ABSTRACT

Traditionally, Intrusion Detection Systems (IDSs) rely on the behavior of programs at the operating system level to detect malware. Most of these techniques use high-level semantic features such as function calls and system calls. Such features are susceptible to tampering by attackers operating at higher privilege levels; in particular, a rootkit may bypass intrusion detection by manipulating system data or operating system code. In this paper, a framework for profiling normal and malicious activity is proposed. The framework is based on Hardware Performance Counters (HPCs) and a hybrid IDS for malware detection. Extensive experiments have been conducted to study which HPCs are effective at distinguishing malware from normal applications. The performance of the proposed approach has been tested on Windows-based malware families and demonstrated a detection rate of 99%.
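To make the idea of HPC-based profiling with a hybrid IDS concrete, here is an added illustration (not the paper's code, and not its feature set or classifier). It assumes that each sampling window yields a vector of counter deltas for a few named counters, that counters are normalised per 1000 retired instructions to reduce dependence on window length, that the benign profile is the per-counter mean and standard deviation over windows of known-good software, and that "hybrid" means a misuse detector (ranges derived from labelled malicious windows) combined with an anomaly detector (z-score distance from the benign profile). All counter values below are constructed sample data.

```python
"""Hybrid HPC-based profiling sketch: added example, not the paper's method.

Assumptions (not from the paper): counter names, per-1000-instruction
normalisation, a misuse detector built from labelled malicious windows and
an anomaly detector built from a benign profile. All numbers are constructed.
"""
from statistics import mean, pstdev
from typing import Dict, List, Tuple

COUNTERS = ("branch_misses", "cache_misses", "page_faults")
Z_THRESHOLD = 3.0    # anomaly detector: flag windows > 3 sigma from the benign profile
SIG_TOLERANCE = 0.2  # misuse detector: widen observed malicious ranges by 20%

Window = Dict[str, int]
Profile = Dict[str, Tuple[float, float]]      # counter -> (mean, std-dev)
Signature = Dict[str, Tuple[float, float]]    # counter -> (low, high)

# Constructed per-window counter deltas from a benign workload (illustrative only).
BENIGN_WINDOWS: List[Window] = [
    {"instructions": 1_000_000, "branch_misses": 9_000,  "cache_misses": 4_000, "page_faults": 30},
    {"instructions": 2_000_000, "branch_misses": 17_000, "cache_misses": 9_000, "page_faults": 50},
    {"instructions": 1_500_000, "branch_misses": 14_250, "cache_misses": 5_250, "page_faults": 45},
    {"instructions": 800_000,   "branch_misses": 6_800,  "cache_misses": 3_600, "page_faults": 20},
    {"instructions": 1_200_000, "branch_misses": 11_400, "cache_misses": 4_200, "page_faults": 42},
]
# Constructed windows labelled malicious (high cache-miss and page-fault rates).
MALICIOUS_WINDOWS: List[Window] = [
    {"instructions": 500_000, "branch_misses": 6_000, "cache_misses": 25_000, "page_faults": 250},
    {"instructions": 700_000, "branch_misses": 9_100, "cache_misses": 42_000, "page_faults": 420},
]
# Constructed windows to classify: one benign-like, one matching the signature,
# one anomalous (very high branch-miss rate) but matching no known signature.
TEST_WINDOWS: Dict[str, Window] = {
    "benign_like": {"instructions": 900_000,   "branch_misses": 8_100,  "cache_misses": 3_600,  "page_faults": 27},
    "known_bad":   {"instructions": 600_000,   "branch_misses": 7_200,  "cache_misses": 33_000, "page_faults": 300},
    "unknown_bad": {"instructions": 1_000_000, "branch_misses": 30_000, "cache_misses": 4_000,  "page_faults": 30},
}


def normalise(window: Window) -> Dict[str, float]:
    """Express each counter as events per 1000 retired instructions."""
    instr = window["instructions"]
    return {c: window[c] / instr * 1000.0 for c in COUNTERS}


def build_profile(windows: List[Window]) -> Profile:
    """Benign profile: mean and population std-dev of each normalised counter."""
    rates = [normalise(w) for w in windows]
    return {c: (mean([r[c] for r in rates]), pstdev([r[c] for r in rates])) for c in COUNTERS}


def anomaly_score(profile: Profile, window: Window) -> float:
    """Largest per-counter |z| distance from the benign profile."""
    rates = normalise(window)
    return max(abs(rates[c] - mu) / max(sigma, 1e-9) for c, (mu, sigma) in profile.items())


def build_signature(windows: List[Window], tolerance: float = SIG_TOLERANCE) -> Signature:
    """Misuse signature: observed [min, max] of each normalised counter, widened by tolerance."""
    rates = [normalise(w) for w in windows]
    return {c: (min(r[c] for r in rates) * (1 - tolerance),
                max(r[c] for r in rates) * (1 + tolerance)) for c in COUNTERS}


def matches_signature(signature: Signature, window: Window) -> bool:
    rates = normalise(window)
    return all(lo <= rates[c] <= hi for c, (lo, hi) in signature.items())


def classify(profile: Profile, signatures: List[Signature], window: Window,
             z_threshold: float = Z_THRESHOLD) -> str:
    """Hybrid verdict: a signature match wins; otherwise fall back to the anomaly score."""
    if any(matches_signature(s, window) for s in signatures):
        return "malicious"
    if anomaly_score(profile, window) > z_threshold:
        return "anomalous"
    return "benign"


PROFILE = build_profile(BENIGN_WINDOWS)
SIGNATURES = [build_signature(MALICIOUS_WINDOWS)]

if __name__ == "__main__":
    for name, w in TEST_WINDOWS.items():
        print(f"{name:12s} z={anomaly_score(PROFILE, w):7.1f} verdict={classify(PROFILE, SIGNATURES, w)}")
```

The split between the two detectors is the point of the hybrid design: the misuse component only recognises HPC patterns already seen in labelled malware, while the anomaly component catches windows far from the benign profile even when no signature exists, at the cost of false positives on unusual but legitimate workloads, which is why the threshold and the normalisation choice matter in practice.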