TY - JOUR
T1 - Accurate and Robust Malware Detection
T2 - Running XGBoost on Runtime Data from Performance Counters
AU - Elnaggar, Rana
AU - Servadei, Lorenzo
AU - Mathur, Shubham
AU - Wille, Robert
AU - Ecker, Wolfgang
AU - Chakrabarty, Krishnendu
N1 - Publisher Copyright:
© 1982-2012 IEEE.
PY - 2022/7/1
Y1 - 2022/7/1
N2 - Malware applications are one of the major threats that computing systems face today. While security researchers develop new defense mechanisms to detect malware, attackers continue to release new malware families that evade detection. New defense mechanisms must therefore be developed to effectively counter malware. Hardware performance counters (HPCs) have been recently proposed as a means to detect malware. However, recent work has also shown that malware detection is not effective when performance counters are sampled in realistic scenarios. We show how proper data preprocessing and the use of the XGBoost classifier can be used to improve the performance of malware detection using HPCs by at least 15%. We also show that the proposed method can detect malware early (shortly after its launch) by classifying HPC datastreams at short time intervals. In addition, we propose a multitemporal classification model that ensures the early detection of a high percentage of malware while maintaining overall low false positive rates. Finally, we show that through robust training, the XGBoost classifier shows up to 50x less vulnerability to adversarial attacks that are intended to undermine its malware detection performance.
AB - Malware applications are one of the major threats that computing systems face today. While security researchers develop new defense mechanisms to detect malware, attackers continue to release new malware families that evade detection. New defense mechanisms must therefore be developed to effectively counter malware. Hardware performance counters (HPCs) have been recently proposed as a means to detect malware. However, recent work has also shown that malware detection is not effective when performance counters are sampled in realistic scenarios. We show how proper data preprocessing and the use of the XGBoost classifier can be used to improve the performance of malware detection using HPCs by at least 15%. We also show that the proposed method can detect malware early (shortly after its launch) by classifying HPC datastreams at short time intervals. In addition, we propose a multitemporal classification model that ensures the early detection of a high percentage of malware while maintaining overall low false positive rates. Finally, we show that through robust training, the XGBoost classifier shows up to 50x less vulnerability to adversarial attacks that are intended to undermine its malware detection performance.
KW - Computer security
KW - Machine learning
KW - Microprocessors
UR - http://www.scopus.com/inward/record.url?scp=85112662558&partnerID=8YFLogxK
U2 - 10.1109/TCAD.2021.3102007
DO - 10.1109/TCAD.2021.3102007
M3 - Article
AN - SCOPUS:85112662558
SN - 0278-0070
VL - 41
SP - 2066
EP - 2079
JO - IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems
JF - IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems
IS - 7
ER -