A Survey on Malware Detection Technology Based on Hardware Performance Counter
DOI: 10.12677/CSA.2022.1212294. Supported by national science and technology funding.
Authors: Hu Yanfei (School of Cyber Security, University of Chinese Academy of Sciences, Beijing; Institute of Information Engineering, Chinese Academy of Sciences, Beijing); Wen Yu (Institute of Information Engineering, Chinese Academy of Sciences, Beijing)
Keywords: Malware, Hardware Performance Counter, Malware Detection
Abstract: As more and more tasks are handled by computer systems and mobile devices, a large number of applications have entered people's lives, and with them comes a growing volume of malware. In this regard, the drawbacks of mainstream malware detection technologies have become prominent, while malware detection based on hardware performance counters is increasingly adopted in the security field because of its unique advantages. This paper therefore first introduces the definition and classification of current malware together with the attack and defense trends around it, then discusses the basic modules of malware detection technology based on hardware performance counters and explains the difficult problems in each of these technologies, then surveys the research status of malware detection technology based on hardware performance counters, and finally summarizes and looks ahead to its future development.
Citation: Hu, Y.F. and Wen, Y. (2022) A Survey on Malware Detection Technology Based on Hardware Performance Counter. Computer Science and Application, 12(12), 2896-2909. https://doi.org/10.12677/CSA.2022.1212294