HEAVEN: A Hardware-Enhanced AntiVirus ENgine to accelerate real-time, signature-based malware detection

Antiviruses (AVs) are computing-intensive applications that rely on constant monitoring of OS events and on applying pattern matching procedures on binaries to detect malware. In this paper, we introduce HEAVEN, a framework for Intel x86/x86-64 and MS Windows that combines hardware and software to i...

Full description

Saved in:
Bibliographic Details
Published in:Expert systems with applications 2022-09, Vol.201, p.117083, Article 117083
Main Authors: Botacin, Marcus, Alves, Marco Zanata, Oliveira, Daniela, Grégio, André
Format: Article
Language:English
Subjects:
Anti-virus software
Antivirus
Branch prediction
Central processing units
Computer memory
CPUs
Hardware
Malware
Pattern matching
Signatures
Software
Workflow
Citations: Items that this one cites
Items that cite this one
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Antiviruses (AVs) are computing-intensive applications that rely on constant monitoring of OS events and on applying pattern matching procedures on binaries to detect malware. In this paper, we introduce HEAVEN, a framework for Intel x86/x86-64 and MS Windows that combines hardware and software to improve AVs performance. HEAVEN workflow consists of a hardware-assisted signature matching process as its first step (triage), which is fast, and only invokes the software-based AV when the software is suspicious, i.e., with an unknown hardware signature for malignity. We implement a PoC for HEAVEN by instrumenting Intel’s x86/x86-64 branch predictor, which allows for the generation of malware signatures based on branch pattern history. To validate our PoC, we evaluate HEAVEN with a dataset composed of 10,000 malware and 1,000 benign software samples from different categories and accomplished malware detection rates of 100% (no false-positives). The detection occurred before the execution of 10% of the samples’ code. HEAVEN is designed to be memory efficient: it identified unique 32-bit signatures for each sample at the storage cost of only 35KB of SRAM. HEAVEN is also designed with processing efficiency in mind: its hardware extensions present negligible performance overhead and reduces the average workload of the chosen software AV counterpart (ClamWin)—10% for CPU usage, 5.61% for memory throughput, 16.22% for disk writes, and 20.22% for disk reads. With HEAVEN, we may decrease the number of CPU cycles used for malware scanning by 87.5%, which is a promising result regarding the feasibility of our proposal: the combination of hardware-/software-based AVs for practical and effective malware detection that flags suspicious software while posing negligible performance overhead. •Real-time AntiViruses (AVs) become performance-prohibitive if purely implemented in software.•A Hardware–Software collaborative AV might fully mitigate the overhead of real-time AV monitoring.•Branch patterns might be used as fingerprint of known malicious code execution.•The Branch Prediction Unit (BPU) might be instrumented to fingerprint applications without much redesign.•Hardware-assisted Avs can support software updates to not break current AV’s operation modes.
ISSN:0957-4174
1873-6793
DOI:10.1016/j.eswa.2022.117083