Hardware performance counters (HPCs) have been used for malware detection because of their low runtime overhead. Unfortunately, such detection models, whether implemented in software or in hardware, lose accuracy in environments where programs compete for resources under the operating system. In this paper, we propose a framework called CarePlus, which makes both kinds of implementation of hardware performance counter-based malware detection (HMD) resilient to resource competition. The core idea is to detect malware using invariants extracted from HPC-level behavior observed under resource competition. To achieve this, a benchmark-based resource pressure generator produces controlled resource competition environments in which the typical HPC-level behavior of a program is observed. A behavior representation network is then trained to map HPC-level behavior from any competition environment into a low-dimensional representation, so that software-implemented HMD models built on that representation detect malware regardless of the level of resource competition. Finally, an adapter projects the behavior representation obtained under competition into data that conforms to the training distribution of a hardware-implemented HMD model, which cannot be retrained. Using three datasets collected on different application systems (such as a server or a desktop) with different types and levels of resource competition, our experiments show that, compared with existing detection models, CarePlus improves the performance of both software-implemented and hardware-implemented HMD classifiers under resource competition. We also show that a classifier using CarePlus is insensitive to the choice of application system. Finally, we measure the computational overhead of CarePlus.
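The following constructed simulation, added here and not part of the paper or CarePlus, illustrates the problem the abstract describes and the notion of an HPC-level invariant: a detector trained on absolute counter values from an idle machine misclassifies malware once a co-running workload steals cycles, whereas a feature normalised per retired instruction keeps separating the two classes. The counter values, the benign/malware miss rates, the assumption that a co-runner only reduces instructions retired per window, and the hand-picked misses-per-thousand-instructions ratio are all simplifying assumptions; CarePlus learns its invariant representation with a network rather than using a fixed ratio.

```python
"""Constructed toy model of HPC drift under resource competition.

Not CarePlus code and not real counter data: every number below is an
assumption chosen to make the effect visible in a few lines.
"""
import random


def sample_counters(kind, pressure, rng, window_cycles=1_000_000):
    """Return one sample of two counters for a fixed sampling window.

    kind:     "benign" or "malware".
    pressure: share of the core taken by co-running programs, 0.0 (idle
              machine) to 1.0 (heavily contended). Assumption: competition
              only lowers the instructions retired per window, while the
              program's own misses-per-instruction stays roughly constant.
    """
    # Assumed per-program property: misses per thousand instructions (MPKI).
    base_mpki = {"benign": 2.0, "malware": 40.0}[kind]
    mpki = base_mpki * rng.uniform(0.9, 1.1)
    # Assumed effect of competition: instructions per cycle shrink linearly.
    ipc = 1.5 * (1.0 - 0.8 * pressure) * rng.uniform(0.95, 1.05)
    instructions = int(window_cycles * ipc)
    cache_misses = int(instructions * mpki / 1000.0)
    return {"instructions": instructions, "cache_misses": cache_misses}


def raw_classifier(sample, threshold=30_000):
    """Detector fitted on an idle machine: thresholds absolute misses per window."""
    return "malware" if sample["cache_misses"] > threshold else "benign"


def invariant_classifier(sample, threshold=15.0):
    """Detector on an invariant feature: misses per thousand instructions."""
    mpki = 1000.0 * sample["cache_misses"] / sample["instructions"]
    return "malware" if mpki > threshold else "benign"


def accuracy(classifier, pressure, n=200, seed=7):
    """Accuracy of `classifier` on a balanced, constructed sample set."""
    rng = random.Random(seed)
    correct = 0
    for i in range(n):
        kind = "malware" if i % 2 else "benign"
        correct += classifier(sample_counters(kind, pressure, rng)) == kind
    return correct / n


if __name__ == "__main__":
    for pressure in (0.0, 0.5, 0.9):
        print(f"pressure={pressure:.1f}  raw={accuracy(raw_classifier, pressure):.2f}"
              f"  invariant={accuracy(invariant_classifier, pressure):.2f}")
```

At pressure 0.9 the contended malware retires so few instructions that its absolute miss count falls below the idle-machine threshold, so the raw detector drops to chance on the malware half of the set while the normalised feature is unaffected. Real counters do not behave this cleanly (cache sharing, for example, raises a victim's miss rate), which is why the paper learns the invariant representation from data collected under generated pressure instead of picking a ratio by hand.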