Salus: Stackelberg Games for Malware Detection with Microarchitectural Events

Abstract

Microarchitectural events have been the subject of previous investigations for malware detection. While some studies assert the effectiveness of utilizing hardware events in detecting malware, others contend that they may not be beneficial for this purpose. We argue and empirically show that the efficacy of using hardware events for malware detection relies on accurately selecting hardware events during detector training. Through rigorous analysis, we demonstrate that the conventional approach of selecting a single subset of hardware events for training a malware detection model is insufficient for creating a robust system capable of effectively handling all types of malware, even when using a ensemble of powerful classifiers. Accordingly, we propose the use of multiple subsets of hardware events, each dedicated to training a distinct malware detection model. Since only a single subset of events can be monitored at any given time, we adopt a game-theoretic approach to determine the optimal strategy for selecting the subset of hardware events to be monitored. In addition to the theoretical analysis of our approach, we empirically demonstrate its effectiveness by comparing it to other baselines.