Harnessing performance counters to detect malware using deep learning models
Keywords: malware, software performance counters, hardware performance counters, program behaviour, time series classification, deep learning classification models, recurrent neural networks
Computing systems are challenged by security exploits and malware. Methods for detecting anomalies and discovering vulnerabilities in computing systems include malware-aware processors, static program analysis and dynamic program analysis. Dedicated online hardware for malware detection is not always a practical and scalable solution because of its cost. Automated static analysis tools have limited performance and detection capabilities, which may not meet a project's criticality requirements for static analysis. In recent work, dynamic analysis has overtaken static analysis, and several approaches analyze performance counters for this purpose. Performance counters are collected from both the operating system/software and the processor/hardware and stored as time series, 1) in the presence and 2) in the absence of malware. For software performance counters (SPCs), fourteen deep learning models were used for time series classification, while for hardware performance counters (HPCs), ten deep learning models were used. For SPCs, two models were able to accurately detect malware in infected operating systems, while the rest tend to overfit the data. For HPCs, three models were able to detect malware.
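As an added example that is not part of the paper, the following Python sketches the data preparation step the abstract describes: counter samples recorded with and without malware are cut into fixed-length windows, z-normalised per channel, labelled, and split so that whole recordings (not individual overlapping windows) are held out for evaluation. The counter names, values, window length and stride are constructed assumptions, not the paper's.

```python
# Added example (not from the paper): turning raw performance-counter samples
# into labelled, fixed-length windows for time-series classification.
from statistics import mean, pstdev

# Hypothetical software-counter channel names (constructed for illustration).
CHANNELS = ("cpu_user", "ctx_switches", "page_faults")

# Constructed recordings: (label, recording_id, list of per-tick counter dicts).
RECORDINGS = [
    ("benign", "b1", [{"cpu_user": 10 + i % 3, "ctx_switches": 200 + i,
                       "page_faults": 5} for i in range(8)]),
    ("infected", "m1", [{"cpu_user": 80 + i % 5, "ctx_switches": 900 + 10 * i,
                         "page_faults": 40 + i} for i in range(8)]),
]

def windows(samples, length, stride):
    """Cut one recording into fixed-length, possibly overlapping windows."""
    return [samples[s:s + length] for s in range(0, len(samples) - length + 1, stride)]

def znorm(window):
    """Z-normalise each channel inside the window so absolute magnitude
    (which varies with host load) does not dominate the classifier.
    A constant channel has zero spread; its scores are set to 0 rather than NaN."""
    out = []
    for ch in CHANNELS:
        vals = [t[ch] for t in window]
        mu, sd = mean(vals), pstdev(vals) or 1.0
        out.append([(v - mu) / sd for v in vals])
    return out

def build_dataset(recordings, length=4, stride=2):
    """Return (X, y, groups): channel-major windows, 0/1 labels, recording ids."""
    X, y, groups = [], [], []
    for label, rid, samples in recordings:
        for w in windows(samples, length, stride):
            X.append(znorm(w))
            y.append(1 if label == "infected" else 0)
            groups.append(rid)
    return X, y, groups

def grouped_split(groups, held_out):
    """Hold out whole recordings. Overlapping windows from the same recording
    landing in both train and test would inflate accuracy and hide overfitting."""
    train = [i for i, g in enumerate(groups) if g not in held_out]
    test = [i for i, g in enumerate(groups) if g in held_out]
    return train, test

if __name__ == "__main__":
    X, y, groups = build_dataset(RECORDINGS)
    tr, te = grouped_split(groups, {"m1"})
    print(len(X), "windows;", len(tr), "train,", len(te), "test")
```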