DAMUS: Adaptively Updating Hardware Performance Counter Based Malware Detector Under System Resource Competition

ISCC (2023)

Abstract
Hardware performance counter (HPC) based malware detection (HMD) models, which learn HPC-level behavior using machine learning or deep learning algorithms, have been widely researched in various application scenarios. However, a program's HPC-level behavior is easily affected by system resource competition, which leaves a counter based malware detection model out of date. Unfortunately, current research cannot adaptively update the HMD model. In this paper, we propose DAMUS, a distribution-aware model updating strategy that adaptively updates a counter based malware detection model. Specifically, we first design an autoencoder with contrastive learning that maps existing samples into a low-dimensional space in which distributions can be calculated more reliably. Second, in the low-dimensional space, the distribution characteristics are calculated and then used to judge the drift of testing samples. Finally, based on the total determined drift of the testing samples and a threshold, a decision is made on whether the counter based malware detection model needs to be updated. We evaluate DAMUS by testing an HMD model on datasets collected in a benchmark application environment and in an actual server environment with different resource types and pressure levels. The experimental results show the advantages of DAMUS over existing updating strategies in promoting model updating. We also demonstrate the overhead it adds to the malware detection task.
Key words
Hardware Performance Counter, Malware Detection, Resource Competition, Model Updating
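
The second and third steps of the abstract (per-sample drift in the low-dimensional space, then an update decision from the total drift and a threshold) can be sketched as follows. This is an added example, not code from the DAMUS paper: it assumes latent vectors already produced by some trained encoder, and the centroid/MAD distance statistic, the function names and both threshold values are assumptions, since the abstract does not specify them.

```python
import math
from statistics import median

def fit_class_stats(latents_by_class):
    """Per class: centroid, median distance to the centroid, MAD of those distances."""
    stats = {}
    for label, vecs in latents_by_class.items():
        dim = len(vecs[0])
        centroid = [sum(v[i] for v in vecs) / len(vecs) for i in range(dim)]
        dists = [math.dist(v, centroid) for v in vecs]
        med = median(dists)
        mad = median(abs(d - med) for d in dists) or 1e-9  # guard against zero spread
        stats[label] = (centroid, med, mad)
    return stats

def drift_score(z, stats):
    """Robust z-score of the distance to the closest-fitting known class."""
    return min((math.dist(z, c) - med) / (1.4826 * mad)
               for c, med, mad in stats.values())

def needs_update(test_latents, stats, score_thr=3.5, ratio_thr=0.3):
    """Flag drifting samples, then compare the drifted fraction with a threshold."""
    drifted = sum(drift_score(z, stats) > score_thr for z in test_latents)
    ratio = drifted / len(test_latents)
    return ratio > ratio_thr, ratio

# Constructed 2-D latent vectors standing in for encoded HPC traces.
TRAIN = {
    "benign":  [(0.0, 0.1), (0.2, -0.1), (-0.1, 0.0), (0.1, 0.2), (-0.2, -0.2)],
    "malware": [(5.0, 5.1), (5.2, 4.9), (4.9, 5.0), (5.1, 5.2), (4.8, 4.8)],
}
# Constructed test batches: one collected without contention, one under pressure.
IDLE = [(0.1, 0.0), (-0.1, 0.1), (5.1, 5.0), (4.9, 5.1), (0.3, 0.3)]
CONTENDED = [(1.5, 1.2), (1.8, 1.4), (5.1, 5.0), (3.6, 3.9), (0.1, 0.0)]

if __name__ == "__main__":
    stats = fit_class_stats(TRAIN)
    for name, batch in (("idle", IDLE), ("contended", CONTENDED)):
        update, ratio = needs_update(batch, stats)
        print(f"{name}: drift ratio={ratio:.2f} update={update}")
```

A sample counts as drifting only when it fits none of the known classes, so a batch that merely changes its benign/malware mix does not trigger an update.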