On the feasibility of online malware detection with performance counters

Proceedings - International Symposium on Computer Architecture

Volumn , Issue , 2013, Pages 559-570

  Demme, John ^a   Maycock, Matthew ^a   Schmitz, Jared ^a   Tang, Adrian ^a   Waksman, Adam ^a   Sethumadhavan, Simha ^a   Stolfo, Salvatore ^a  

^a Columbia University ^*  (United States)

Author keywords

Machine learning; Malware detection; Performance counters

Indexed keywords

ANTI VIRUS; ANTIVIRUS SOFTWARES; HARDWARE MODIFICATIONS; LINUX PLATFORM; MALWARE DETECTION; MOBILE PLATFORM; PERFORMANCE COUNTERS; SYSTEM SOFTWARES;

COMPUTER ARCHITECTURE; COMPUTER HARDWARE; COMPUTER OPERATING SYSTEMS; COMPUTER VIRUSES; DETECTORS; HARDWARE; LEARNING SYSTEMS;

PROGRAM DEBUGGING;

EID: 84881191238     PISSN: 10636897     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2485922.2485970     Document Type: Conference Paper

References (27)

1. B. Stone-Gross, R. Abman, R. Kemmerer, C. Kruegel, D. Steigerwald, and G. Vigna, "The underground economy of fake antivirus software," in Economics of Information Security and Privacy III (B. Schneier, ed.), pp. 55-78, Springer New York, 2013.
2. J. Caballero, C. Grier, C. Kreibich, and V. Paxson, "Measuring Pay-per-Install: The commoditization of malware distribution," in Proc. of the 20th USENIX Security Symp., 2011.
3. Trend Micro Corporation, "Russian underground.,"
4. R. Langner, "Stuxnet: Dissecting a Cyberwarfare Weapon," Security & Privacy, IEEE, Vol. 9, no. 3, pp. 49-51, 2011.
5. Laboratory of Cryptography and System Security (CrySyS Lab), "sKyWIper: A Complex Malware for Targeted Attacks," Tech. Rep. v1.05, Budapest University of Technology and Economics, May 2012.
6. E. Chien, L. OMurchu, and N. Falliere, "W32. Duqu: The Precursor to the Next Stuxnet," in Proc. of the 5th USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), 2012.
7. Z. Ramzan, V. Seshadri, and C. Nachenberg, "Reputation-based security: An analysis of real world effectiveness," Sep 2009.
8. L. Bilge and T. Dumitras, "Before we knew it: an empirical study of zero-day attacks in the real world," in Proc. of the 2012 ACM conf. on Computer and communications security, pp. 833-844, 2012.
9. S. Jana and V. Shmatikov, "Abusing file processing in malware detectors for fun and profit," in IEEE Symposium on Security and Privacy, pp. 80-94, 2012.
10. P. SzÃur and P. Ferrie, "Hunting for metamorphic," in In Virus Bulletin Conference, pp. 123-144, 2001.
11. A. Lanzi, D. Balzarotti, C. Kruegel, M. Christodorescu, and E. Kirda, "Accessminer: using system-centric models for malware protection," in Proc. of the 17th ACM conf. on Computer and communications security, pp. 399-412, 2010.
12. M. Christodorescu, S. Jha, and C. Kruegel, "Mining specifications of malicious behavior," in Proc. of the the 6th joint meeting of the European software engineering conf. and the ACM SIGSOFT symp. on The foundations of software engineering, ESEC-FSE '07, pp. 5-14, 2007.
13. S. Forrest, S. A. Hofmeyr, A. Somayaji, and T. A. Longstaff, "A sense of self for unix processes," in Proc. of the 1996 IEEE Symp. on Security and Privacy, pp. 120-135, 1996.
14. W. Lee, S. J. Stolfo, and K. W. Mok, "A data mining framework for building intrusion detection models," in In IEEE Symposium on Security and Privacy, pp. 120-132, 1999.
15. K. Rieck, T. Holz, C. Willems, P. Düssel, and P. Laskov, "Learning and classification of malware behavior," in Proc. of the 5th intl. conf. on Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 108-125, Springer-Verlag, 2008.
16. M. Bailey, J. Oberheide, J. Andersen, Z. M. Mao, F. Jahanian, and J. Nazario, "Automated classification and analysis of internet malware," in Proc. of the 10th intl. conf. on Recent advances in intrusion detection, RAID'07, pp. 178-197, Springer-Verlag, 2007.
17. U. Bayer, P. M. Comparetti, C. Hlauschek, C. Krügel, and E. Kirda, "Scalable, behavior-based malware clustering," in Network and Distributed System Security Symposium, 2009.
18. C. Malone, M. Zahran, and R. Karri, "Are hardware performance counters a cost effective way for integrity checking of programs," in Proc. of the sixth ACM workshop on Scalable trusted computing, pp. 71-76, 2011.
19. Y. Xia, Y. Liu, H. Chen, and B. Zang, "Cfimon: Detecting violation of control flow integrity using performance counters," in Proc. of the 2012 42nd Annual IEEE/IFIP Intl. Conf. on Dependable Systems and Networks (DSN), pp. 1-12, 2012.
20. T. Sherwood, E. Perelman, G. Hamerly, S. Sair, and B. Calder, "Discovering and exploiting program phases," Micro, IEEE, Vol. 23, pp. 84-93, nov.-dec. 2003.
21. C. Isci, G. Contreras, and M. Martonosi, "Live, runtime phase monitoring and prediction on real systems with application too dynamic power management," in Proc. of the 39th Annual IEEE/ACM Intl. Symp. on Microarchitecture, pp. 359-370, 2006.
22. Y. Zhou and X. Jiang, "Dissecting android malware: Characterization and evolution," in Security and Privacy (SP), 2012 IEEE Symp. on, pp. 95-109, may 2012.
23. F. Matias, "Linux rootkit implementation," Dec 2011.
24. BlackHat Library, "Jynx rootkit2.0," Mar 2012.
25. T. Dumitras and D. Shou, "Toward a standard benchmark for computer security research: the worldwide intelligence network environment (wine)," in Proc. of the First Workshop on Building Analysis Datasets and Gathering Experience Returns for Security, pp. 89-96, ACM, 2011.
26. J. Demme, R. Martin, A. Waksman, and S. Sethumadhavan, "Side-Channel Vulnerability Factor: A Metric for Measuring Information Leakage," in The 39th Intl. Symp. on Computer Architecture, pp. 106-117, 2012.
27. A. M. Azab, P. Ning, and X. Zhang, "Sice: a hardware-level strongly isolated computing environment for x86 multi-core platforms," in Proc. of the 18th ACM conf. on Computer and communications security, (New York, NY, USA), pp. 375-388, ACM, 2011.