Detection of anomalous program execution using hardware-based micro-architectural data
First Claim
1. A method for detection of anomalous program execution using hardware-based micro-architectural data using performance counters internal to one or more processors and configured to count internal events of the one or more processors, the method comprising:
- obtaining hardware-based micro-architectural data, including hardware-based time-varying micro-architectural performance counter data, for a hardware device executing one or more processes, wherein the time-varying micro-architectural performance counter data measures instruction-level events that occur on one or more circuits of the hardware device, wherein the events are internal to the one or more processors executing said processes, the events are counted on performance counters of said one or more processors, and the performance counters are configured to count said events;
- applying one or more machine-learning procedures to the obtained hardware-based micro-architectural data of the hardware device to determine whether at least one of the one or more processes executing on the hardware device corresponds to an anomalous process, wherein applying one or more machine-learning procedures comprises classifying the obtained hardware-based time-varying micro-architectural performance counter data based on previously identified patterns of hardware-based micro-architectural data associated with one or more anomalous processes;
- determining that the at least one of the one or more processes corresponds to an anomalous process based on the applied one or more machine-learning procedures; and
- terminating the execution of the at least one of the one or more processes determined to correspond to an anomalous process.
Abstract
Disclosed are devices, systems, apparatus, methods, products, media and other implementations, including a method that includes obtaining hardware-based micro-architectural data, including hardware-based micro-architectural counter data, for a hardware device executing one or more processes, and determining based, at least in part, on the hardware-based micro-architectural data whether at least one of the one or more processes executing on the hardware device corresponds to a malicious process. In some embodiments, determining based on the hardware-based micro-architectural data whether the at least one of the one or more processes corresponds to a malicious process may include applying one or more machine-learning procedures to the hardware-based micro-architectural data to determine whether the at least one of the one or more processes corresponds to the malicious process.
21 Claims
11. A system for detection of anomalous program execution using hardware-based micro-architectural data using performance counters of one or more processors and configured to count internal events of the one or more processors, the one or more processors including performance counters configurable to count events internal to said one or more processors, the system comprising:
- a hardware device executing one or more processes, including the one or more processors; and
- an antivirus engine in communication with the hardware device, the antivirus engine configured to:
  - obtain hardware-based micro-architectural data, including hardware-based time-varying micro-architectural performance counter data, for the hardware device executing the one or more processes, wherein the time-varying micro-architectural performance counter data measures instruction-level events that occur on one or more circuits of the hardware device, wherein the events are internal to the one or more processors executing said processes, the events are counted on the performance counters of said one or more processors, and the performance counters are configured to count said events;
  - apply one or more machine-learning procedures to the obtained hardware-based micro-architectural data of the hardware device to determine whether at least one of the one or more processes executing on the hardware device corresponds to an anomalous process, wherein applying one or more machine-learning procedures comprises classifying the obtained hardware-based time-varying micro-architectural performance counter data based on previously identified patterns of hardware-based micro-architectural data associated with one or more anomalous processes;
  - determine that the at least one of the one or more processes corresponds to an anomalous process based on the applied one or more machine-learning procedures; and
  - terminate the execution of the at least one of the one or more processes determined to correspond to an anomalous process.
16. A non-transitory computer readable media storing a set of instructions executable on at least one programmable device that, when executed, causes operations for detection of anomalous program execution using hardware-based micro-architectural data using performance counters internal to one or more processors and configured to count internal events of the one or more processors, the operations comprising:
- obtaining hardware-based micro-architectural data, including hardware-based time-varying micro-architectural performance counter data, for a hardware device executing one or more processes, wherein the time-varying micro-architectural performance counter data measures instruction-level events that occur on one or more circuits of the hardware device, wherein the events are internal to the one or more processors executing said processes, the events are counted on performance counters of said one or more processors, and the performance counters are configured to count said events;
- applying one or more machine-learning procedures to the obtained hardware-based micro-architectural data of the hardware device to determine whether at least one of the one or more processes executing on the hardware device corresponds to an anomalous process, wherein applying one or more machine-learning procedures comprises classifying the obtained hardware-based time-varying micro-architectural performance counter data based on previously identified patterns of hardware-based micro-architectural data associated with one or more anomalous processes;
- determining that the at least one of the one or more processes corresponds to an anomalous program based on the applied one or more machine-learning procedures; and
- terminating the execution of the at least one of the one or more processes determined to correspond to an anomalous program.
18. An apparatus for detection of anomalous program execution using hardware-based micro-architectural data using performance counters internal to one or more hardware processors and configured to count internal events of the one or more hardware processors, the apparatus comprising:
- a sampling unit configured to obtain hardware-based micro-architectural data, including hardware-based time-varying micro-architectural performance counter data, for a hardware device executing one or more processes, wherein the time-varying micro-architectural performance counter data measures instruction-level events that occur on one or more circuits of the hardware device, wherein the events are internal to the one or more processors executing said processes, the events are counted on performance counters of said one or more processors, and the performance counters are configured to count said events, the sampling unit being realized on the hardware device or implemented as a hardware realization; and
- a software-implemented classifier configured to apply one or more machine-learning procedures to the obtained hardware-based micro-architectural data of the hardware device to determine whether at least one of the one or more processes executing on the hardware device corresponds to an anomalous process, wherein applying one or more machine-learning procedures comprises classifying the obtained hardware-based time-varying micro-architectural performance counter data based on previously identified patterns of hardware-based micro-architectural data associated with one or more anomalous processes;
- wherein upon determining that the at least one of the one or more processes corresponds to an anomalous process based on the applied one or more machine-learning procedures, the apparatus terminates the execution of the at least one of the one or more processes determined to correspond to an anomalous process.
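As an added illustration (not code from the patent or its assignee), the following Python sketch walks through the pipeline the independent claims describe: per-process performance-counter windows are normalized to events per thousand instructions, each window is classified against centroids learned from previously identified benign and anomalous patterns, and a process is marked for termination when a threshold fraction of its time-varying windows is anomalous. The counter values, PIDs, the two chosen event ratios and the 0.5 threshold are all constructed assumptions.

```python
"""Constructed example: classify per-process hardware performance-counter
(HPC) windows against previously identified benign/anomalous patterns."""
import math
from statistics import mean

# Each sample window is (instructions_retired, l1d_misses, branch_mispredicts)
# taken at a fixed interval for one process. Every value here is constructed.

def to_rates(window):
    """Normalize raw counts to events per thousand instructions (PKI) so
    windows with different instruction counts are comparable."""
    instr, l1d, brm = window
    if instr <= 0:
        raise ValueError("window has no retired instructions")
    return (1000.0 * l1d / instr, 1000.0 * brm / instr)

# "Previously identified patterns": labelled training windows (constructed).
TRAINING = {
    "benign": [(2_000_000, 18_000, 9_000), (1_800_000, 15_000, 8_500),
               (2_200_000, 21_000, 11_000), (1_900_000, 17_000, 9_600)],
    "anomalous": [(2_000_000, 160_000, 48_000), (1_700_000, 120_000, 41_000),
                  (2_100_000, 190_000, 55_000), (1_600_000, 110_000, 39_000)],
}

def train_centroids(training):
    """Nearest-centroid model: the mean PKI vector of each labelled class."""
    return {label: tuple(mean(col) for col in zip(*[to_rates(w) for w in ws]))
            for label, ws in training.items()}

def classify_window(window, centroids):
    """Label one window by its nearest class centroid (Euclidean, PKI space)."""
    r = to_rates(window)
    return min(centroids, key=lambda lbl: math.dist(r, centroids[lbl]))

def classify_process(pid, windows, centroids, threshold=0.5):
    """Time-varying decision: a process is flagged only when the fraction of
    its windows classified anomalous reaches the threshold, so one noisy
    window does not by itself trigger termination."""
    labels = [classify_window(w, centroids) for w in windows]
    frac = labels.count("anomalous") / len(labels)
    return {"pid": pid, "anomalous_fraction": frac, "terminate": frac >= threshold}

def decide_terminations(samples, centroids):
    """Decisions for every sampled process; the caller (the claims'
    'antivirus engine') acts on entries with terminate=True."""
    return [classify_process(pid, ws, centroids) for pid, ws in samples.items()]

# Constructed live samples: pid 4242 mostly matches the anomalous pattern.
LIVE = {1337: [(2_050_000, 19_500, 9_800), (1_950_000, 16_800, 9_100), (2_100_000, 20_100, 10_400)],
        4242: [(1_900_000, 150_000, 46_000), (2_000_000, 23_000, 10_000), (1_800_000, 130_000, 44_000)]}
```

A real deployment would collect the windows through the operating system's counter interface per PID and hand the `terminate=True` entries to the engine; the decision function deliberately returns data instead of killing anything.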