Abstract

Malware, short for malicious software, is a general collective term for any program that gains access to a system without the knowledge of the owner and fulfills the malicious intent of an attacker. Over the past few years, various techniques have been proposed that focus on the run-time behavior of programs in order to dynamically detect malware. Most of these techniques rely on the analysis of system call traces provided by the underlying operating system. An alternative and promising approach is to perform malware detection at the hardware level. In this paper, we pursue this line of research by presenting Akoman, a novel technique that uses hardware events in current modern processors to build behavioral models of malware. Akoman follows a two-stage heuristic matching strategy to rapidly determine whether or not a running program belongs to a known malware family. It first applies the singular value decomposition to select the candidate malware families that the running program is most likely to belong to. Then, it applies the Haar-based discrete wavelet transform to determine whether the running program is benign or matches one of the selected candidate malware families. Our proof-of-concept evaluations, performed on a real dataset of benign programs and malware samples, suggest that Akoman achieves negligible overhead with acceptable detection performance.
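The second stage of the matching strategy described above, as an added illustration that is not code from the paper or its authors: a Haar wavelet coefficient vector is computed for a trace of hardware event counts and compared with the templates of the families that a (here assumed already completed) SVD-based candidate-selection stage returned. The event, the per-window counts, the family names and the distance threshold are constructed sample values.

```python
import math

# Constructed sample data (not from the paper): per-window counts of one
# hardware event, e.g. branch misses, sampled over 8 equal time windows.
FAMILY_TRACES = {
    "family_A": [[40, 42, 900, 880, 41, 39, 910, 905],
                 [38, 44, 880, 895, 40, 42, 900, 890]],
    "family_B": [[500, 510, 505, 495, 120, 130, 125, 118],
                 [505, 498, 512, 500, 122, 128, 130, 120]],
}

def haar_dwt(signal):
    """Full Haar decomposition of a series whose length is a power of two.
    Returns [coarsest approximation] + detail coefficients, coarse to fine."""
    n = len(signal)
    if n == 0 or n & (n - 1):
        raise ValueError("trace length must be a power of two")
    approx, details = list(signal), []
    while len(approx) > 1:
        pairs = list(zip(approx[0::2], approx[1::2]))
        # Orthonormal Haar step: prepend this level's details so coarse ones lead.
        details = [(a - b) / math.sqrt(2) for a, b in pairs] + details
        approx = [(a + b) / math.sqrt(2) for a, b in pairs]
    return approx + details

def family_template(traces):
    """Per-family template: mean Haar coefficient vector of its known samples."""
    coeffs = [haar_dwt(t) for t in traces]
    return [sum(col) / len(col) for col in zip(*coeffs)]

def distance(u, v):
    """Euclidean distance between two coefficient vectors."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(u, v)))

def classify(trace, candidates, templates, threshold):
    """Stage two: match a running program's trace against the candidate families
    chosen by stage one; return the closest family, or 'benign' if none lies
    within the distance threshold (an assumed, constructed tuning value)."""
    x = haar_dwt(trace)
    best = min(candidates, key=lambda f: distance(x, templates[f]))
    return best if distance(x, templates[best]) <= threshold else "benign"

TEMPLATES = {name: family_template(t) for name, t in FAMILY_TRACES.items()}

if __name__ == "__main__":
    # A fresh trace resembling family_A, then a flat trace of a benign program.
    print(classify([41, 40, 895, 890, 42, 40, 905, 900],
                   ["family_A", "family_B"], TEMPLATES, 100.0))
    print(classify([100] * 8, ["family_A", "family_B"], TEMPLATES, 100.0))
```

Because the Haar transform is orthonormal, distances in coefficient space equal distances between the raw traces; the transform earns its keep when only a subset of coefficients (e.g. the coarse ones) is kept to suppress sampling noise.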
