Accurate and Robust Malware Detection: Running XGBoost on Runtime Data From Performance Counters

Malware applications are one of the major threats that computing systems face today. While security researchers develop new defense mechanisms to detect malware, attackers continue to release new malware families that evade detection. New defense mechanisms must therefore be developed to effectively counter malware. Hardware performance counters (HPCs) have been recently proposed as a means to detect malware. However, recent work has also shown that malware detection is not effective when performance counters are sampled in realistic scenarios. We show how proper data preprocessing and the use of the XGBoost classifier can be used to improve the performance of malware detection using HPCs by at least 15%. We also show that the proposed method can detect malware early (shortly after its launch) by classifying HPC datastreams at short time intervals. In addition, we propose a multitemporal classification model that ensures the early detection of a high percentage of malware while maintaining overall low false positive rates. Finally, we show that through robust training, the XGBoost classifier shows up to 50x less vulnerability to adversarial attacks that are intended to undermine its malware detection performance.