Malware-aware processors: A framework for efficient online malware detection

Abstract: Security exploits and ensuant malware pose an increasing challenge to computing systems as the variety and complexity of attacks continue to increase. In response, software-based malware detection tools have grown in complexity, thus making it computationally difficult to use them to protect systems in real-time. Therefore, software detectors are applied selectively and at a low frequency, creating opportunities for malware to remain undetected. In this paper, we propose Malware-Aware Processors (MAP) -process… Show more

“…This dataset is sufficiently large to establish the feasibility and provide a reasonable evaluation of the proposed approach. The features were collected once every 10,000 committed instructions of the program, consistent with the methodology used by earlier works that use this approach [6,23]. These prior studies demonstrated that classification at this frequency effectively balances complexity and detection accuracy for offline [6] and online [23] detection.…”

“…The features were collected once every 10,000 committed instructions of the program, consistent with the methodology used by earlier works that use this approach [6,23]. These prior studies demonstrated that classification at this frequency effectively balances complexity and detection accuracy for offline [6] and online [23] detection. For each program we maintained a sequence of these feature vectors collected every 10K instructions, labeled as either malware or normal.…”

“…We build on Ozsoy et al [23] work that uses low level features to provide a first line of defense to detect suspicious processes. This detector then prioritizes the effort of a heavy weight software detector to look only at programs that are deemed suspicious, forming a two-level detector (TLD).…”

“…We call such features sub-semantic because they do not rely on a semantic model of the monitored program. In recent work, a classifier trained using supervised learning to differentiate malware from normal programs while the programs run was introduced [23]. To tolerate false positives, this system is envisioned as a first step in malware detection to prioritize which processes should be dynamically monitored using a more sophisticated but more expensive second level of protection.…”

“…Subsequently, Ozsoy et al [23] explored a number of low-level features, not only those available through performance counters, and built an online hardware-supported, low-complexity, malware detector. Such low-level features are called sub-semantic since they do not require knowledge of the semantics of the executing program.…”

Ensemble Learning for Low-Level Hardware-Supported Malware Detection

“…This dataset is sufficiently large to establish the feasibility and provide a reasonable evaluation of the proposed approach. The features were collected once every 10,000 committed instructions of the program, consistent with the methodology used by earlier works that use this approach [6,23]. These prior studies demonstrated that classification at this frequency effectively balances complexity and detection accuracy for offline [6] and online [23] detection.…”

“…The features were collected once every 10,000 committed instructions of the program, consistent with the methodology used by earlier works that use this approach [6,23]. These prior studies demonstrated that classification at this frequency effectively balances complexity and detection accuracy for offline [6] and online [23] detection. For each program we maintained a sequence of these feature vectors collected every 10K instructions, labeled as either malware or normal.…”

“…We build on Ozsoy et al [23] work that uses low level features to provide a first line of defense to detect suspicious processes. This detector then prioritizes the effort of a heavy weight software detector to look only at programs that are deemed suspicious, forming a two-level detector (TLD).…”

“…We call such features sub-semantic because they do not rely on a semantic model of the monitored program. In recent work, a classifier trained using supervised learning to differentiate malware from normal programs while the programs run was introduced [23]. To tolerate false positives, this system is envisioned as a first step in malware detection to prioritize which processes should be dynamically monitored using a more sophisticated but more expensive second level of protection.…”

“…Subsequently, Ozsoy et al [23] explored a number of low-level features, not only those available through performance counters, and built an online hardware-supported, low-complexity, malware detector. Such low-level features are called sub-semantic since they do not require knowledge of the semantics of the executing program.…”

Ensemble Learning for Low-Level Hardware-Supported Malware Detection

Online Malware Detection in Cloud Auto-scaling Systems Using Shallow Convolutional Neural Networks

A Deep Malware Detection Method Based on General-Purpose Register Features