COGNIZANT ENGINES: SYSTEMS AND METHODS FOR ENABLING PROGRAM OBSERVABILITY AND CONTROLABILITY AT INSTRUCTION LEVEL GRANULARITY

US 20100107252A1
Filed: 10/14/2008
Published: 04/29/2010
Est. Priority Date: 10/17/2007
Status: Active Grant

First Claim

Patent Images

1. A method of real-time monitoring of program execution in a processor comprising:

observing values and events within said processor system during said program execution using programmable hardware probes, and stateful monitoring and detecting for anomalies.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is directed to system for and methods of real time observing, monitoring, and detecting anomalies in programs'"'"' behavior at instruction level. The hardware assist design in this invention provides fine grained observability, and controllability. Fine grained observability provides unprecedented opportunity for detecting anomaly. Controllability provides a powerful tool for stopping anomaly, repairing the kernel and restoring the state of processing. The performance improvement over pure software approach is estimated to be many orders of magnitudes. This invention is also effective and efficient in detecting mutating computer viruses, where normal, signature based, virus detection is under performing.

100 Citations

View as Search Results

12 Claims

1. A method of real-time monitoring of program execution in a processor comprising:
- observing values and events within said processor system during said program execution using programmable hardware probes, and stateful monitoring and detecting for anomalies.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the probing and monitoring processes are isolated from all program or processes running on said processor.
  - 3. The method of claim 1 or claim 2, wherein upon detecting anomaly said monitor investigates further the states said processor and system.
  - 4. The method of claim 1 or claim 2, wherein upon detecting anomaly said monitor investigates further the states said processor and system and modify said states in order to eliminate anomaly and/or repair damages on the operating system and/or other programs on said system.
  - 5. A method, based on the method of claim 2, for pre-screening of programs to be run on the main/host processing system comprising:
    - loading the program into an isolated hardware subsystem capable of executing said program, executing the program on said isolated hardware subsystem, observing values and events within said subsystem during said program execution using programmable hardware probes, and stateful monitoring and detecting for anomalies.
  - 6. The method of claim 5, wherein malware detection process includes forcing said instruction set emulator to lie to said pre-screened program, whereby controlling the execution flow of said program.
  - 7. The method of claim 5, wherein malware detection process includes mapping control flow points of said program and controlling said program execution flow at the instruction level, whereby capable of defeating detection avoidance function in advanced malwares.

8. A monitored processor system comprising:
- a main processor for executing a program, a set of programmable hardware probes for observing and detecting values and events during program execution and a programmable monitor for keeping track of events and maintaining observed state of execution for detecting anomaly and/or controlling said program flow.
- View Dependent Claims (9, 10, 12)
- - 9. The system of claim 8, wherein the monitoring and detecting hardware are is a separate processor or programmable hardware state machine.
  - 10. The system of claim 8, wherein the monitoring and detecting hardware are is the main processor itself, with additional hardware logic to provide isolation and manage monitoring process invocation.
  - 12. The subsystem of claim 10, wherein said programmable monitor also controls said program'"'"'s control flow, by modifying said instruction set emulator internal resources and subsystem memory model.

11. A subsystem for pre-screening of programs to be run on the main/host processing system comprising:
- hardware instruction set emulator and memory model for executing said program in an isolated environment or sand-box, programmable probes for monitoring the execution of said program in the sandbox, and a programmable monitor for keeping track of events and maintaining observed state of execution for detecting anomaly.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sukarno Mertoguno
Original Assignee
Sukarno Mertoguno
Inventors
Mertoguno, Sukarno

Granted Patent

US 9,779,235 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/52 during program execution, e...

G06F 21/55 Detecting local intrusion o...

COGNIZANT ENGINES: SYSTEMS AND METHODS FOR ENABLING PROGRAM OBSERVABILITY AND CONTROLABILITY AT INSTRUCTION LEVEL GRANULARITY

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

100 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

COGNIZANT ENGINES: SYSTEMS AND METHODS FOR ENABLING PROGRAM OBSERVABILITY AND CONTROLABILITY AT INSTRUCTION LEVEL GRANULARITY

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

100 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links