Low-overhead robust malware detection using hardware performance counters
The rapid growth of the mobile computer and smartphone market has spurred an increasing need for effective means of protecting users from malware. Existing antivirus (AV) software is only partially effective at combating malware because its heavy reliance on static analysis necessarily lags behind the rate at which new threats are developed or generated. The technology is a hardware method for detecting malware and side-channel attacks on computers and smartphones via software runtime data gathered from performance time varying counters found in most computing hardware. This method uses non-linear machine learning to classify whether the runtime behavior of executing software is abnormal, and thus indicative of present malware. This approach obviates the need to perform exhaustive searches for static malware signatures and enables detection of malware variations that would not be detected by traditional AV software.
Machine learning analysis of software runtime behavior enhances protection against unidentified malware and reduces detection overhead on computers and mobile devices
Scanning for static signatures of the vast array of identified malware software consumes valuable computing resources that can adversely impact performance on mobile devices. By using performance measurements obtained from existing hardware counters built into computing devices, the technology eliminates the high overhead associated with scanning for the static signatures of the vast array of identified malware. Detection of malware by classifying runtime behavior that is not appreciably altered by variations in the malware also increases robustness against unidentified versions of malware that are not yet known to traditional AV software.
The hardware performance data collection performed to train and test the technology has been developed for Linux and Android platforms. The technology’s malware detection engine has been implemented on Linux, and a hardware-based architecture for running the engine has been proposed.
Lead Inventor:
Applications:
- Detection of malware and side-channel attacks on computers and smartphones
- Hardware-based malware detection systems
- Malware-resistant computing and communication hardware for military and intelligence applications
Advantages:
- Use of existing performance counter data reduces computational overhead of malware detection
- Facilitates implementation of future hardware-based malware detectors that cannot be disabled or compromised by malware
- Capable of detecting rootkits and side-channel attacks
- Affords better protection against zero-day threats by detecting unidentified malware
Patent Information:
Tech Ventures Reference: IR CU13241