Detection of anomalous program execution using hardware-based micro-architectural data

US 10,025,929 B2
Filed: 11/05/2013
Issued: 07/17/2018
Est. Priority Date: 03/18/2013
Status: Active Grant

First Claim

Patent Images

1. A method for detection of anomalous program execution using hardware-based micro-architectural data using performance counters internal to one or more processors and configured to count internal events of the one or more processors, the method comprising:

obtaining hardware-based micro-architectural data, including hardware-based time-varying micro-architectural performance counter data, for a hardware device executing one or more processes, wherein the time-varying micro-architectural performance counter data measures instruction-level events that occur on one or more circuits of the hardware device, wherein the events are internal to the one or more processors executing said processes, the events are counted on performance counters of said one or more processors, and the performance counters are configured to count said events;

applying one or more machine-learning procedures to the obtained hardware-based micro-architectural data of the hardware device to determine whether at least one of the one or more processes executing on the hardware device corresponds to an anomalous process, wherein applying one or more machine-learning procedures comprises classifying the obtained hardware-based time-varying micro-architectural performance counter data based on previously identified patterns of hardware-based micro-architectural data associated with one or more anomalous processes;

determining that the at least one of the one or more processes corresponds to an anomalous process based on the applied one or more machine-learning procedures; and

terminating the execution of the at least one of the one or more processes determined to correspond to an anomalous process.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are devices, systems, apparatus, methods, products, media and other implementations, including a method that includes obtaining hardware-based micro-architectural data, including hardware-based micro-architectural counter data, for a hardware device executing one or more processes, and determining based, at least in part, on the hardware-based micro-architectural data whether at least one of the one or more processes executing on the hardware device corresponds to a malicious process. In some embodiments, determining based on the hardware-based micro-architectural data whether the at least one of the one or more processes corresponds to a malicious process may include applying one or more machine-learning procedures to the hardware-based micro-architectural data to determine whether the at least one of the one or more processes corresponds to the malicious process.

26 Citations

View as Search Results

21 Claims

1. A method for detection of anomalous program execution using hardware-based micro-architectural data using performance counters internal to one or more processors and configured to count internal events of the one or more processors, the method comprising:
- obtaining hardware-based micro-architectural data, including hardware-based time-varying micro-architectural performance counter data, for a hardware device executing one or more processes, wherein the time-varying micro-architectural performance counter data measures instruction-level events that occur on one or more circuits of the hardware device, wherein the events are internal to the one or more processors executing said processes, the events are counted on performance counters of said one or more processors, and the performance counters are configured to count said events;
  
  applying one or more machine-learning procedures to the obtained hardware-based micro-architectural data of the hardware device to determine whether at least one of the one or more processes executing on the hardware device corresponds to an anomalous process, wherein applying one or more machine-learning procedures comprises classifying the obtained hardware-based time-varying micro-architectural performance counter data based on previously identified patterns of hardware-based micro-architectural data associated with one or more anomalous processes;
  
  determining that the at least one of the one or more processes corresponds to an anomalous process based on the applied one or more machine-learning procedures; and
  
  terminating the execution of the at least one of the one or more processes determined to correspond to an anomalous process.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 19)
- - 2. The method of claim 1, wherein obtaining the hardware-based micro-architectural data comprises:
    - obtaining the hardware-based micro-architectural data at various time instances.
  - 3. The method of claim 2, wherein obtaining the hardware-based micro-architectural data at the various time instances comprises:
    - performing one or more of a data push operation initiated by the hardware device to send the hardware-based micro-architectural data, or a data pull operation, initiated by an antivirus engine, to send the hardware-based micro-architectural data.
  - 4. The method of claim 1, wherein obtaining the hardware-based micro-architectural data comprises:
    - obtaining multi-core hardware-based micro-architectural data resulting from execution of the one or more processes on a processor device with multiple processor cores; and
      
