XMD: An Expansive Hardware-telemetry based Malware Detector to enhance Endpoint Detection
Hardware-based Malware Detectors (HMDs) have shown promise in detecting malicious workloads. However, current HMDs focus solely on the CPU core of a System-on-Chip (SoC) and therefore do not exploit the full potential of the available hardware telemetry. In this paper, we propose XMD, an HMD that operates on an expansive set of telemetry channels extracted from the different subsystems of an SoC. Key innovations in XMD are guided by analytical theorems that leverage the manifold hypothesis. XMD exploits the thread-level profiling power of the CPU-core telemetry and the global profiling power of the non-core telemetry channels to achieve significantly better detection performance and concept-drift robustness than currently used Hardware Performance Counter (HPC) based detectors. We train and evaluate XMD using hardware telemetry collected from 904 benign applications and 1205 malware samples. XMD improves over currently used HPC-based detectors by 32.91 67.57 performance of 86.54 detection rate of 80 Anti-Virus (AV) on VirusTotal, on the same set of malware samples.
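The abstract's central design point is that thread-level CPU-core counters and SoC-wide non-core channels carry different kinds of signal and should be consumed together. The example below is added here and is not code from the XMD paper or its authors: it joins per-thread core samples with the non-core samples from the same time window into one feature vector, then classifies windows with a z-scored nearest-centroid rule. The channel names (branch misses, LLC misses, memory bandwidth, GPU utilisation, DMA bytes), the sampling intervals, the labels and every number are constructed for illustration; the real paper's feature set and model are not reproduced.

```python
"""Added example, not code from the XMD paper: build one feature vector per
(thread, time window) by joining per-thread CPU-core counters with SoC-wide
non-core telemetry from the same window, then classify windows with a
z-scored nearest-centroid rule. Channel names, sampling intervals and every
number below are constructed for illustration."""
from math import dist
from statistics import mean, pstdev

# Constructed per-thread core samples: (t_ms, tid, instructions, branch_misses, llc_misses)
CORE_SAMPLES = [
    (0, 1, 1000, 10, 5), (50, 1, 1000, 12, 7),        # tid 1, labelled benign
    (100, 1, 1000, 11, 6), (150, 1, 1000, 9, 5),
    (200, 7, 1000, 15, 90), (250, 7, 1000, 17, 110),  # tid 7, labelled malicious (memory-heavy)
    (300, 7, 1000, 14, 95), (350, 7, 1000, 16, 105),
    (400, 9, 1000, 13, 98), (450, 9, 1000, 15, 102),  # tid 9, unlabelled
    (500, 3, 1000, 10, 6), (550, 3, 1000, 12, 5),     # tid 3, unlabelled
]
# Constructed SoC-wide non-core samples: (t_ms, mem_bw_gbps, gpu_util_pct, dma_bytes)
NONCORE_SAMPLES = [
    (0, 1.0, 3.0, 500), (50, 1.2, 3.0, 600),
    (100, 1.1, 2.0, 550), (150, 0.9, 2.5, 450),
    (200, 8.0, 3.0, 9000), (250, 8.5, 3.5, 9500),
    (300, 7.5, 3.0, 8800), (350, 8.2, 2.8, 9200),
    (400, 7.9, 3.1, 9100), (450, 8.1, 3.0, 9300),
    (500, 1.0, 2.5, 520), (550, 1.1, 3.0, 480),
]


def fuse_window(core, noncore, tid, t0, t1):
    """Feature vector for thread `tid` over [t0, t1):
    core part     = per-instruction miss rates (thread-local signal),
    non-core part = mean of each SoC-wide channel in the window (global signal,
                    shared by every thread that ran in that window).
    Raises if either channel group has no sample in the window, so a caller
    never silently trains on a half-empty vector."""
    own = [s for s in core if s[1] == tid and t0 <= s[0] < t1]
    glob = [s for s in noncore if t0 <= s[0] < t1]
    if not own or not glob:
        raise ValueError(f"window [{t0},{t1}) lacks core or non-core samples for tid {tid}")
    instr = sum(s[2] for s in own)
    core_feats = [sum(s[3] for s in own) / instr, sum(s[4] for s in own) / instr]
    noncore_feats = [mean(s[i] for s in glob) for i in (1, 2, 3)]
    return core_feats + noncore_feats


class NearestCentroid:
    """Minimal classifier: z-score each feature with training statistics
    (so bytes and rates are comparable), then pick the closest class centroid."""

    def fit(self, vectors, labels):
        cols = list(zip(*vectors))
        self.mu = [mean(c) for c in cols]
        self.sigma = [pstdev(c) or 1.0 for c in cols]  # constant column -> leave unscaled
        grouped = {}
        for v, lab in zip(vectors, labels):
            grouped.setdefault(lab, []).append(self._scale(v))
        self.centroids = {lab: [mean(c) for c in zip(*vs)] for lab, vs in grouped.items()}
        return self

    def _scale(self, v):
        return [(x - m) / s for x, m, s in zip(v, self.mu, self.sigma)]

    def predict(self, v):
        z = self._scale(v)
        return min(self.centroids, key=lambda lab: dist(z, self.centroids[lab]))


def build_detector():
    """Train on the four labelled (tid, t0, t1) windows and return the classifier."""
    windows = [(1, 0, 100, "benign"), (1, 100, 200, "benign"),
               (7, 200, 300, "malicious"), (7, 300, 400, "malicious")]
    vecs = [fuse_window(CORE_SAMPLES, NONCORE_SAMPLES, tid, t0, t1) for tid, t0, t1, _ in windows]
    return NearestCentroid().fit(vecs, [w[3] for w in windows])


def classify(tid, t0, t1, detector=None):
    """Label one unlabelled window using the fused core + non-core features."""
    detector = detector or build_detector()
    return detector.predict(fuse_window(CORE_SAMPLES, NONCORE_SAMPLES, tid, t0, t1))


if __name__ == "__main__":
    print(fuse_window(CORE_SAMPLES, NONCORE_SAMPLES, 1, 0, 100))
    print(classify(9, 400, 500), classify(3, 500, 600))
```

The join key is the time window, not the thread: core features are attributable to one thread, while the non-core means describe the whole SoC during that window and are identical for every thread active then. That asymmetry is why a detector must decide how to weight a global anomaly against thread-local evidence, and the explicit `ValueError` keeps a window with a missing channel group out of training rather than letting it enter as a vector with silently defaulted zeros.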