Document Type
Article
Publication Date
9-17-2025
Abstract
Prior work has shown that Translation Lookaside Buffer (TLB) data contains valuable behavioral information. Many existing methodologies rely on timing features or focus solely on workload classification. In this study, we propose a novel approach to malware classification using only TLB-related Hardware Performance Counters (HPCs), explicitly excluding any dependence on timing features such as task execution duration or memory access timing. Our methodology evaluates whether TLB data alone, without any timing information, can effectively distinguish between malicious and benign programs. We test this across three classification scenarios: (1) a binary classification problem that distinguishes malicious from benign tasks, (2) a 4-way classification problem designed to improve separability, and (3) a 10-way classification problem with classes of individual benign and malware tasks. Our results demonstrate that, even without execution time or memory access timing, TLB events achieve up to 81% accuracy for the binary classification, 72% accuracy for the 4-class grouping, and 61% accuracy for the 10-class grouping. These findings demonstrate that time-independent TLB patterns can serve as robust behavioral signatures. This work expands the understanding of microarchitectural side effects by demonstrating that TLB-only features, independent of timing-based techniques, can be effectively used for real-world malware detection.
Source Publication
Journal of Cybersecurity and Privacy (ISSN 2624-800X)
Recommended Citation
Agredo, C., Koranek, D. F., Kabban, C. M. S., Arroyo, J. A. G. d., & Graham, S. R. (2025). Microarchitectural Malware Detection via Translation Lookaside Buffer (TLB) Events. Journal of Cybersecurity and Privacy, 5(3), 75. https://doi.org/10.3390/jcp5030075
Comments
© 2025 Authors.
This article is published by MDPI, licensed under a Creative Commons Attribution 4.0 International License (CC BY 4.0), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.
Sourced from the published version of record cited above.