Hardware performance counters can detect malware: Myth or fact?
Published in AsiaCSS, 2018
Recommended citation: B Zhou, A Gupta, R Jahanshahi, M Egele, and A Joshi. Hardware performance counters can detect malware: myth or fact?. Proceedings of Asia conference on computer and communications security (Asia CCS). 2018 https://dl.acm.org/doi/pdf/10.1145/3196494.3196515
The ever-increasing prevalence of malware has led to the explorations of various detection mechanisms. Several recent works propose to use Hardware Performance Counters (HPCs) values with machine learning classification models for malware detection. HPCs are hardware units that record low-level micro-architectural behavior, such as cache hits/misses, branch (mis prediction, and load/store operations. However, this information does not reliably capture the nature of the application, i.e., whether it is benign or malicious.
In this paper, we claim and experimentally support that using the micro-architectural level information obtained from HPCs cannot distinguish between benignware and malware. We evaluate the idelity of malware detection using HPCs. We perform quantitative analysis using Principal Component Analysis (PCA) to systematically select micro-architectural events that have the most predictive powers. We then run 1,924 programs, 962 benignware and 962 malware, on our experimental setups. We achieve 83.39%, 84.84%, 83.59%, 75.01%, 78.75%, and 14.32% F1-score (a metric of detection rates) of Decision Tree (DT), Random Forest (RF), K Near- est Neighbors (KNN), Adaboost, Neural Net (NN), and Naive Bayes, respectively. We cross-validate our models 1,000 times to show the distributions of detection rates in various models. Our cross- validation analysis shows that many of the experiments produce low F1-scores. The F1-score of models in DT, RF, KNN, Adaboost, NN, and Naive Bayes is 80.22%, 81.29%, 80.22%, 70.32%, 35.66%, and 9.903%, respectively. To further highlight the incapability of malware detection using HPCs, we show that one benignware (Notepad++) infused with malware (ransomware) cannot be de- tected by HPC-based malware detection.
Recommended citation: B Zhou, A Gupta, R Jahanshahi, M Egele, and A Joshi. Hardware performance counters can detect malware: myth or fact?. Proceedings of Asia conference on computer and communications security (Asia CCS). 2018.