Unsupervised Anomaly-Based Malware Detection Using Hardware Features

Recent works have shown promise in using microarchitectural execution patterns to detect malware programs. These detectors belong to a class of detectors known as signaturebased detectors as they catch malware by comparing a program’s execution pattern (signature) to execution patterns of known malware programs. In this work, we propose a new class of detectors — anomaly-based hardware malware detectors — that do not require signatures for malware detection, and thus can catch a wider range of malware including potentially novel ones. We use unsupervised machine learning to build profiles of normal program execution based on data from performance counters, and use these profiles to detect significant deviations in program behavior that occur as a result of malware exploitation. We show that real-world exploitation of popular programs such as IE and Adobe PDF Reader on a Windows/x86 platform can be detected with nearly perfect certainty. We also examine the limits and challenges in implementing this approach in face of a sophisticated adversary attempting to evade anomalybased detection. The proposed detector is complementary to previously proposed signature-based detectors and can be used together to improve security.