Abstract

Leveraging side channels enables zero-overhead anomaly detection. These channels offer non-instrumented program profiling by means of the distinct signatures obtained from processing the unintentional signals emitted during execution. In this paper, we propose a Markov-based convolutional neural network (CNN) to monitor programs for anomalies on multi-core devices. We refer to the proposed framework as MarCNNet. In the model, the output of the CNN estimates the likelihood of the current state of the program, and the Markov model tracks the process based on these estimates. If the estimates do not match the Markov model's state diagram, the framework raises an anomaly alert; otherwise, it keeps monitoring. The framework also simplifies training, because the dependency among states is crucial for the Markov part of the model but not for the CNN; the neural network is therefore trained by treating each state independently. For a test signal, however, both the CNN and the Markov parts of the framework are used for malware detection in order to make use of the program flow. We tested the proposed model on various devices with different numbers of cores and process threads and demonstrated that the framework can detect malware with no false negatives and a false positive rate of less than 2%.
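The tracking step described in the abstract can be sketched as follows; this is an added illustration, not the MarCNNet implementation. The four states, the state diagram, the uniform transition probabilities, the `floor` and `patience` thresholds and the synthetic likelihood rows standing in for CNN output are all constructed assumptions.

```python
# Constructed, hypothetical program flow: ALLOWED[i][j] is 1 when state j may
# follow state i between two consecutive signal windows.
STATES = ["init", "loop_a", "loop_b", "exit"]
ALLOWED = [[1, 1, 0, 0],
           [0, 1, 1, 0],
           [0, 1, 1, 1],
           [0, 0, 0, 1]]
# Assumption: uniform probability over the allowed successors of each state.
A = [[a / sum(row) for a in row] for row in ALLOWED]

def monitor(likelihoods, start=0, floor=0.1, patience=2):
    """Return the first window index of an anomaly, or None if the trace fits.

    likelihoods: list of rows; row t stands in for the classifier's per-state
    likelihood estimate for signal window t.
    """
    n = len(STATES)
    belief = [1.0 if s == start else 0.0 for s in range(n)]
    misses = 0
    for t, p in enumerate(likelihoods):
        # States the diagram permits next, weighted by the current belief.
        predicted = [sum(belief[i] * A[i][j] for i in range(n)) for j in range(n)]
        # Agreement between the diagram's prediction and the estimate.
        joint = [predicted[j] * p[j] for j in range(n)]
        support = sum(joint)
        if support < floor:
            # Estimate contradicts the diagram: keep the last confirmed belief
            # and alert only after `patience` consecutive contradictions.
            misses += 1
            if misses >= patience:
                return t - patience + 1
        else:
            misses = 0
            belief = [x / support for x in joint]
    return None

def synthetic_estimates(state_ids, conf=0.9):
    """Constructed stand-in for CNN output: `conf` on one state, rest spread evenly."""
    rest = (1 - conf) / (len(STATES) - 1)
    return [[conf if s == sid else rest for s in range(len(STATES))]
            for sid in state_ids]

if __name__ == "__main__":
    benign = synthetic_estimates([0, 1, 1, 2, 1, 2, 3])
    glitch = synthetic_estimates([0, 1, 3, 1, 2, 3])    # one misclassified window
    deviant = synthetic_estimates([0, 1, 1, 3, 3, 3])   # loop_a -> exit is not an edge
    print(monitor(benign), monitor(glitch), monitor(deviant))
```

The `patience` threshold is what lets a single misclassified window pass without an alert while a sustained departure from the state diagram is flagged at the window where it began.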
