume 75, Issue 8, August 2019 (1600 pages)

Publisher

Kluwer Academic Publishers, United States

Author Tags

1. Malware detection and classification
2. Behavioral signature
3. Hardware performance counter
4. Singular value decomposition
