XMD: An Expansive Hardware-telemetry based Mobile Malware Detector to enhance Endpoint Detection
Harshit Kumar, Biswadeep Chakraborty, Sudarshan Sharma, Saibal Mukhopadhyay

TL;DR
XMD is a novel hardware-telemetry based mobile malware detector that leverages telemetry from multiple SoC subsystems to significantly outperform existing CPU-core-focused detectors in both accuracy and false positive rate.
Contribution
The paper introduces XMD, a hardware-telemetry based malware detector that utilizes expanded telemetry channels from multiple SoC subsystems, improving detection performance over existing HPC-based methods.
Findings
XMD improves detection accuracy by 32.91% over HPC-based detectors.
XMD achieves 86.54% detection rate with 2.9% false positives.
XMD outperforms signature-based Anti-Virus solutions on malware detection.
Abstract
Hardware-based Malware Detectors (HMDs) have shown promise in detecting malicious workloads. However, current HMDs focus solely on the CPU core of a System-on-Chip (SoC) and therefore do not exploit the full potential of the hardware telemetry. In this paper, we propose XMD, an HMD that uses an expansive set of telemetry channels extracted from the different subsystems of an SoC. XMD exploits the thread-level profiling power of the CPU-core telemetry and the global profiling power of the non-core telemetry channels to achieve significantly better detection performance than currently used Hardware Performance Counter (HPC) based detectors. We leverage the manifold hypothesis to analytically prove that adding non-core telemetry channels improves the separability of the benign and malware classes, resulting in performance gains. We train and evaluate XMD using hardware…
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Anomaly Detection Techniques and Applications