      correlating the respective hardware-based micro-architectural data obtained from each of the multiple processor cores to the one or more processes.
  - 5. The method of claim 1, wherein applying the one or more machine-learning procedures to the hardware-based micro-architectural data to determine whether the at least one of the one or more processes corresponds to the anomalous process comprises:
    - matching the obtained hardware-based time-varying micro-architectural performance counter data to the previously identified patterns of hardware-based micro-architectural data associated with one or more anomalous processes.
  - 6. The method of claim 5, further comprising:
    - obtaining updates for one or more patterns of hardware-based micro-architectural data associated with the one or more anomalous processes.
  - 7. The method of claim 6, wherein obtaining the updates comprises:
    - downloading encrypted data for previously identified patterns of hardware-based micro-architectural data associated with the one or more anomalous processes to an antivirus engine in communication with the hardware device providing the hardware-based micro-architectural data;
      
      decrypting at the antivirus engine the downloaded encrypted data for the previously identified patterns of hardware-based micro-architectural data associated with the one or more anomalous processes; and
      
      updating a revision counter maintained by the antivirus engine indicating a revision number of a most recent update of the previously identified patterns of hardware-based micro-architectural data.
  - 8. The method of claim 1, wherein the one or more machine learning procedures comprise one or more of:
    - a k-nearest neighbor procedure, a decision tree procedure, a random forest procedure, an artificial neural network procedure, a tensor density procedure, a hidden Markov model procedure, or a Support Vector Machine (SVM).
  - 9. The method of claim 1, wherein the at least one of the one or more processes that corresponds to the anomalous process comprises one or more of a non-malicious, or a malicious process, the malicious process including one or more of:
    - a malware process, or a side-channel attack process.
  - 10. The method of claim 1, wherein the hardware-based micro-architectural data comprise one or more of:
    - processor load density data, branch prediction performance data, or data regarding instruction cache misses.
  - 19. The method of claim 5, wherein the previously identified patterns of hardware-based micro-architectural data correspond to different hardware-based micro-architectural behaviors.

11. A system for detection of anomalous program execution using hardware-based micro-architectural data using performance counters of one or more processors and configured to count internal events of the one or more processors, the one or more processors including performance counters configurable to count events internal to said one or more processors, the system comprising:
- a hardware device executing one or more processes, including the one or more processors; and
  
  an antivirus engine in communication with the hardware device, the antivirus engine configured to;
  
  obtain hardware-based micro-architectural data, including hardware-based time-varying micro-architectural performance counter data, for the hardware device executing the one or more processes, wherein the time-varying micro-architectural performance counter data measures instruction-level events that occur on one or more circuits of the hardware device, wherein the events are internal to the one or more processors executing said processes, the events are counted on the performance counters of said one or more processors, and the performance counters are configured to count said events;
  
  apply one or more machine-learning procedures to the obtained hardware-based micro-architectural data of the hardware device to determine whether at least one of the one or more processes executing on the hardware device corresponds to an anomalous process, wherein applying one or more machine-learning procedures comprises classifying the obtained hardware-based time-varying micro-architectural performance counter data based on previously identified patterns of hardware-based micro-architectural data associated with one or more anomalous processes;
  
  determine that the at least one of the one or more processes corresponds to an anomalous process based on the applied one or more machine-learning procedures; and
  
  terminate the execution of the at least one of the one or more processes determined to correspond to an anomalous process.
- View Dependent Claims (12, 13, 14, 15, 20)
- - 12. The system of claim 11, wherein the antivirus engine configured to obtain the hardware-based micro-architectural data is configured to:
    - obtain the hardware-based micro-architectural data at various time instances.
  - 13. The system of claim 12, wherein the antivirus engine configured to obtain the hardware-based micro-architectural data at the various time instances is configured to:
    - receive the hardware-based micro-architectural data in response to one or more of;
      
      a data push operation initiated by the hardware device, or a data pull operation initiated by the antivirus engine.
  - 14. The system of claim 11, wherein the antivirus engine configured to apply the one or more machine-learning procedures to the hardware-based micro-architectural data to determine whether the at least one of the one or more processes corresponds to the anomalous process is configured to:
    - match the obtained hardware-based micro-architectural data to one or more patterns of hardware-based micro-architectural data associated with one or more anomalous processes.
  - 15. The system of claim 14, wherein the antivirus engine is further configured to:
    - obtain updates for the one or more patterns of hardware-based micro-architectural data associated with the one or more anomalous processes.
  - 20. The system of claim 14, wherein the previously identified patterns of hardware-based micro-architectural data correspond to different hardware-based micro-architectural behaviors.

