DOI: 10.1145/2485922.2485970

On the feasibility of online malware detection with performance counters

Published: 23 June 2013

ABSTRACT

The proliferation of computers in any domain is followed by the proliferation of malware in that domain. Systems, including the latest mobile platforms, are laden with viruses, rootkits, spyware, adware and other classes of malware. Despite the existence of anti-virus software, malware threats persist and are growing, as there are myriad ways to subvert anti-virus (AV) software. In fact, attackers today exploit bugs in the AV software itself to break into systems.

In this paper, we examine the feasibility of building a malware detector in hardware using existing performance counters. We find that data from performance counters can be used to identify malware and that our detection techniques are robust to minor variations in malware programs. As a result, after examining a small set of variations within a family of malware on Android ARM and Intel Linux platforms, we can detect many variations within that family. Further, our proposed hardware modifications allow the malware detector to run securely beneath the system software, thus setting the stage for AV implementations that are simpler and less buggy than software AV. Combined, the robustness and security of hardware AV techniques have the potential to advance state-of-the-art online malware detection.
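The detection pipeline the abstract sketches, as an added example that is not the paper's code: each sampling interval yields a vector of counter readings, those readings are normalised to rates per retired instruction, a classifier trained on benign programs plus a few known variants of one family labels each interval, and a majority vote over a run gives the online verdict. The event names are the generic Linux `perf` event names one would pass to `perf stat -I`; the per-instruction rate features, the nearest-centroid classifier and every program profile below are assumptions constructed for the illustration, not measurements and not the paper's learner.

```python
"""Family-level malware detection from hardware performance counter samples.
Illustration only: all profiles and traces are CONSTRUCTED, and the feature
layout and classifier are assumptions, not the paper's method."""
import math
import random

# Events assumed to be read once per sampling interval, e.g. with
#   perf stat -I <ms> -e instructions,branches,branch-misses,L1-dcache-load-misses
EVENTS = ("instructions", "branches", "branch-misses", "L1-dcache-load-misses")
RATE_EVENTS = EVENTS[1:]


def to_features(sample):
    """Convert one interval's raw counts into rates per retired instruction,
    so the vector does not depend on how long the process ran in the interval."""
    ins = float(sample["instructions"])
    if ins <= 0:
        raise ValueError("interval with no retired instructions")
    return [sample[e] / ins for e in RATE_EVENTS]


def synth_trace(rng, profile, intervals, jitter=0.08):
    """CONSTRUCTED data: `profile` maps each rate event to its mean rate per
    instruction; every interval is a noisy draw around that mean."""
    trace = []
    for _ in range(intervals):
        ins = rng.randint(800_000, 1_200_000)
        sample = {"instructions": ins}
        for e in RATE_EVENTS:
            rate = max(0.0, profile[e] * (1.0 + rng.gauss(0.0, jitter)))
            sample[e] = int(ins * rate)
        trace.append(sample)
    return trace


def perturb(profile, rng, spread):
    """Derive a 'variant' of a family: same profile, each rate shifted by up to +/-spread."""
    return {e: r * (1.0 + rng.uniform(-spread, spread)) for e, r in profile.items()}


class NearestCentroid:
    """Minimal classifier: standardise each feature over the training set, then
    pick the label whose centroid is closest.  A stand-in for a real learner."""

    def fit(self, X, y):
        n, d = len(X), len(X[0])
        self.mean = [sum(x[j] for x in X) / n for j in range(d)]
        self.std = [math.sqrt(sum((x[j] - self.mean[j]) ** 2 for x in X) / n) or 1.0
                    for j in range(d)]
        sums, counts = {}, {}
        for x, label in zip(X, y):
            z = self._z(x)
            acc = sums.setdefault(label, [0.0] * d)
            for j in range(d):
                acc[j] += z[j]
            counts[label] = counts.get(label, 0) + 1
        self.centroids = {lbl: [v / counts[lbl] for v in acc] for lbl, acc in sums.items()}
        return self

    def _z(self, x):
        return [(x[j] - self.mean[j]) / self.std[j] for j in range(len(x))]

    def predict(self, x):
        z = self._z(x)
        return min(self.centroids,
                   key=lambda lbl: sum((a - b) ** 2 for a, b in zip(z, self.centroids[lbl])))


def classify_trace(clf, trace):
    """Online use: label every interval, then majority-vote over the run so a few
    atypical intervals (startup, I/O wait) do not flip the verdict."""
    votes = {}
    for s in trace:
        lbl = clf.predict(to_features(s))
        votes[lbl] = votes.get(lbl, 0) + 1
    return max(votes, key=votes.get), votes


# Constructed profiles (rates per instruction); invented for the example, not measured.
BENIGN = {
    "compress": {"branches": 0.12, "branch-misses": 0.004, "L1-dcache-load-misses": 0.020},
    "render":   {"branches": 0.18, "branch-misses": 0.012, "L1-dcache-load-misses": 0.035},
}
FAMILY_A = {"branches": 0.26, "branch-misses": 0.040, "L1-dcache-load-misses": 0.090}


def build_detector(seed=7, variants=3):
    """Train on benign programs plus a small set of known variants of one family."""
    rng = random.Random(seed)
    X, y = [], []
    for prof in BENIGN.values():
        for s in synth_trace(rng, prof, 60):
            X.append(to_features(s))
            y.append("benign")
    for _ in range(variants):
        for s in synth_trace(rng, perturb(FAMILY_A, rng, 0.10), 60):
            X.append(to_features(s))
            y.append("family_A")
    return NearestCentroid().fit(X, y), rng


def demo():
    """Classify a variant never seen in training, and a benign run, by majority vote."""
    clf, rng = build_detector()
    unseen_variant = perturb(FAMILY_A, rng, 0.15)
    verdict_mal, _ = classify_trace(clf, synth_trace(rng, unseen_variant, 40))
    verdict_ben, _ = classify_trace(clf, synth_trace(rng, BENIGN["render"], 40))
    return verdict_mal, verdict_ben


if __name__ == "__main__":
    print(demo())  # prints ('family_A', 'benign')
```

Running it prints `('family_A', 'benign')`: a variant perturbed further than anything in the training set is still attributed to its family, which is the robustness property the abstract claims. Two caveats matter for anyone deploying something like this. A user-space collector such as `perf` is itself system software, so a rootkit can blind it or feed it fabricated counts; the hardware modifications the abstract proposes exist precisely so that sampling and classification run beneath the OS. And a centroid over three rates is only a stand-in: counter semantics differ across microarchitectures, so a model must be trained on the hardware it will run on, and any benign program whose rates drift into the family's region will be flagged, so the false-positive rate has to be measured rather than assumed.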

Published in

ISCA '13: Proceedings of the 40th Annual International Symposium on Computer Architecture
June 2013, 686 pages
ISBN: 9781450320795
DOI: 10.1145/2485922

ACM SIGARCH Computer Architecture News, Volume 41, Issue 3 (ISCA '13)
June 2013, 666 pages
ISSN: 0163-5964
DOI: 10.1145/2508148

Copyright © 2013 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

Publisher: Association for Computing Machinery, New York, NY, United States

Acceptance rates: ISCA '13 accepted 56 of 288 submissions (19%); overall acceptance rate 543 of 3,203 submissions (17%).