MALWARE EARLY-STAGE DETECTION USING MACHINE LEARNING ON HARDWARE PERFORMANCE COUNTERS

Abstract

Systems affected by Malware in the past 10 years has risen from 29 million to 780 million, which tells us it’s a rapidly growing threat. Viruses, ransomware, worms, backdoors, botnets etc. all come under malware. Ransomware alone is predicted to cost $11.5 billion in 2019. As the downtime and financial damages are rising the researchers are finding new ways to tackle this threat. However, the usual approach is prone to high false positive rate or delayed detection rate. This research explores a dynamic approach for early-stage malware detection by modeling it’s behavior using hardware performance counters with low overhead. The analysis begins on a bare-metal machine running malware which is profiled for hardware calls using Intel VTune before it infects the system. By using this system design, I am able to generate models from data extracted using hardware performance counters and use it to train the system using machine learning techniques from known malware samples collected from VirusTotal and Hybrid Analysis.