Intelli-Dynamic Malware Detection Based on Processor Behaviors


Abstract

The number of malicious programs and potentially unwanted applications continues to rise annually, with the total number of malware samples approaching one billion in 2020. In addition, modern malware uses advanced obfuscation techniques such as polymorphism to avoid detection and continue exploiting user privacy. As a result, accurate and timely detection of malware is an urgent issue in the cybersecurity field. Existing hardware-based solutions have applied machine learning algorithms to distinguish between malicious and benign applications based on readings from hardware performance counters (HPCs), and have achieved high accuracy rates for malware detection. However, processors currently on the market have physical limitations that cannot be ignored, such as the number of HPCs that can be read simultaneously. Also, given the astronomical annual costs and complexity associated with malware, proposed HPC-based solutions require improvement in real-time processing and in the intelligence of the learning model. Multiple representations of hardware events as input features need to be thoroughly investigated, along with architectural optimization of existing deep learning models. In this paper, we use the sum of total HPC accesses over a sampling interval and 28 × 28 × 1 images of the same sampling window as two representations of low-level processor behavioral events for input features. Through comprehensive feature selection analysis, we show that malware can be separated from benign applications using the sum of HPC accesses and the images with only five HPCs. We also propose a CNN architecture that reduces the complexity of LeNet5 and achieves higher accuracy than VGGNet. Our results show a 97–99% classification rate for identifying executable malware with the proposed CNN and with ensemble learning models.

Citation (APA)

Pattee, J., & Lee, B. K. (2020). Intelli-Dynamic Malware Detection Based on Processor Behaviors. In Advances in Intelligent Systems and Computing (Vol. 1134, pp. 113–120). Springer. https://doi.org/10.1007/978-3-030-43020-7_16
