Hardware-based Malware Detectors (HMDs) have shown promise in detecting malicious workloads. However, current HMDs focus solely on the CPU core of a System-on-Chip (SoC) and therefore do not exploit the full potential of the available hardware telemetry. In this paper, we propose XMD, an HMD that uses an expansive set of telemetry channels extracted from the different subsystems of the SoC. XMD combines the thread-level profiling power of CPU-core telemetry with the global profiling power of non-core telemetry channels to achieve significantly better detection performance than the Hardware Performance Counter (HPC)-based detectors in use today. We leverage the manifold hypothesis to analytically prove that adding non-core telemetry channels improves the separability of the benign and malware classes, which is the source of the performance gain. We train and evaluate XMD on hardware telemetry collected from 723 benign applications and 1033 malware samples on a commodity Android Operating System (OS)-based mobile device. XMD improves over currently used HPC-based detectors by 32.91% on the in-distribution test data. XMD achieves its best detection rate of 86.54% at a false positive rate of 2.9%, compared to the 80% detection rate offered by the best-performing signature-based Anti-Virus (AV) engine on VirusTotal on the same set of malware samples.
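The separability argument above can be made concrete with a small constructed experiment. The following example is added here and is not the paper's code, dataset, or classifier; it builds synthetic telemetry in which benign and malicious workloads look almost identical on a single core-HPC channel but differ on a non-core channel, trains a Fisher linear discriminant (a stand-in for whatever model XMD uses, which the abstract does not specify) on the core channel alone and on both channels, and reports the detection rate at a fixed false positive rate, the way the abstract reports its 86.54% at 2.9%. The channel semantics and the Gaussian distributions are assumptions chosen for illustration.

```python
"""Constructed illustration: appending a non-core telemetry channel to a
core-only feature vector improves benign/malware separability.
Pure Python, no external dependencies. Synthetic data only."""
import random
from typing import Dict, List, Sequence, Tuple

Sample = Tuple[List[float], int]  # (feature vector, label: 0 = benign, 1 = malware)


def make_dataset(n_per_class: int = 2000, seed: int = 7) -> List[Sample]:
    """Constructed telemetry (an assumption, not measured data).
    Channel 0 mimics a CPU-core HPC (e.g. normalised instruction rate) on which
    both classes look alike; channel 1 mimics a non-core channel (e.g. memory
    subsystem activity) whose distribution differs between the classes."""
    rng = random.Random(seed)
    data: List[Sample] = []
    for _ in range(n_per_class):
        data.append(([rng.gauss(0.0, 1.0), rng.gauss(0.0, 1.0)], 0))
        data.append(([rng.gauss(0.3, 1.0), rng.gauss(2.5, 1.0)], 1))
    rng.shuffle(data)
    return data


def _solve(a: List[List[float]], b: List[float]) -> List[float]:
    """Gaussian elimination with partial pivoting for a small dense system a.x = b."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                for c in range(col, n + 1):
                    m[r][c] -= f * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]


def fisher_direction(train: Sequence[Sample], channels: Sequence[int]) -> List[float]:
    """Fisher linear discriminant w = S_w^-1 (mu_malware - mu_benign),
    computed on the selected telemetry channels only."""
    d = len(channels)
    per_class: Dict[int, List[List[float]]] = {0: [], 1: []}
    for x, y in train:
        per_class[y].append([x[c] for c in channels])
    means = {y: [sum(v[i] for v in vs) / len(vs) for i in range(d)]
             for y, vs in per_class.items()}
    sw = [[0.0] * d for _ in range(d)]  # within-class scatter matrix
    for y, vs in per_class.items():
        for v in vs:
            diff = [v[i] - means[y][i] for i in range(d)]
            for i in range(d):
                for j in range(d):
                    sw[i][j] += diff[i] * diff[j]
    delta = [means[1][i] - means[0][i] for i in range(d)]
    return _solve(sw, delta)


def score(w: Sequence[float], x: Sequence[float], channels: Sequence[int]) -> float:
    """Project a sample onto the discriminant direction; higher = more malware-like."""
    return sum(wi * x[c] for wi, c in zip(w, channels))


def detection_rate_at_fpr(train: Sequence[Sample], test: Sequence[Sample],
                          channels: Sequence[int], fpr: float = 0.029) -> Tuple[float, float]:
    """Train on `channels`, choose the alarm threshold so that roughly `fpr` of
    the benign test samples alarm, and return (detection rate, achieved FPR)."""
    w = fisher_direction(train, channels)
    benign = sorted(score(w, x, channels) for x, y in test if y == 0)
    malware = [score(w, x, channels) for x, y in test if y == 1]
    k = min(int(len(benign) * (1.0 - fpr)), len(benign) - 1)
    threshold = benign[k]
    tpr = sum(s > threshold for s in malware) / len(malware)
    achieved_fpr = sum(s > threshold for s in benign) / len(benign)
    return tpr, achieved_fpr


def compare_channel_sets(seed: int = 7) -> Tuple[float, float]:
    """Detection rate at ~2.9% FPR using the core channel only vs core + non-core."""
    data = make_dataset(seed=seed)
    split = len(data) // 2
    train, test = data[:split], data[split:]
    core_only, _ = detection_rate_at_fpr(train, test, channels=[0])
    core_plus_noncore, _ = detection_rate_at_fpr(train, test, channels=[0, 1])
    return core_only, core_plus_noncore


if __name__ == "__main__":
    core, both = compare_channel_sets()
    print(f"detection rate @ ~2.9% FPR: core-only {core:.3f}, core+non-core {both:.3f}")
```

The threshold is set on held-out benign scores rather than on the training split, which is what a deployment would have to do; note that the core-only model is not broken, it simply has nothing to separate on, and the gain comes entirely from the appended channel, which is the effect the manifold-hypothesis argument in the abstract describes.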