Malware detection using machine learning based analysis of virtual memory access patterns

Zhixing Xu, Sayak Ray, Pramod Subramanyan, Sharad Malik

Research output: Chapter in Book/Report/Conference proceedingConference contribution

104 Scopus citations

Abstract

Malicious software, referred to as malware, continues to grow in sophistication. Past proposals for malware detection have primarily focused on software-based detectors which are vulnerable to being compromised. Thus, recent work has proposed hardware-assisted malware detection. In this paper, we introduce a new framework for hardware-assisted malware detection based on monitoring and classifying memory access patterns using machine learning. This provides for increased automation and coverage through reducing user input on specific malware signatures. The key insight underlying our work is that malware must change control flow and/or data structures, which leaves fingerprints on program memory accesses. Building on this, we propose an online framework for detecting malware that uses machine learning to classify malicious behavior based on virtual memory access patterns. Novel aspects of the framework include techniques for collecting and summarizing per-function/system-call memory access patterns, and a two-level classification architecture. Our experimental evaluation focuses on two important classes of malware (i) kernel rootkits and (ii) memory corruption attacks on user programs. The framework has a detection rate of 99.0% with less than 5% false positives and outperforms previous proposals for hardware-assisted malware detection.

Original languageEnglish (US)
Title of host publicationProceedings of the 2017 Design, Automation and Test in Europe, DATE 2017
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages169-174
Number of pages6
ISBN (Electronic)9783981537093
DOIs
StatePublished - May 11 2017
Event20th Design, Automation and Test in Europe, DATE 2017 - Swisstech, Lausanne, Switzerland
Duration: Mar 27 2017Mar 31 2017

Publication series

NameProceedings of the 2017 Design, Automation and Test in Europe, DATE 2017

Other

Other20th Design, Automation and Test in Europe, DATE 2017
Country/TerritorySwitzerland
CitySwisstech, Lausanne
Period3/27/173/31/17

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Hardware and Architecture
  • Safety, Risk, Reliability and Quality

Fingerprint

Dive into the research topics of 'Malware detection using machine learning based analysis of virtual memory access patterns'. Together they form a unique fingerprint.

Cite this