Unsupervised Anomaly-Based Malware Detection Using Hardware Features

  • Conference paper
Research in Attacks, Intrusions and Defenses (RAID 2014)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 8688)

Abstract

Recent works have shown promise in detecting malware programs based on their dynamic microarchitectural execution patterns. Compared to higher-level features like OS and application observables, these microarchitectural features are efficient to audit and harder for adversaries to control directly in evasion attacks. These data can be collected at low overhead using the hardware performance counters (HPC) widely available in modern processors. In this work, we advance the use of hardware-supported lower-level features to detect malware exploitation in an anomaly-based detector. This allows us to detect a wider range of malware, even zero days. As we show empirically, the microarchitectural characteristics of benign programs are noisy, and the deviations exhibited by malware exploits are minute. We demonstrate that with careful selection and extraction of the features combined with unsupervised machine learning, we can build baseline models of benign program execution and use these profiles to detect deviations that occur as a result of malware exploitation. We show that detection of real-world exploitation of popular programs such as IE and Adobe PDF Reader on a Windows/x86 platform works well in practice. We also examine the limits and challenges in implementing this approach in the face of a sophisticated adversary attempting to evade anomaly-based detection. The proposed detector is complementary to previously proposed signature-based detectors, and the two can be used together to improve security.



Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Tang, A., Sethumadhavan, S., Stolfo, S.J. (2014). Unsupervised Anomaly-Based Malware Detection Using Hardware Features. In: Stavrou, A., Bos, H., Portokalidis, G. (eds) Research in Attacks, Intrusions and Defenses. RAID 2014. Lecture Notes in Computer Science, vol 8688. Springer, Cham. https://doi.org/10.1007/978-3-319-11379-1_6

  • DOI: https://doi.org/10.1007/978-3-319-11379-1_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-11378-4

  • Online ISBN: 978-3-319-11379-1

  • eBook Packages: Computer Science, Computer Science (R0)
