Robust Hardware-Assisted Malware Detection

dc.contributor.author: Propp, Eli
dc.date.accessioned: 2026-04-20T14:58:04Z
dc.date.available: 2026-04-20T14:58:04Z
dc.date.issued: 2026-04-20
dc.date.submitted: 2026-04-10
dc.description.abstract: Malware detection using hardware performance counters (HPCs) offers a promising, low-overhead approach for monitoring program behaviour, as shown in prior work. However, a fundamental architectural constraint, that only a limited number of hardware events can be monitored concurrently, creates a significant bottleneck, leading to detection blind spots. Prior work has primarily focused on optimizing machine learning models for a single, statically chosen event set, or an ensemble of models over the same feature set. We argue that robustness requires diversifying not only the models, but also the underlying feature sets (i.e., the monitored hardware events) in order to capture a broader spectrum of program behaviour. This observation motivates the following research question: Can detection performance be improved by trading temporal granularity for broader coverage, via the strategic scheduling of different feature sets over time? To answer this question, this thesis proposes Hydra, a novel detection mechanism that partitions execution traces into time slices and learns an effective, stochastic schedule of feature sets and corresponding classifiers for deployment. By cycling through complementary feature sets, Hydra mitigates the limitations of a fixed monitoring perspective. Experimental evaluation shows that Hydra significantly outperforms state-of-the-art single-feature-set baselines, achieving at least a 19.32% improvement in F1 score and a 60.23% reduction in false positive rate. These results underscore the importance of feature-set diversity and establish strategic multi-feature-set scheduling as an effective principle for robust, hardware-assisted malware detection.
dc.identifier.uri: https://hdl.handle.net/10012/23022
dc.language.iso: en
dc.pending: false
dc.publisher: University of Waterloo [en]
dc.title: Robust Hardware-Assisted Malware Detection
dc.type: Master Thesis
uws-etd.degree: Master of Applied Science
uws-etd.degree.department: Electrical and Computer Engineering
uws-etd.degree.discipline: Electrical and Computer Engineering
uws-etd.degree.grantor: University of Waterloo [en]
uws-etd.embargo.terms: 0
uws.contributor.advisor: Zahedi, Seyed Majid
uws.contributor.affiliation1: Faculty of Engineering
uws.peerReviewStatus: Unreviewed [en]
uws.published.city: Waterloo [en]
uws.published.country: Canada [en]
uws.published.province: Ontario [en]
uws.scholarLevel: Graduate [en]
uws.typeOfResource: Text [en]

Files

Original bundle

Name: Propp_Eli.pdf
Size: 464.68 KB
Format: Adobe Portable Document Format
