UNSUPERVISED ANOMALY-BASED MALWARE DETECTION USING HARDWARE FEATURES
First Claim
1. A method for unsupervised anomaly-based malware detection using hardware features, the method comprising:
- obtaining current hardware performance data, including hardware performance time-varying counter data, for a hardware device executing a first process associated with recorded hardware performance data representative of the first process' normal behavior;
- identifying a set of hardware performance data from the obtained current hardware performance data based at least on a degree of effectiveness of one or more features associated with hardware performance data;
- aggregating the identified set of hardware performance data;
- transforming the aggregated set of hardware performance data based on one or more transform functions; and
- determining whether an anomalous process is affecting performance of the first process based on a determination of an extent of deviation of the transformed set of hardware performance data corresponding to the first process from the recorded hardware performance data representative of the normal behavior of the first process.
Abstract
Disclosed are devices, systems, apparatus, methods, products, media and other implementations, including a method that includes obtaining current hardware performance data, including hardware performance counter data, for a hardware device executing a first process associated with pre-recorded hardware performance data representative of the first process' normal behavior, and determining whether a malicious process is affecting performance of the first process based on a determination of an extent of deviation of the obtained current hardware performance data corresponding to the first process from the pre-recorded hardware performance data representative of the normal behavior of the first process.
21 Claims
1. A method for unsupervised anomaly-based malware detection using hardware features, the method comprising:
- obtaining current hardware performance data, including hardware performance time-varying counter data, for a hardware device executing a first process associated with recorded hardware performance data representative of the first process' normal behavior;
- identifying a set of hardware performance data from the obtained current hardware performance data based at least on a degree of effectiveness of one or more features associated with hardware performance data;
- aggregating the identified set of hardware performance data;
- transforming the aggregated set of hardware performance data based on one or more transform functions; and
- determining whether an anomalous process is affecting performance of the first process based on a determination of an extent of deviation of the transformed set of hardware performance data corresponding to the first process from the recorded hardware performance data representative of the normal behavior of the first process.
Dependent claims: 3, 4, 5, 6, 7, 9, 10, 11, 21.
2. (canceled)
8. (canceled)
12. A system for unsupervised anomaly-based malware detection using hardware features, the system comprising:
- a hardware device executing a first process; and
- an antivirus engine in communication with the hardware device, the antivirus engine configured to:
  - obtain current hardware performance data, including hardware performance time-varying counter data, for the hardware device executing the first process, the first process associated with recorded hardware performance data representative of the first process' normal behavior;
  - aggregate the current hardware performance data according to a sampling duration; and
  - determine whether an anomalous process is affecting performance of the first process based on a determination of an extent of deviation of the aggregated current hardware performance data corresponding to the first process from the recorded hardware performance data representative of the normal behavior of the first process.
Dependent claims: 13, 14, 15.
16. (canceled)
17. A computer readable media storing a set of instructions executable on at least one programmable device that, when executed, causes operations comprising:
- obtaining current hardware performance data, including hardware performance time-varying counter data, for a hardware device executing a first process associated with recorded hardware performance data representative of the first process' normal behavior;
- aggregating the current hardware performance data according to a sampling duration; and
- determining whether an anomalous process is affecting performance of the first process based on a determination of an extent of deviation of the aggregated current hardware performance data corresponding to the first process from the recorded hardware performance data representative of the normal behavior of the first process.
Dependent claims: 18, 19.
20. An apparatus for unsupervised anomaly-based malware detection using hardware features, the apparatus comprising:
- means for obtaining current hardware performance data, including hardware performance counter data, for a hardware device executing a first process associated with recorded hardware performance data representative of the first process' normal behavior; and
- means for determining whether an anomalous process is affecting performance of the first process based on a determination of an extent of deviation of the obtained current hardware performance data corresponding to the first process from the recorded hardware performance data representative of the normal behavior of the first process.
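The pipeline the independent claims describe (collect counter data, keep the effective features, aggregate over a sampling duration, transform, measure deviation from the recorded normal-behavior baseline) as an added Python illustration; this is not code from the patent or its assignee. It assumes that feature effectiveness means a low coefficient of variation on the baseline, that the transform is log1p, and that deviation is the largest standardised distance from the baseline; the event names and all counter values are constructed.

```python
import math
import statistics

EVENTS = ("instructions", "branch_misses", "cache_misses", "page_faults")

def sample(*counts):
    return dict(zip(EVENTS, counts))

# Constructed baseline: eight per-interval counter readings recorded while
# the monitored process behaved normally (assumed values, not real traces).
BASELINE = [sample(10000, 120, 300, 2), sample(10200, 125, 310, 3),
            sample(9900, 118, 295, 2), sample(10100, 122, 305, 2),
            sample(10050, 121, 298, 3), sample(9950, 119, 302, 2),
            sample(10150, 124, 308, 2), sample(10000, 120, 300, 3)]
# Constructed current windows (assumed): one normal, one whose branch-miss
# and cache-miss counts sit far above anything in the baseline.
NORMAL = [sample(10050, 121, 301, 2), sample(10100, 123, 304, 3)]
SUSPECT = [sample(10300, 400, 1500, 2), sample(10400, 420, 1600, 3)]

def select_features(baseline, max_cv=0.1):
    """Assumed 'effectiveness': a counter that is stable on the baseline
    (low coefficient of variation) is one whose drift is worth watching."""
    keep = []
    for e in EVENTS:
        vals = [s[e] for s in baseline]
        if statistics.pstdev(vals) / statistics.mean(vals) <= max_cv:
            keep.append(e)
    return keep

def aggregate(samples, features, duration):
    """Sum the selected counters over non-overlapping windows of `duration` intervals."""
    return [{f: sum(s[f] for s in samples[i:i + duration]) for f in features}
            for i in range(0, len(samples) - duration + 1, duration)]

def transform(window):
    """Assumed transform: log1p compresses the counters' wide dynamic range."""
    return {f: math.log1p(v) for f, v in window.items()}

class Detector:
    def __init__(self, baseline, duration=2, threshold=3.0):
        self.features = select_features(baseline)
        self.duration, self.threshold = duration, threshold
        ref = [transform(w) for w in aggregate(baseline, self.features, duration)]
        self.mean = {f: statistics.mean(r[f] for r in ref) for f in self.features}
        # Floor the spread so a perfectly constant baseline counter cannot divide by zero.
        self.std = {f: max(statistics.pstdev(r[f] for r in ref), 1e-9) for f in self.features}

    def score(self, current):
        """Largest standardised deviation of the current window from the baseline."""
        cur = transform(aggregate(current, self.features, self.duration)[0])
        return max(abs(cur[f] - self.mean[f]) / self.std[f] for f in self.features)

    def is_anomalous(self, current):
        return self.score(current) > self.threshold
```

The page-fault counter is dropped at selection time because its baseline varies too much to give a usable deviation; the remaining three counters flag the suspect window while the normal one stays under threshold.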
Specification