Identifying stealth malware using CPU power consumption and learning algorithms

Lucket, Patrick; McDonald, J. Todd; Glisson, William B.; Benton, Ryan; Dawson, Joel; Doyle, Blair A.

View/Open

Article (8.203Mb)

Date

2018

Author

Lucket, Patrick

McDonald, J. Todd

Glisson, William B.

Benton, Ryan

Dawson, Joel

Doyle, Blair A.

Metadata

Show full item record

Abstract

With the increased assimilation of technology into all aspects of everyday life, rootkits pose a credible threat to individuals, corporations, and governments. Using various techniques, rootkits can infect systems and remain undetected for extended periods of time. This threat necessitates the careful consideration of real-time detection solutions. Behavioral detection techniques allow for the identification of rootkits with no previously recorded signatures. This research examines a variety of machine learning algorithms, including Nearest Neighbor, Decision Trees, Neural Networks, and Support Vector Machines, and proposes a behavioral detection method based on low yield CPU power consumption. The method is evaluated onWindows 10, Ubuntu Desktop, and Ubuntu Server operating systems along with employing three different rootkits. Relevant features within the data are calculated and the overall best performing algorithms are identified. A nested neural network is then applied that enables highly accurate data classification. Our results present a viable method of rootkit detection that can operate in real-time with minimal computational and space complexity.

URI

https://hdl.handle.net/20.500.11875/2420

Collections

Description

This is a post-print version of this article to see the final version go to the following citation Patrick Luckett, J. Todd McDonald, William B. Glisson, Ryan Benton, Joel Dawson, Blair A. Doyle, "Identifying stealth malware using CPU power consumption and learning algorithms". Journal of Computer Security 26(2018) 589-613. DOI 10.3233/JCS-171060