[Paper Review] Anomaly Detection for malware identification using Hardware Performance Counters
This paper proposes an unsupervised anomaly detection method for malware identification using the hardware performance counters (HPCs) of modern processors. By monitoring low-level CPU events such as cache misses and branch mispredictions, the approach detects abnormal program behavior indicative of exploits like buffer overflows or return-oriented programming (ROP). Because the detector is trained only on benign executions, it aims to detect unknown malware and advanced persistent threats (APTs) without prior exposure to malicious samples.
Computers are widely used today by most people. Internet-based applications, like e-commerce or e-banking, attract criminals who, using sophisticated techniques, try to introduce malware on the victim's computer. But not only computer users are at risk; smartphone and smartwatch users, smart cities, Internet of Things devices, etc. are too. Different techniques have been tested against malware. Currently, pattern matching is the default approach in antivirus software. Machine learning is also being used successfully. Continuing this trend, in this article we propose an anomaly-based method using the hardware performance counters (HPC) available in almost any modern computer architecture. Because anomaly detection is an unsupervised process, new malware and APTs can be detected even if they are unknown.
Motivation & Objective
- To address the limitation of signature-based antivirus tools in detecting unknown or zero-day malware.
- To explore the feasibility of using hardware performance counters (HPCs) as low-level system features for malware detection.
- To develop an unsupervised anomaly detection approach that identifies deviations from normal program behavior without requiring labeled malware data.
- To evaluate whether HPC-based features can effectively detect sophisticated attack techniques such as buffer overflows and ROP attacks.
Proposed method
- The method leverages hardware performance counters (HPCs) available in modern CPUs to collect low-level metrics such as instructions executed, cycles, data cache misses, and branch mispredictions.
- HPC events are collected during program execution using standard tools like perf or libraries such as PAPI, which keeps the collection step portable across platforms.
- Unsupervised anomaly detection is applied to the HPC feature space to identify outliers, which are treated as potential exploitation attempts.
- Clustering and outlier detection algorithms flag execution patterns that deviate significantly from the normal behavior of the monitored program.
- The method does not require prior knowledge of malware signatures, making it suitable for detecting previously unknown threats like APTs.
- The system is trained only on benign program executions; a run is reported as anomalous when its HPC profile deviates statistically from the benign profile.
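The pipeline described above, as an added example (not the paper's code): parse `perf stat -x,` output into raw event counts, normalise them per instruction so runs of different length are comparable, build a profile from benign runs only, and score a new run against it. It uses a simple per-feature z-score in place of the clustering algorithm the paper uses, and the threshold `Z_THRESHOLD`, the benign counts and the suspect `perf stat` capture are all constructed for illustration. The elevated branch-miss count in the suspect run mirrors what a ROP chain does to the return predictor, since returns land on addresses that no call pushed.

```python
"""Toy HPC anomaly detector (added example; all counts are constructed)."""
import statistics
import subprocess
from typing import Dict, List

EVENTS = ("instructions", "cycles", "cache-misses", "branch-misses")
Z_THRESHOLD = 3.0  # assumption: flag a run when any feature is >3 sigma from benign


def parse_perf_stat(text: str) -> Dict[str, int]:
    """Parse `perf stat -x,` CSV (value,unit,event,runtime,percent,...) into counts.

    Lines starting with '#' are comments; '<not counted>' / '<not supported>'
    values are skipped so a missing event is noticed rather than treated as 0.
    """
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(",")
        if len(fields) < 3 or not fields[0].isdigit():
            continue
        counts[fields[2]] = int(fields[0])
    return counts


def collect_with_perf(cmd: List[str]) -> Dict[str, int]:
    """Run a program under perf stat (needs perf and counter access on the host).
    Not used by the offline demo below."""
    proc = subprocess.run(["perf", "stat", "-x,", "-e", ",".join(EVENTS), "--"] + cmd,
                          capture_output=True, text=True, check=False)
    return parse_perf_stat(proc.stderr)  # perf stat writes its report to stderr


def features(counts: Dict[str, int]) -> Dict[str, float]:
    """Raw counts -> per-instruction rates, so short and long runs compare."""
    missing = [e for e in EVENTS if e not in counts]
    if missing:
        raise ValueError(f"missing HPC events: {missing}")
    instr = counts["instructions"]
    if instr <= 0:
        raise ValueError("no instructions counted")
    return {
        "cpi": counts["cycles"] / instr,
        "cache_miss_rate": counts["cache-misses"] / instr,
        "branch_miss_rate": counts["branch-misses"] / instr,
    }


class BenignProfile:
    """Per-feature mean and stddev learned from benign executions only."""

    def __init__(self, vectors: List[Dict[str, float]]):
        if len(vectors) < 2:
            raise ValueError("need at least two benign runs")
        self.mean: Dict[str, float] = {}
        self.std: Dict[str, float] = {}
        for name in vectors[0]:
            column = [v[name] for v in vectors]
            self.mean[name] = statistics.fmean(column)
            # floor the spread so a constant feature cannot yield an infinite z-score
            self.std[name] = max(statistics.stdev(column), 1e-9)

    def score(self, fv: Dict[str, float]) -> float:
        """Anomaly score: largest absolute z-score across all features."""
        return max(abs(fv[n] - self.mean[n]) / self.std[n] for n in self.mean)

    def is_anomalous(self, fv: Dict[str, float], threshold: float = Z_THRESHOLD) -> bool:
        return self.score(fv) > threshold


# Constructed benign runs of one program on inputs of different sizes.
BENIGN_RUNS = [
    {"instructions": 1_000_000, "cycles": 1_200_000, "cache-misses": 10_000, "branch-misses": 20_000},
    {"instructions": 2_000_000, "cycles": 2_440_000, "cache-misses": 21_000, "branch-misses": 39_000},
    {"instructions": 1_500_000, "cycles": 1_770_000, "cache-misses": 14_700, "branch-misses": 30_900},
    {"instructions": 800_000, "cycles": 944_000, "cache-misses": 8_240, "branch-misses": 16_400},
    {"instructions": 1_200_000, "cycles": 1_464_000, "cache-misses": 11_880, "branch-misses": 23_520},
]

# Constructed `perf stat -x,` capture of a hijacked run: a ROP chain returns to
# addresses no call pushed, so the return predictor misses on nearly every
# gadget and both branch-misses and CPI jump far above the benign profile.
SUSPECT_PERF_OUTPUT = """\
# started on Mon Jan  1 00:00:00 2024 (constructed)
1000000,,instructions,1000000,100.00,,
1600000,,cycles,1000000,100.00,,
10500,,cache-misses,1000000,100.00,,
80000,,branch-misses,1000000,100.00,,
"""


def build_profile() -> BenignProfile:
    return BenignProfile([features(r) for r in BENIGN_RUNS])


def classify(profile: BenignProfile, perf_output: str) -> float:
    """Score one perf stat capture against the benign profile."""
    return profile.score(features(parse_perf_stat(perf_output)))


if __name__ == "__main__":
    profile = build_profile()
    for run in BENIGN_RUNS:
        print("benign  z=%.2f" % profile.score(features(run)))
    s = classify(profile, SUSPECT_PERF_OUTPUT)
    print("suspect z=%.2f %s" % (s, "ANOMALY" if s > Z_THRESHOLD else "ok"))
```

The benign runs all score around one sigma, while the suspect capture scores far above `Z_THRESHOLD` on both CPI and branch-miss rate. Note that the profile is only meaningful for the program and the machine it was built on: event definitions differ between microarchitectures, and raw counts drift between runs, which is why the features are rates rather than absolute counts.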
Experimental results
Research questions
- RQ1: Can hardware performance counters serve as effective features for detecting malicious program behavior, even when the malware is unknown?
- RQ2: How well can unsupervised anomaly detection techniques identify malware exploits such as buffer overflows and ROP chains using HPC data?
- RQ3: To what extent do HPC-based features improve detection of advanced persistent threats (APTs) compared to traditional signature-based methods?
- RQ4: Can the method detect subtle behavioral anomalies caused by memory corruption attacks without requiring labeled malware samples?
Key findings
- The use of hardware performance counters enables detection of malicious behavior at the CPU level, capturing low-level anomalies caused by exploits such as buffer overflows and ROP attacks.
- Unsupervised anomaly detection using HPC features successfully identifies unknown malware and APTs without requiring prior training on malicious samples.
- The method demonstrates effectiveness in detecting attacks that alter normal program execution flow, as evidenced by significant deviations in HPC metrics like cache misses and branch mispredictions.
- Performance counters are widely available across modern architectures, making the approach practical and portable. In practice, counts are not fully deterministic across runs and event definitions differ between microarchitectures, so the benign profile has to be built on the platform where the detector is deployed.
- By focusing on behavioral anomalies rather than known patterns, the approach targets zero-day and polymorphic malware that signature-based methods cannot match.
- The paper reports that HPC-based anomaly detection flags malicious activity with high sensitivity, including cases where the malware uses obfuscation to evade traditional detection.
This review was created by AI and reviewed by human editors.