Abstract
Detecting malicious programs (malware) is a major challenge because of the growing number and variety of attacks. Recent work has shown that machine learning, especially neural networks, performs well in malware detection. In this paper, a convolutional neural network (CNN) is used to build the malware classification model. Unlike other work, ours uses hardware events to generate the feature image of a program. These hardware events, such as the cache miss rate and the branch misprediction rate, can be collected from the performance counters in Intel CPUs. We train the CNN with various data sizes and kernel sizes and evaluate the results by the area under the receiver operating characteristic (ROC) curve (AUC). The results show that the proposed classification model achieves AUC = 0.9973 in the best case, and that the data size and kernel size have very little influence. Moreover, comparison with other CNNs trained on software-based features indicates that the proposed model has higher accuracy than those.
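To make the pipeline in the abstract concrete, the following is an added illustration, not the paper's own code (the paper does not specify its image layout): constructed per-window performance-counter deltas are converted into the two rates named above, packed into a fixed-size grayscale feature image, and a detector's output scores are evaluated by ROC AUC. The counter names, the windows-by-rates layout and the 0..255 scaling are assumptions made here.

```python
"""Added illustration: hardware-event feature image and ROC AUC scoring."""
from typing import Dict, List, Sequence, Tuple

# Constructed per-window raw counter deltas, in the shape a perf-counter
# reader might hand back; the event names are an assumption, not the paper's.
SAMPLE_WINDOWS: List[Dict[str, int]] = [
    {"cache_misses": 50, "cache_refs": 1000, "branch_misses": 20, "branches": 400},
    {"cache_misses": 255, "cache_refs": 255, "branch_misses": 0, "branches": 100},
]


def window_rates(sample: Dict[str, int]) -> Tuple[float, float]:
    """Derive the cache miss rate and branch misprediction rate of one window."""
    cache_rate = sample["cache_misses"] / max(sample["cache_refs"], 1)
    branch_rate = sample["branch_misses"] / max(sample["branches"], 1)
    return cache_rate, branch_rate


def feature_image(samples: Sequence[Dict[str, int]], n_windows: int) -> List[List[int]]:
    """Pack consecutive window rates into an n_windows x 2 grayscale image.

    Rates lie in [0, 1], so each pixel is the rate scaled to 0..255; sequences
    shorter than n_windows are zero-padded, longer ones are truncated.
    """
    rows = []
    for sample in samples[:n_windows]:
        rows.append([min(255, int(round(r * 255))) for r in window_rates(sample)])
    while len(rows) < n_windows:
        rows.append([0, 0])
    return rows


def roc_auc(scores: Sequence[float], labels: Sequence[int]) -> float:
    """AUC as the probability that a malware sample (label 1) outranks a
    benign one (label 0); ties count half (rank-sum formulation)."""
    pos = [s for s, lab in zip(scores, labels) if lab == 1]
    neg = [s for s, lab in zip(scores, labels) if lab == 0]
    if not pos or not neg:
        raise ValueError("AUC needs both a positive and a negative class")
    wins = 0.0
    for p in pos:
        for n in neg:
            wins += 1.0 if p > n else 0.5 if p == n else 0.0
    return wins / (len(pos) * len(neg))


if __name__ == "__main__":
    print(feature_image(SAMPLE_WINDOWS, n_windows=3))
    # Constructed detector scores for 2 malware and 3 benign programs.
    print(roc_auc([0.9, 0.8, 0.3, 0.7, 0.2], [1, 1, 0, 0, 0]))
```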
Acknowledgement
The work was supported in part by the National Natural Science Foundation of China (61402321), the Natural Science Foundation of Tianjin (15JCQNJC00100) and the Tianjin Key Laboratory of Advanced Networking (TANK).
© 2018 Springer Nature Singapore Pte Ltd.
Cite this paper
Guo, W., Wang, T., Wei, J. (2018). Malware Detection with Convolutional Neural Network Using Hardware Events. In: Xu, W., Xiao, L., Li, J., Zhang, C., Zhu, Z. (eds) Computer Engineering and Technology. NCCET 2017. Communications in Computer and Information Science, vol 600. Springer, Singapore. https://doi.org/10.1007/978-981-10-7844-6_11
DOI: https://doi.org/10.1007/978-981-10-7844-6_11
Publisher Name: Springer, Singapore
Print ISBN: 978-981-10-7843-9
Online ISBN: 978-981-10-7844-6
eBook Packages: Computer Science (R0)