Hardware-based Malware Detectors (HMDs) have shown promise in detecting malicious workloads. However, current HMDs focus solely on the CPU core of a System-on-Chip (SoC) and therefore do not exploit the full potential of the hardware telemetry. In this paper, we propose XMD, an HMD that uses an expansive set of telemetry channels extracted from the different subsystems of the SoC. XMD exploits the thread-level profiling power of the CPU-core telemetry and the global profiling power of the non-core telemetry channels to achieve significantly better detection performance than currently used Hardware Performance Counter (HPC) based detectors. We leverage the manifold hypothesis to analytically prove the performance gains observed in XMD. We train and evaluate XMD using hardware telemetry collected from 904 benign applications and 1205 malware samples on a commodity Android Operating System (OS) based mobile device. XMD improves over currently used HPC-based detectors by 32.91% on the in-distribution test data. XMD achieves the best detection performance of 86.54% with a false positive rate of 2.9%, compared to the detection rate of 80% offered by the best-performing software-based Anti-Virus (AV) on VirusTotal on the same set of malware samples.