
XMD: An Expansive Hardware-telemetry based Mobile Malware Detector to enhance Endpoint Detection

Harshit Kumar, Biswadeep Chakraborty, Sudarshan Sharma, Saibal Mukhopadhyay

TL;DR

XMD addresses the limitations of CPU-centric hardware malware detectors by leveraging an expansive set of hardware telemetry across SoC subsystems. Grounded in the manifold hypothesis, it proves that fusing diverse telemetry channels increases the separability of benign and malware classes, and validates this with a bare-metal Pixel 3 dataset (1033 malware, 723 benign). Empirically, XMD outperforms HPC-only detectors, achieving up to 86.54% detection with 2.9% FPR and surpassing VirusTotal AV on the same samples, though it remains below specialized Android detectors. The work demonstrates that system-wide telemetry can broaden the attack space covered by HMDs and offers a promising, complementary approach for robust, low-overhead mobile malware detection.

Abstract

Hardware-based Malware Detectors (HMDs) have shown promise in detecting malicious workloads. However, the current HMDs focus solely on the CPU core of a System-on-Chip (SoC) and, therefore, do not exploit the full potential of the hardware telemetry. In this paper, we propose XMD, an HMD that uses an expansive set of telemetry channels extracted from the different subsystems of the SoC. XMD exploits the thread-level profiling power of the CPU-core telemetry and the global profiling power of non-core telemetry channels to achieve significantly better detection performance than currently used Hardware Performance Counter (HPC) based detectors. We leverage the manifold hypothesis to analytically prove that adding non-core telemetry channels improves the separability of the benign and malware classes, resulting in performance gains. We train and evaluate XMD using hardware telemetry collected from 723 benign applications and 1033 malware samples on a commodity Android Operating System (OS)-based mobile device. XMD improves over currently used HPC-based detectors by 32.91% for the in-distribution test data. XMD achieves the best detection performance of 86.54% with a false positive rate of 2.9%, compared to the detection rate of 80% offered by the best performing signature-based Anti-Virus (AV) on VirusTotal, on the same set of malware samples.

Paper Structure (24 sections, 7 equations, 8 figures, 8 tables)

Figures (8)

  • Figure 1: Comprehensive cross-stack monitoring performed by modern Endpoint Detection: [Left] Software-based malware detection approaches, [Right] Proposed XMD operating on an expansive set of telemetry channels.
  • Figure 2: 2-D visualization of Benign [green] vs. Malware [red] classification using manifolds: (a) candidate hyperplanes that can separate the benign and malware manifolds, (b) classification task with overlapping manifolds, (c) solution space of the hyperplanes for case-a (easier classification problem) and for case-b (difficult classification problem).
  • Figure 3: Creating the classifiers: (a) Feature engineering steps for GLOBL channels, (b) feature engineering steps for the HPC groups, (c) Late stage fusion for merging the decisions of the base detectors
  • Figure 4: Runtime for different iterations of malware and benign applications (using Logcat)
  • Figure 5: F1-score for HPC-groups and GLOBL channels