UNSUPERVISED ANOMALY-BASED MALWARE DETECTION USING HARDWARE FEATURES

US 20160275289A1
Filed: 03/14/2014
Published: 09/22/2016
Est. Priority Date: 03/18/2013
Status: Active Grant

First Claim

Patent Images

1. A method for unsupervised anomaly-based malware detection using hardware features, the method comprising:

obtaining current hardware performance data, including hardware performance time-varying counter data, for a hardware device executing a first process associated with recorded hardware performance data representative of the first process'"'"' normal behavior;

identifying a set of hardware performance data from the obtained current hardware performance data based at least on a degree of effectiveness of one or more features associated with hardware performance data;

aggregating the identified set of hardware performance data;

transforming the aggregated set of hardware performance data based on one or more transform functions; and

determining whether an anomalous process is affecting performance of the first process based on a determination of an extent of deviation of the transformed set of hardware performance data corresponding to the first process from the recorded hardware performance data representative of the normal behavior of the first process.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are devices, systems, apparatus, methods, products, media and other implementations, including a method that includes obtaining current hardware performance data, including hardware performance counter data, for a hardware device executing a first process associated with pre-recorded hardware performance data representative of the first process'"'"' normal behavior, and determining whether a malicious process is affecting performance of the first process based on a determination of an extent of deviation of the obtained current hardware performance data corresponding to the first process from the pre-recorded hardware performance data representative of the normal behavior of the first process.

Citations

21 Claims

1. A method for unsupervised anomaly-based malware detection using hardware features, the method comprising:
- obtaining current hardware performance data, including hardware performance time-varying counter data, for a hardware device executing a first process associated with recorded hardware performance data representative of the first process'"'"' normal behavior;
  
  identifying a set of hardware performance data from the obtained current hardware performance data based at least on a degree of effectiveness of one or more features associated with hardware performance data;
  
  aggregating the identified set of hardware performance data;
  
  transforming the aggregated set of hardware performance data based on one or more transform functions; and
  
  determining whether an anomalous process is affecting performance of the first process based on a determination of an extent of deviation of the transformed set of hardware performance data corresponding to the first process from the recorded hardware performance data representative of the normal behavior of the first process.
- View Dependent Claims (3, 4, 5, 6, 7, 9, 10, 11, 21)
- - 3. The method of claim 1, wherein the hardware performance data is obtained at various time instances and wherein the method further comprises:
    - performing one or more of a data push operation initiated by the hardware device to send the current hardware performance data, or a data pull operation, initiated by an antivirus engine, to cause the current hardware performance data to be sent by the hardware device.
  - 4. The method of claim 1, wherein identifying the set of hardware performance data comprises:
    - selecting the one or more features based on respective computed one or more scores representative of the degree of effectiveness of the identified set of hardware performance data, wherein the degree of effectiveness indicates that the hardware performance data obtained for the selected one or more features is affected by the anomalous process; and
      
      obtaining performance data from the current hardware performance data only for the selected one or more features.
  - 5. The method of claim 4, wherein computing the one or more scores comprises computing one or more Fisher scores.
  - 6. The method of claim 1, wherein determining whether the anomalous process is affecting the performance of the first process comprises:
    - applying one or more machine-learning procedures, trained using the recorded hardware performance data representative of the normal behavior of the first process, to the transformed set of hardware performance data to determine whether the transformed set of hardware performance data for the hardware device executing the first process deviates from the recorded hardware performance data for the first process.
  - 7. The method of claim 6, wherein the one or more machine learning procedures comprise one or more of:
    - a support vector machine implementing a non-linear radial basis function (RBF) kernel, a k-nearest neighbor procedure, a decision tree procedure, a random forest procedure, an artificial neural network procedure, a tensor density procedure, a Support Vector Machine (SVM), or a hidden Markov model procedure.
  - 9. The method of claim 1, wherein transforming the aggregated set of hardware performance data comprises:
    - deriving a normalized hardware performance value, normalized_i, for an event i, from hardware performance data value, raw_i, for the event i, according to;
  - 10. The method of claim 1, wherein the hardware performance data comprise one or more of:
    - processor load density data, branch prediction performance data, or data regarding instruction cache misses.
  - 11. The method of claim 1, further comprising:
    - obtaining updates for at least the recorded hardware performance data representative of the normal behavior of the first process, wherein obtaining the updates comprises;
      
      downloading encrypted data for the updates to an antivirus engine in communication with the hardware device providing the current hardware performance data;
      
      decrypting at the antivirus engine the downloaded encrypted data for the updates; and
      
      updating a revision counter maintained by the antivirus engine indicating a revision number of a most recent update.
  - 21. The method of claim 1, wherein the anomalous process comprises a malware-type malicious process.

