Kadiyala, S. P., Kartheek, A., & Truong-Huu, T. (2020). Program Behavior Analysis and Clustering using Performance Counters. Proceedings of the 2020 Workshop on DYnamic and Novel Advances in Machine Learning and Intelligent Cyber Security. https://doi.org/10.1145/3477997.3478011
Abstract:
Understanding the dynamic behavior of computer programs during normal working conditions is an important task, which has multiple security benefits such as the development of behavior-based anomaly detection, vulnerability discovery and patching. Existing works achieved this goal by collecting and analyzing various data including network traffic, system calls, instruction traces, etc. In this paper, we explore the use of a new type of data, performance counters, to analyze the dynamic behavior of programs. Using existing primitives, we develop a tool named perfextract to capture data from different performance counters for a program during its startup time, thus forming multiple time series to represent the dynamic behavior of the program. We analyze the collected data and develop a clustering algorithm that allows us to classify each program using its performance counter time series into a specific group and to identify the intrinsic behavior of that group. We carry out extensive experiments with 18 real-world programs that belong to 4 groups including web browsers, text editors, image viewers and audio players. The experimental results show that the examined programs can be accurately differentiated based on their performance counter data regardless of whether programs are run in physical or virtual environments.
License type:
Publisher Copyright
Funding Info:
This research / project is supported by the Agency for Science, Technology and Research - RIE2020 AME
Grant Reference no.: A1916g2047