16. A non-transitory computer readable media storing a set of instructions executable on at least one programmable device that, when executed, causes operations for detection of anomalous program execution using hardware-based micro-architectural data using performance counters internal to one or more processors and configured to count internal events of the one or more processors, the operations comprising:
- obtaining hardware-based micro-architectural data, including hardware-based time-varying micro-architectural performance counter data, for a hardware device executing one or more processes, wherein the time-varying micro-architectural performance counter data measures instruction-level events that occur on one or more circuits of the hardware device, wherein the events are internal to the one or more processors executing said processes, the events are counted on performance counters of said one or more processors, and the performance counters are configured to count said events;
  
  applying one or more machine-learning procedures to the obtained hardware-based micro-architectural data of the hardware device to determine whether at least one of the one or more processes executing on the hardware device corresponds to an anomalous process, wherein applying one or more machine-learning procedures comprises classifying the obtained hardware-based time-varying micro-architectural performance counter data based on previously identified patterns of hardware-based micro-architectural data associated with one or more anomalous processes;
  
  determining that the at least one of the one or more processes corresponds to an anomalous program based on the applied one or more machine-learning procedures; and
  
  terminating the execution of the at least one of the one or more processes determined to correspond to an anomalous program.
- View Dependent Claims (17, 21)
- - 17. The computer readable media of claim 16, wherein applying the one or more machine-learning procedures to the hardware-based micro-architectural data to determine whether the at least one of the one or more processes corresponds to the anomalous process comprises:
    - matching the obtained hardware-based time-varying micro-architectural performance counter data to the previously identified patterns of hardware-based micro-architectural data associated with one or more anomalous processes.
  - 21. The computer readable media of claim 17, wherein the previously identified patterns of hardware-based micro-architectural data correspond to different hardware-based micro-architectural behaviors.

18. An apparatus for detection of anomalous program execution using hardware-based micro architectural data using performance counters internal to one or more hardware processors and configured to count internal events of the one or more hardware processors, the apparatus comprising:
- a sampling unit configured to obtain hardware-based micro architectural data, including hardware-based time-varying micro-architectural performance counter data, for a hardware device executing one or more processes, wherein the time-varying micro-architectural performance counter data measures instruction-level events that occur on one or more circuits of the hardware device, wherein the events are internal to the one or more processors executing said processes, the events are counted on performance counters of said one or more processors, and the performance counters are configured to count said events, the sampling unit being realized on the hardware device or implemented as a hardware realization; and
  
  a software-implemented classifier configured to apply one or more machine-learning procedures to the obtained hardware-based micro-architectural data of the hardware device to determine whether at least one of the one or more processes executing on the hardware device corresponds to an anomalous process, wherein applying one or more machine-learning procedures comprises classifying the obtained hardware-based time varying micro-architectural performance counter data based on previously identified patterns of hardware-based micro-architectural data associated with one or more anomalous processes;
  
  wherein upon determining that the at least one of the one or more processes corresponds to an anomalous process based on the applied one or more machine learning procedures, the apparatus terminates the execution of the at least one of the one or more processes determined to correspond to an anomalous process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Original Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Inventors
Sethumadhavan, Lakshminarasimhan, Demme, John, Schmitz, Jared, Tang, Adrian, Stolfo, Sal, Maycock, Matthew
Primary Examiner(s)
Jeudy, Josnel

Application Number

US14/778,007
Publication Number

US 20160275288A1
Time in Patent Office

1,715 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/3466   Performance evaluation by t...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/572   Secure firmware programming...

G06F 2201/88   Monitoring involving counting

G06F 2221/034   Test or assess a computer o...

G06N 20/00   Machine learning

H04L 63/0428   wherein the data content is...

H04L 9/3239   involving non-keyed hash fu...

Detection of anomalous program execution using hardware-based micro-architectural data

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

26 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of anomalous program execution using hardware-based micro-architectural data

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links