2. (canceled)

8. (canceled)

12. A system for unsupervised anomaly-based malware detection using hardware features, the system comprising:
- a hardware device executing a first process; and
  
  an antivirus engine in communication with the hardware device, the antivirus engine configured to;
  
  obtain current hardware performance data, including hardware performance time-varying counter data, for the hardware device executing the first process, the first process associated with recorded hardware performance data representative of the first process'"'"' normal behavior;
  
  aggregate the current hardware performance data according to a sampling duration; and
  
  determine whether an anomalous process is affecting performance of the first process based on a determination of an extent of deviation of the aggregated current hardware performance data corresponding to the first process from the recorded hardware performance data representative of the normal behavior of the first process.
- View Dependent Claims (13, 14, 15)
- - 13. The system of claim 12, wherein the antivirus engine configured to obtain the current hardware performance data is configured to:
    - select one or more features based on respective computed one or more scores representative of a degree of effectiveness of hardware performance data, wherein the degree of effectiveness indicates that the hardware performance data obtained for the selected one or more features is affected by the anomalous process; and
      
      obtain performance data from the current hardware performance data only for the selected one or more features.
  - 14. The system of claim 12, wherein the antivirus engine configured to determine whether the anomalous process is affecting the performance of the first process is configured to:
    - apply one or more machine-learning procedures, trained using the recorded hardware performance data representative of the normal behavior of the first process, to the aggregated current hardware performance data to determine whether the aggregated current hardware performance data for the hardware device executing the first process deviates from the recorded hardware performance data for the first process.
  - 15. The system of claim 14, wherein the one or more machine learning procedures comprise one or more of:
    - a support vector machine implementing a non-linear radial basis function (RBF) kernel, a k-nearest neighbor procedure, a decision tree procedure, a random forest procedure, an artificial neural network procedure, a tensor density procedure, a Support Vector Machine (SVM), or a hidden Markov model procedure.

16. (canceled)

17. A computer readable media storing a set of instructions executable on at least one programmable device that, when executed, causes operations comprising:
- obtaining current hardware performance data, including hardware performance time-varying counter data, for a hardware device executing a first process associated with recorded hardware performance data representative of the first process'"'"' normal behavior;
  
  aggregating the current hardware performance data according to a sampling duration; and
  
  determining whether an anomalous process is affecting performance of the first process based on a determination of an extent of deviation of the aggregated current hardware performance data corresponding to the first process from the recorded hardware performance data representative of the normal behavior of the first process.
- View Dependent Claims (18, 19)
- - 18. The computer readable media of claim 17, wherein obtaining the current hardware performance data comprises:
    - selecting one or more features based on respective computed one or more scores representative of a degree of effectiveness of hardware performance data, wherein the degree of effectiveness indicates that the hardware performance data obtained for the selected one or more features is affected by the anomalous process; and
      
      obtaining performance data from the current hardware performance data only for the selected one or more features.
  - 19. The computer readable media of claim 17, wherein determining whether the anomalous process is affecting the performance of the first process comprises:
    - applying one or more machine-learning procedures, trained using the recorded hardware performance data representative of the normal behavior of the first process, to the aggregated current hardware performance data to determine whether the aggregated current hardware performance data for the hardware device executing the first process deviates from the recorded hardware performance data for the first process.

20. An apparatus for unsupervised anomaly-based malware detection using hardware features, the apparatus comprising:
- means for obtaining current hardware performance data, including hardware performance counter data, for a hardware device executing a first process associated with recorded hardware performance data representative of the first process'"'"' normal behavior; and
  
  means for determining whether an anomalous process is affecting performance of the first process based on a determination of an extent of deviation of the obtained current hardware performance data corresponding to the first process from the recorded hardware performance data representative of the normal behavior of the first process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Original Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Inventors
TANG, Adrian, STOLFO, Salvatore, SETHUMADHAVAN, Lakshminarasimhan

Granted Patent

US 9,996,694 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

G06N 20/00   Machine learning

H04L 63/0428   wherein the data content is...

H04L 9/3239   involving non-keyed hash fu...

UNSUPERVISED ANOMALY-BASED MALWARE DETECTION USING HARDWARE FEATURES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

UNSUPERVISED ANOMALY-BASED MALWARE DETECTION USING HARDWARE FEATURES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links