A Theoretical Study of Hardware Performance Counters-Based Malware Detection
IEEE Transactions on Information Forensics and Security (IF 6.8), Pub Date: 2019-06-24, DOI: 10.1109/tifs.2019.2924549
Kanad Basu, Prashanth Krishnamurthy, Farshad Khorrami, Ramesh Karri

Malware can range from simple adware to stealthy kernel control-flow modifying rootkits. Although anti-virus software is popular, an ongoing cat-and-mouse cycle of anti-virus development and malware that thwarts the anti-virus has ensued. More recently, trusted hardware-based malware detection techniques are being developed on the premise that software-based defenses are easier to bypass than hardware-based counterparts. One such approach is the use of hardware performance counters (HPCs) to detect malware on Linux and Android platforms. This paper, for the first time, presents an analytical framework to investigate the security provided by HPC-based malware detection techniques. The HPC readings are periodically monitored over the duration of the program execution and compared with a golden HPC reading. We develop a mathematical framework to investigate the probability of malware detection when HPCs are monitored at a pre-determined sampling interval. In other words, given a program, a set of HPCs, and a sampling rate, the framework can be employed to analyze the probability of malware detection.

Updated: 2020-04-22