Comprehensive assessment of run-time hardware-supported malware detection using general and ensemble learning

Sayadi, Hossein; D, Sai Manoj P; Houmansadr, Amir; Rafatirad, Setareh; Homayoun, Houman

doi:10.1145/3203217.3203264

Cited by 22 publications

(10 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…1) Data collection: We used Intel Performance Counter Monitor tool (PCM) [19] to understand hardware (memory and processor) behavior. Several works used performance counters to estimate the performance and power consumption of processors [20], [21], [22] or employed performance counter for enhancing the security [23], [24], [25]. In this work we use performance counters to study the memory behavior.…”

Section: Methodsmentioning

confidence: 99%

Storage and Memory Characterization of Data Intensive Workloads for Bare Metal Cloud

Makrani¹

2018

Preprint

View full text Add to dashboard Cite

As the cost-per-byte of storage systems dramatically decreases, SSDs are finding their ways in emerging cloud infrastructure. Similar trend is happening for main memory subsystem, as advanced DRAM technologies with higher capacity, frequency and number of channels are deploying for cloud-scale solutions specially for non-virtualized environment where cloud subscribers can exactly specify the configuration of underling hardware. Given the performance sensitivity of standard workloads to the memory hierarchy parameters, it is important to understand the role of memory and storage for data intensive workloads. In this paper, we investigate how the choice of DRAM (high-end vs low-end) impacts the performance of Hadoop, Spark, and MPI based Big Data workloads in the presence of different storage types on bare metal cloud. Through a methodical experimental setup, we have analyzed the impact of DRAM capacity, operating frequency, the number of channels, storage type, and scale-out factors on the performance of these popular frameworks. Based on micro-architectural analysis, we classified data-intensive workloads into three groups namely I/O bound, compute bound, and memory bound. The characterization results show that neither DRAM capacity, frequency, nor the number of channels play a significant role on the performance of all studied Hadoop workloads as they are mostly I/O bound. On the other hand, our results reveal that iterative tasks (e.g. machine learning) in Spark and MPI are benefiting from a highend DRAM in particular high frequency and large number of channels, as they are memory or compute bound. Our results show that using SSD PCIe cannot shift the bottleneck from storage to memory, while it can change the workload behavior from I/O bound to compute bound.

show abstract

Section: Methodsmentioning

confidence: 99%

Storage and Memory Characterization of Data Intensive Workloads for Bare Metal Cloud

Makrani¹

2018

Preprint

View full text Add to dashboard Cite

show abstract

“…e DT demonstrates that this architecture is capable of preventing damage, but the TNR on the test set of the DT model is so low (66. 19) that this model cannot be preferred to the RF (81.53 TNR), which still prevents over 90% of file damage.…”

Section: Measuring Damage Prevention In Real Timementioning

confidence: 97%

Real-Time Malware Process Detection and Automated Process Killing

Rhode

Burnap

Wedgbury

2021

Security and Communication Networks

View full text Add to dashboard Cite

Perimeter-based detection is no longer sufficient for mitigating the threat posed by malicious software. This is evident as antivirus (AV) products are replaced by endpoint detection and response (EDR) products, the latter allowing visibility into live machine activity rather than relying on the AV to filter out malicious artefacts. This paper argues that detecting malware in real-time on an endpoint necessitates an automated response due to the rapid and destructive nature of some malware. The proposed model uses statistical filtering on top of a machine learning dynamic behavioural malware detection model in order to detect individual malicious processes on the fly and kill those which are deemed malicious. In an experiment to measure the tangible impact of this system, we find that fast-acting ransomware is prevented from corrupting 92% of files with a false positive rate of 14%. Whilst the false-positive rate currently remains too high to adopt this approach as-is, these initial results demonstrate the need for a detection model that is able to act within seconds of the malware execution beginning; a timescale that has not been addressed by previous work.

show abstract

“…ROC measures the Area Under the Curve (AUC) for evaluating the robustness of each ML classifier [1,4]. The ROC corresponds to the probability that the classifier correctly identified which application is malware and which is benign.…”

Section: Comparison Of Receiver Operating Characteristicsmentioning

confidence: 99%

“…These programs are used to compromise user data and cripple networks [2,3]. The recent proliferation of computing devices in mobile and Internet-of-Things (IoTs) domains further exacerbates the malware attacks and calls for eective malware detection techniques [1,4]. A recent survey showed that the number of security incidents in 2014 rose to 42.8 million incidents [5].…”

Section: Introductionmentioning

confidence: 99%

Malware Detection at the Microarchitecture Level using Machine Learning Techniques

Kwan

2020

Preprint

View full text Add to dashboard Cite

Spring 2020 Detection of malware cyber-attacks at the processor microarchitecture level has recently emerged as a promising solution to enhance the security of computer systems. Security mechanisms, such as hardware-based malware detection, use machine learning algorithms to classify and detect malware with the aid of Hardware Performance Counters (HPCs) information. The ML classifiers are fed microarchitectural data extracted from Hardware Performance Counters (HPCs), which contain behavioral data about a software program. These HPCs are captured at run-time to model the program's behavior. Since the amount of HPCs are limited per processor, many techniques employ feature reduction to reduce the amount of HPCs down to the most essential attributes. Previous studies have already used binary classification to implement their malware detection after doing extensive feature reduction. This results in a simple identification of software being either malware or benign. This research comprehensively analyzes different hardwarebased malware detectors by comparing different machine learning algorithms' accuracy with binary and multi-class classification models. Our experimental results indicate that when compared to complex machine learning models (e. g. Neural Network and Logistic), light-weight J48 and JRip algorithms perform better in detecting the malicious patterns even with the introduction of multiple types of malware. Although their detection accuracy slightly lowers, their robustness (Area Under the Curve) is still high enough that they deliver a reasonable false positive rate.

show abstract

Comprehensive assessment of run-time hardware-supported malware detection using general and ensemble learning

Cited by 22 publications

References 8 publications

Storage and Memory Characterization of Data Intensive Workloads for Bare Metal Cloud

Storage and Memory Characterization of Data Intensive Workloads for Bare Metal Cloud

Real-Time Malware Process Detection and Automated Process Killing

Malware Detection at the Microarchitecture Level using Machine Learning Techniques

Contact Info

Product

Resources

About