International Symposium on Research in Attacks, Intrusions and Defenses

Unsupervised Anomaly-Based Malware Detection Using Hardware Features



Abstract

Recent works have shown promise in detecting malware programs based on their dynamic microarchitectural execution patterns. Compared to higher-level features like OS and application observables, these microarchitectural features are efficient to audit and harder for adversaries to control directly in evasion attacks. These data can be collected at low overhead using the hardware performance counters (HPCs) widely available in modern processors. In this work, we advance the use of hardware-supported lower-level features to detect malware exploitation in an anomaly-based detector. This allows us to detect a wider range of malware, even zero-days. As we show empirically, the microarchitectural characteristics of benign programs are noisy, and the deviations exhibited by malware exploits are minute. We demonstrate that with careful selection and extraction of the features, combined with unsupervised machine learning, we can build baseline models of benign program execution and use these profiles to detect the deviations that occur as a result of malware exploitation. We show that detection of real-world exploitation of popular programs such as IE and Adobe PDF Reader on a Windows/x86 platform works well in practice. We also examine the limits and challenges of implementing this approach in the face of a sophisticated adversary attempting to evade anomaly-based detection. The proposed detector is complementary to previously proposed signature-based detectors, and the two can be used together to improve security.
