Malware Detection with Convolutional Neural Network Using Hardware Events

  • Wei Guo
  • Tenghai WangEmail author
  • Jizeng Wei
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 600)


Detection of malicious programs (i.e., malwares) is a great challenge due to increasing amount and variety of attacks. Recent works have shown that machine learning, especially neural network, performs well in malware detection. In this paper, convolution neural network (CNN) is used to build the malware classification model. Different from other works, our work uses hardware events to generate the feature image of programs. These hardware events, such as cache miss rate, branch misprediction rate, can be collected from the performance counter in the Intel CPUs. We train CNN with kinds of data sizes and kernel sizes, and evaluate the result by the area under a receiver operating characteristics (ROC) curve (AUC). The results show the proposed classification model can achieve AUC = 0.9973 in best case and the influence by the data size or kernel size is very little. Moreover, by comparison with other CNNs trained with software-based features, it is indicated that the proposed model has higher accuracy than the other ones.


Malware detection Hardware events Convolution neural network 



The work was supported in part by the National Nature Science Foundation of China, 61402321, by Natural Science Foundation of Tianjin, 15JCQNJC00100 and Tianjin Key Laboratory of Advanced Networking (TANK).


  1. 1.
    The AV-TEST Institute. Accessed 25 June 2017
  2. 2.
    Christodorescu, M., Jha, S., Kruegel, C.: Mining specifications of malicious behavior. In: Proceedings of the 1st India Software Engineering Conference, pp. 5–14. ACM (2008)Google Scholar
  3. 3.
    Das, S., Xiao, H., Liu, Y., et al.: Online malware defense using attack behavior model. In: 2016 IEEE International Symposium on Circuits and Systems (ISCAS), pp. 1322–1325. IEEE (2016)Google Scholar
  4. 4.
    Kapoor, A., Dhavale, S.: Control flow graph based multiclass malware detection using bi-normal separation. Def. Sci. J. 66(2), 138–145 (2016)CrossRefGoogle Scholar
  5. 5.
    Tobiyama, S., Yamaguchi, Y., Shimada, H., et al.: Malware detection with deep neural network using process behavior. In: Computer Software and Applications Conference (COMPSAC), vol. 2, pp. 577–582. IEEE (2016)Google Scholar
  6. 6.
    Intel VTune Amplifier 2016. Accessed 25 June 2017
  7. 7.
    Cesare, S., Xiang, Y.: Classification of malware using structured control flow. In: Eighth Australasian Symposium on Parallel and Distributed Computing, pp. 61–70. Australian Computer Society, Inc. (2010)Google Scholar
  8. 8.
    Cesare, S., Xiang, Y.: Malware variant detection using similarity search over sets of control flow graphs. In: IEEE International Conference on Trust, Security and Privacy in Computing and Communications, vol. 21, pp. 181–189. IEEE (2011)Google Scholar
  9. 9.
    Wu, W.C., Hung, S.H.: DroidDolphin: a dynamic Android malware detection framework using big data and machine learning. In: Proceedings of the 2014 Conference on Research in Adaptive and Convergent Systems. pp. 247–252. ACM (2014)Google Scholar
  10. 10.
    Yeh, C.W., Yeh, W.T., Hung, S.H., et al.: Flattened data in convolutional neural networks: using malware detection as case study. In: Proceedings of the International Conference on Research in Adaptive and Convergent Systems. pp. 130–135. ACM (2016)Google Scholar
  11. 11.
    Das, S., Liu, Y., Zhang, W., et al.: Semantics-based online malware detection: towards efficient real-time protection against malware. IEEE Trans. Inf. Forensics Secur. 11(2), 289–302 (2016)CrossRefGoogle Scholar
  12. 12.
    Khasawneh, K.N., Ozsoy, M., Donovick, C., Abu-Ghazaleh, N., Ponomarev, D.: Ensemble learning for low-level hardware-supported malware detection. In: Bos, H., Monrose, F., Blanc, G. (eds.) RAID 2015. LNCS, vol. 9404, pp. 3–25. Springer, Cham (2015). CrossRefGoogle Scholar
  13. 13.
    Tang, A., Sethumadhavan, S., Stolfo, Salvatore J.: Unsupervised anomaly-based malware detection using hardware features. In: Stavrou, A., Bos, H., Portokalidis, G. (eds.) RAID 2014. LNCS, vol. 8688, pp. 109–129. Springer, Cham (2014). Google Scholar
  14. 14.
    Kompalli, S.: Using existing hardware services for malware detection. In: Security and Privacy Workshops (SPW), pp. 204–208. IEEE (2014)Google Scholar
  15. 15.
    Guide, P.: Intel 64 and IA-32 Architectures Software Developers Manual. Volume 3B: System programming Guide, Part 2. Chaps. 18, 19 (2011)Google Scholar
  16. 16.
    Hqx, Accessed 25 June 2017
  17. 17.
    VirusShare. Accessed 25 June 2017
  18. 18.
    MiBench Version 1.0. Accessed 25 June 2017
  19. 19.
    MediaBench Consortium. Accessed 25 June 2017
  20. 20.
    Training LeNet on MNIST with Caffe. Accessed 25 June 2017
  21. 21.
    Fawcett, T.: An introduction to ROC analysis. Pattern Recogn. Lett. 27(8), 861–874 (2016)CrossRefGoogle Scholar

Copyright information

© Springer Nature Singapore Pte Ltd. 2018

Authors and Affiliations

  1. 1.Tianjin Advanced Network Key Lab, School of Computer Science and TechnologyTianjin UniversityTianjinChina

Personalised recommendations