Hydra: Robust Hardware-Assisted Malware Detection
Eli Propp, Seyed Majid Zahedi

TL;DR
Hydra enhances malware detection by dynamically scheduling diverse hardware event feature sets over time, significantly improving accuracy and reducing false positives compared to static approaches.
Contribution
Introduces Hydra, a novel method that schedules multiple hardware event feature sets over time to improve malware detection robustness.
Findings
Hydra achieves a 19.32% higher F1 score over single-feature models.
False positive rate is reduced by 60.23% with Hydra.
Dynamic feature set scheduling outperforms static monitoring strategies.
Abstract
Malware detection using Hardware Performance Counters (HPCs) offers a promising, low-overhead approach for monitoring program behavior. However, a fundamental architectural constraint, that only a limited number of hardware events can be monitored concurrently, creates a significant bottleneck, leading to detection blind spots. Prior work has primarily focused on optimizing machine learning models for a single, statically chosen event set, or on ensembling models over the same feature set. We argue that robustness requires diversifying not only the models, but also the underlying feature sets (i.e., the monitored hardware events) in order to capture a broader spectrum of program behavior. This observation motivates the following research question: Can detection performance be improved by trading temporal granularity for broader coverage, via the strategic scheduling of different feature…
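The following is an added illustration, not Hydra's own code or algorithm: a small Python model of the constraint the abstract describes, in which event sets that each fit the counter budget are time-multiplexed across sampling windows and per-set scores are fused into a verdict. The event names, the four-counter limit, the round-robin schedule, the ratio-based scores and the averaging fusion are all assumptions made for the example.

```python
from collections import deque
from itertools import cycle

# Constructed example: events of interest on a platform that can program only
# MAX_CONCURRENT_EVENTS counters at once (both values are assumptions), so the
# events must be split into feature sets and time-multiplexed across windows.
MAX_CONCURRENT_EVENTS = 4
FEATURE_SETS = [
    ("cache", ["L1D_MISS", "LLC_MISS", "DTLB_MISS", "ITLB_MISS"]),
    ("branch", ["BR_RETIRED", "BR_MISPRED", "RET_MISPRED", "CALL_RETIRED"]),
    ("pipeline", ["INSTR_RETIRED", "CYCLES", "UOPS_ISSUED", "STALL_CYCLES"]),
]

def schedule(feature_sets, n_windows, max_concurrent=MAX_CONCURRENT_EVENTS):
    """Round-robin the sets over sampling windows. Each set must fit in the
    counters; every event is then observed in only 1/len(sets) of the windows,
    which is the temporal-granularity cost of broader coverage."""
    for _, events in feature_sets:
        if len(events) > max_concurrent:
            raise ValueError(f"{events} needs more than {max_concurrent} counters")
    rotation = cycle(feature_sets)
    return [next(rotation) for _ in range(n_windows)]

def score(name, sample):
    """Assumed per-set detector: an anomaly score in [0, 1] computed from the
    set's own counters (a stand-in for a trained per-set model)."""
    num, den = {"cache": ("LLC_MISS", "L1D_MISS"),
                "branch": ("BR_MISPRED", "BR_RETIRED"),
                "pipeline": ("STALL_CYCLES", "CYCLES")}[name]
    return min(1.0, sample[num] / max(sample[den], 1))

def detect(samples, feature_sets, history=3, threshold=0.5):
    """Per window, score the set scheduled for that window and fuse the last
    `history` scores (one per set) by averaging them against a threshold."""
    plan = schedule(feature_sets, len(samples))
    recent, verdicts = deque(maxlen=history), []
    for (name, _), sample in zip(plan, samples):
        recent.append(score(name, sample))
        verdicts.append(sum(recent) / len(recent) >= threshold)
    return verdicts

# Constructed counter samples, one per window, following the schedule above;
# the last three windows mimic a sudden shift in cache, branch and stall behaviour.
SAMPLES = [
    {"L1D_MISS": 100, "LLC_MISS": 10}, {"BR_RETIRED": 1000, "BR_MISPRED": 50},
    {"CYCLES": 1000, "STALL_CYCLES": 100}, {"L1D_MISS": 100, "LLC_MISS": 90},
    {"BR_RETIRED": 1000, "BR_MISPRED": 700}, {"CYCLES": 1000, "STALL_CYCLES": 800},
]
```

Because each set is sampled only every third window, the fused verdict lags a behavioural shift by up to one full rotation, which is the granularity the abstract says is traded for coverage.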
Taxonomy
Topics: Advanced Malware Detection Techniques · Security and Verification in Computing · Software Testing and Debugging Techniques
