Abstract

Malware detection remains one of the hard problems in computer security because new varieties of malware appear daily. Enormous effort has gone into developing a generalized solution to this critical security problem, but little has been done for the security of resource-constrained embedded devices. In this paper, we attempt to develop a lightweight malware detection tool explicitly designed for embedded platforms, using micro-architectural side-channel information obtained through Hardware Performance Counters (HPCs) together with high-level programs representing Operating System (OS) resources. The methodology uses statistical hypothesis testing, in the form of the t-test, to develop a metric, called $\lambda$, which indicates a conceptual boundary between the programs that are allowed to run on a given embedded platform and code suspected to be malware. The metric is computed from the observations obtained for carefully chosen features, which are tuples of high-level programs representing OS resources paired with low-level HPCs. The ideal $\lambda$-value for a malicious program is 1, as opposed to 0 for a benign application. In reality, however, how well $\lambda$ classifies a program as malware or benign depends largely on the proper assignment of weights to the tuples. We employ a gradient-descent-based learning mechanism to determine optimal choices for these weights. We present detailed experimental results on an embedded Linux running on an ARM processor, which validate that the proposed lightweight side-channel-based learning mechanism improves classification accuracy significantly compared to an ad-hoc selection of weights, yielding significantly low false positives and false negatives in all our test cases.
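The pipeline the abstract describes (a per-tuple t-test against a benign profile, a weighted $\lambda$ in [0, 1], weights fitted by gradient descent) is sketched below as an added illustrative example. It is not the paper's code: the abstract does not give the exact per-tuple statistic, the definition of $\lambda$ or the loss, so the choices here are assumptions, namely Welch's t-test with a fixed critical value, an indicator per tuple, a convex combination through softmax-parametrised weights, and a squared-error loss. The tuple names, counter means, jitter pattern and the four labelled programs are all constructed.

```python
"""Added example: a lambda-style malware metric from (OS-resource program, HPC) tuples.
Illustrates the approach in the abstract; not the paper's code. All names and values
below are constructed."""
import math

# Hypothetical (OS-resource program, hardware counter) tuples.
FEATURES = [
    ("file-io", "cache-misses"),
    ("file-io", "branch-misses"),
    ("net-io", "instructions"),
    ("net-io", "cache-misses"),
    ("sched", "context-switches"),
]

# Constructed stand-in for repeated HPC readings: a fixed zero-mean jitter pattern
# scaled by the counter's mean, so the example is deterministic without an RNG.
_JITTER = (-0.03, 0.02, -0.01, 0.03, -0.02, 0.01)


def readings(mean, rel_shift=0.0):
    """Six synthetic counter readings centred on mean * (1 + rel_shift)."""
    return [mean * (1.0 + rel_shift + j) for j in _JITTER]


# Constructed benign reference profile: one reading set per tuple.
REFERENCE_MEANS = [1200.0, 300.0, 50000.0, 900.0, 400.0]
REFERENCE = [readings(m) for m in REFERENCE_MEANS]

# Constructed labelled programs: per-tuple relative deviation from the profile and label
# (1 = malware, 0 = benign). "backup" is benign but I/O heavy, so its net-io and sched
# tuples move for a legitimate reason; an ad-hoc weighting mistakes it for malware.
PROGRAMS = {
    "editor":    ([0.004, -0.006, 0.002, -0.003, 0.005], 0),
    "backup":    ([-0.005, 0.003, 0.35, 0.40, 0.30], 0),
    "suspect-1": ([0.45, 0.60, -0.004, 0.006, -0.002], 1),
    "suspect-2": ([0.50, 0.40, 0.30, 0.35, 0.45], 1),
}


def observations(shifts):
    """Per-tuple reading sets for a program with the given relative shifts."""
    return [readings(m, s) for m, s in zip(REFERENCE_MEANS, shifts)]


def welch_t(sample, reference):
    """Welch's two-sample t statistic (unequal variances, n-1 denominators)."""
    na, nb = len(sample), len(reference)
    ma, mb = sum(sample) / na, sum(reference) / nb
    va = sum((x - ma) ** 2 for x in sample) / (na - 1)
    vb = sum((x - mb) ** 2 for x in reference) / (nb - 1)
    se = math.sqrt(va / na + vb / nb)
    if se == 0.0:
        return 0.0 if ma == mb else math.inf
    return (ma - mb) / se


def indicators(obs, t_crit=2.5):
    """1.0 for each tuple whose readings differ significantly from the benign profile.
    t_crit is a fixed cut-off, stricter than the two-sided 5% level at these sample sizes."""
    return [1.0 if abs(welch_t(x, r)) > t_crit else 0.0 for x, r in zip(obs, REFERENCE)]


def lam(ind, weights):
    """lambda = weighted share of deviating tuples; lies in [0, 1] when weights sum to 1."""
    return sum(w * d for w, d in zip(weights, ind))


def softmax(theta):
    m = max(theta)
    e = [math.exp(t - m) for t in theta]
    s = sum(e)
    return [x / s for x in e]


def learn_weights(data, steps=4000, lr=1.0):
    """Fit softmax-parametrised weights by gradient descent on mean squared error.
    data: list of (indicator vector, label). d lambda / d theta_j = w_j * (d_j - lambda)."""
    theta = [0.0] * len(FEATURES)
    for _ in range(steps):
        w = softmax(theta)
        grad = [0.0] * len(theta)
        for d, y in data:
            l = lam(d, w)
            err = l - y
            for j in range(len(theta)):
                grad[j] += 2.0 * err * w[j] * (d[j] - l) / len(data)
        theta = [t - lr * g for t, g in zip(theta, grad)]
    return softmax(theta)


def training_set():
    return [(indicators(observations(s)), y) for s, y in PROGRAMS.values()]


def evaluate(weights, threshold=0.5):
    """Return {program: (lambda, predicted label, true label)} for the constructed programs."""
    out = {}
    for name, (shifts, label) in PROGRAMS.items():
        value = lam(indicators(observations(shifts)), weights)
        out[name] = (value, int(value >= threshold), label)
    return out


def misclassified(weights):
    return sorted(n for n, (_, pred, label) in evaluate(weights).items() if pred != label)


if __name__ == "__main__":
    uniform = [1.0 / len(FEATURES)] * len(FEATURES)  # the "ad-hoc" choice
    learned = learn_weights(training_set())
    for tag, w in (("ad-hoc", uniform), ("learned", learned)):
        print(tag, "weights:", [round(x, 3) for x in w])
        for name, (value, pred, truth) in evaluate(w).items():
            print(f"  {name:10s} lambda={value:.3f} predicted={pred} actual={truth}")
        print("  misclassified:", misclassified(w))
```

With uniform weights the I/O-heavy benign program scores $\lambda = 0.6$ (a false positive) and the suspect that disturbs only the two file-io tuples scores 0.4 (a false negative). The learned weights concentrate on the two tuples that stay stable under legitimate load and drive the three load-sensitive tuples towards zero, after which both programs land close to their ideal values. The softmax parametrisation keeps the weights non-negative and summing to one, so $\lambda$ remains a value in [0, 1] throughout training.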
