Journal of Supercomputing
HLMD: a signature-based approach to hardware-level behavioral malware detection and classification

Abstract

Malicious programs, or malware, often use code obfuscation techniques to make static analysis difficult. To deal with this problem, various behavioral detection techniques have been proposed that focus on runtime behavior to distinguish between benign and malicious programs. The majority of them are based on the analysis and modeling of system call traces, which are a common type of audit data often used to describe the interaction between programs and the operating system. However, these techniques are not widely used in practice because of high performance overheads. An alternative approach is to perform behavioral detection at the hardware level. The basic idea is to use information that is accessible through hardware performance counters, which are a set of special-purpose registers built into modern processors providing detailed information about hardware and software events. In this paper, we pursue this line of research by presenting HLMD, a novel approach that uses behavioral signatures generated from hardware performance counter traces to instantly detect and disable malicious programs at the beginning of their execution. HLMD is especially suitable for independent malicious programs that can be run standalone without having to be attached to a host program. Each behavioral signature is composed of some number of singular values and singular vectors, obtained by applying the singular value decomposition to the hardware performance counter traces of a known malware family. HLMD follows a two-stage heuristic matching strategy to increase the detection performance to an acceptable level while reducing the detection complexity to linear time. The results of our experiments performed on a dataset of benign and malicious programs show that HLMD can achieve an average precision, recall, and F-measure of 95.19%, 89.96%, and 92.50%, respectively.
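To make the abstract's two ideas concrete (a family signature made of singular values and singular vectors of hardware performance counter traces, and a two-stage matcher whose cost stays linear in trace length), here is an added example. It is not the HLMD authors' code and does not reproduce their heuristics: the counter set, the constructed traces, the per-counter z-scoring, the cosine pre-filter in stage 1, the residual-energy threshold in stage 2 and the choice of k are all assumptions made for this illustration. It is pure Python so it runs without numpy.

```python
"""SVD-based behavioral signatures over HPC traces with two-stage matching.
Added illustration, not HLMD's code; counters, traces, z-scoring, cosine
pre-filter and residual threshold are assumptions made for this demo."""
import math
import random

COUNTERS = ("instructions", "branches", "cache_misses", "branch_misses")  # assumed set
D = len(COUNTERS)


def make_trace(profile, n_windows, rng, jitter=0.2, noise=0.02, shared_level=True):
    """Constructed trace: one row of counter deltas per sampling window.
    shared_level=True scales every counter with one activity level per window
    (correlated, as real workloads tend to be); False jitters each counter on
    its own, keeping the same average mix but breaking the correlation."""
    rows = []
    for _ in range(n_windows):
        level = rng.uniform(1 - jitter, 1 + jitter)
        row = []
        for p in profile:
            lv = level if shared_level else rng.uniform(1 - jitter, 1 + jitter)
            row.append(p * lv * (1 + rng.gauss(0, noise)))
        rows.append(row)
    return rows


def _mean_std(rows):
    n = len(rows)
    mu = [sum(r[j] for r in rows) / n for j in range(D)]
    sd = [math.sqrt(sum((r[j] - mu[j]) ** 2 for r in rows) / n) or 1.0 for j in range(D)]
    return mu, sd


def _zscore(rows, mu, sd):
    return [[(r[j] - mu[j]) / sd[j] for j in range(D)] for r in rows]


def _cosine(a, b):
    na = math.sqrt(sum(x * x for x in a)) or 1.0
    nb = math.sqrt(sum(x * x for x in b)) or 1.0
    return sum(x * y for x, y in zip(a, b)) / (na * nb)


def top_singular(z, k, iters=200):
    """Top-k right singular vectors/values of the n x D matrix z: power
    iteration with deflation on the D x D Gram matrix z^T z."""
    g = [[sum(r[i] * r[j] for r in z) for j in range(D)] for i in range(D)]
    vecs, vals = [], []
    for _ in range(k):
        v = [1.0 + 0.1 * i for i in range(D)]  # deterministic start vector
        for _ in range(iters):
            w = [sum(g[i][j] * v[j] for j in range(D)) for i in range(D)]
            for u in vecs:  # keep orthogonal to vectors already found
                c = sum(a * b for a, b in zip(w, u))
                w = [a - c * b for a, b in zip(w, u)]
            norm = math.sqrt(sum(a * a for a in w)) or 1.0
            v = [a / norm for a in w]
        lam = sum(v[i] * g[i][j] * v[j] for i in range(D) for j in range(D))
        vecs.append(v)
        vals.append(math.sqrt(max(lam, 0.0)))  # singular value = sqrt(eigenvalue)
        g = [[g[i][j] - lam * v[i] * v[j] for j in range(D)] for i in range(D)]
    return vecs, vals


def residual_energy(z, vecs):
    """Mean per-dimension energy of z not explained by span(vecs); O(n*D*k)."""
    total = 0.0
    for r in z:
        proj = [0.0] * D
        for v in vecs:
            c = sum(a * b for a, b in zip(r, v))
            proj = [p + c * b for p, b in zip(proj, v)]
        total += sum((a - p) ** 2 for a, p in zip(r, proj))
    return total / (len(z) * D)


def build_signature(family_traces, k=2, margin=5.0):
    """Signature = per-counter mean/std, top-k singular vectors and values of
    the family's z-scored traces, and a residual threshold fitted on them."""
    rows = [r for t in family_traces for r in t]
    mu, sd = _mean_std(rows)
    z = _zscore(rows, mu, sd)
    vecs, vals = top_singular(z, k)
    return {"mu": mu, "sd": sd, "vectors": vecs, "values": vals,
            "threshold": margin * residual_energy(z, vecs)}


def match(trace, sig, min_cos=0.98):
    """Two-stage check, both linear in the number of windows: stage 1 rejects
    cheaply on the mean counter mix, stage 2 tests how much of the z-scored
    trace the signature subspace fails to explain."""
    if not trace:
        return False, "empty trace"
    mean = [sum(r[j] for r in trace) / len(trace) for j in range(D)]
    cos = _cosine(mean, sig["mu"])
    if cos < min_cos:
        return False, "stage1: profile mismatch (cos=%.3f)" % cos
    resid = residual_energy(_zscore(trace, sig["mu"], sig["sd"]), sig["vectors"])
    if resid > sig["threshold"]:
        return False, "stage2: residual %.3f > %.3f" % (resid, sig["threshold"])
    return True, "stage2: residual %.3f <= %.3f" % (resid, sig["threshold"])


def demo():
    rng = random.Random(7)
    fam = [1000.0, 200.0, 50.0, 5.0]  # constructed family counter mix
    sig = build_signature([make_trace(fam, 60, rng) for _ in range(4)])
    results = {
        "member": match(make_trace(fam, 40, rng), sig),
        "other_program": match(make_trace([1000.0, 50.0, 400.0, 40.0], 40, rng), sig),
        "lookalike": match(make_trace(fam, 40, rng, shared_level=False), sig),
    }
    return sig, results


if __name__ == "__main__":
    _, results = demo()
    for name, (hit, why) in results.items():
        print("%-14s %-5s %s" % (name, hit, why))
```

The three constructed cases show why two stages help: a program with a different counter mix is dropped by the cheap stage 1 without touching the subspace, a new run of the family passes both stages, and a look-alike with the same average mix but no correlated scaling passes stage 1 yet leaves most of its energy outside the family's singular vectors, so stage 2 rejects it. Per-counter standardisation before the SVD matters in practice because raw counter magnitudes differ by orders of magnitude and would otherwise dominate the decomposition.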