TY - GEN
T1 - Malware detection using machine learning based analysis of virtual memory access patterns
AU - Xu, Zhixing
AU - Ray, Sayak
AU - Subramanyan, Pramod
AU - Malik, Sharad
N1 - Publisher Copyright:
© 2017 IEEE.
PY - 2017/5/11
Y1 - 2017/5/11
N2 - Malicious software, referred to as malware, continues to grow in sophistication. Past proposals for malware detection have primarily focused on software-based detectors, which are themselves vulnerable to being compromised. Thus, recent work has proposed hardware-assisted malware detection. In this paper, we introduce a new framework for hardware-assisted malware detection based on monitoring and classifying memory access patterns using machine learning. This provides for increased automation and coverage by reducing user input on specific malware signatures. The key insight underlying our work is that malware must change control flow and/or data structures, which leaves fingerprints on program memory accesses. Building on this, we propose an online framework for detecting malware that uses machine learning to classify malicious behavior based on virtual memory access patterns. Novel aspects of the framework include techniques for collecting and summarizing per-function/system-call memory access patterns, and a two-level classification architecture. Our experimental evaluation focuses on two important classes of malware: (i) kernel rootkits and (ii) memory corruption attacks on user programs. The framework has a detection rate of 99.0% with less than 5% false positives and outperforms previous proposals for hardware-assisted malware detection.
AB - Malicious software, referred to as malware, continues to grow in sophistication. Past proposals for malware detection have primarily focused on software-based detectors, which are themselves vulnerable to being compromised. Thus, recent work has proposed hardware-assisted malware detection. In this paper, we introduce a new framework for hardware-assisted malware detection based on monitoring and classifying memory access patterns using machine learning. This provides for increased automation and coverage by reducing user input on specific malware signatures. The key insight underlying our work is that malware must change control flow and/or data structures, which leaves fingerprints on program memory accesses. Building on this, we propose an online framework for detecting malware that uses machine learning to classify malicious behavior based on virtual memory access patterns. Novel aspects of the framework include techniques for collecting and summarizing per-function/system-call memory access patterns, and a two-level classification architecture. Our experimental evaluation focuses on two important classes of malware: (i) kernel rootkits and (ii) memory corruption attacks on user programs. The framework has a detection rate of 99.0% with less than 5% false positives and outperforms previous proposals for hardware-assisted malware detection.
UR - http://www.scopus.com/inward/record.url?scp=85020184448&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85020184448&partnerID=8YFLogxK
U2 - 10.23919/DATE.2017.7926977
DO - 10.23919/DATE.2017.7926977
M3 - Conference contribution
AN - SCOPUS:85020184448
T3 - Proceedings of the 2017 Design, Automation and Test in Europe, DATE 2017
SP - 169
EP - 174
BT - Proceedings of the 2017 Design, Automation and Test in Europe, DATE 2017
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 20th Design, Automation and Test in Europe, DATE 2017
Y2 - 27 March 2017 through 31 March 2017
ER -