SYSTEMS, METHODS, AND APPARATUSES FOR INTRUSION DETECTION AND ANALYTICS USING POWER CHARACTERISTICS SUCH AS SIDE-CHANNEL INFORMATION COLLECTION
First Claim
1. An apparatus, comprising:
- a processor configured to receive a set of side-channel data representing a power signature of a target device, the set of side-channel data being captured by a probe disposed proximate to the target device,the processor configured to extract a first characteristic of the set of side-channel data;
the processor configured to receive, at a first time, a first set of reference side-channel data of a reference device, the first set of reference side-channel data having a second characteristic and representing a first reference power signature of the reference device,the processor configured to compare the first characteristic of the target device and the second characteristic of the reference device to determine a first anomaly of the target device,the processor configured to receive, at a second time after the first time, a second set of reference side-channel data of the reference device, the second set of reference side-channel data having a third characteristic and representing a second reference power signature of the reference device,the processor configured to compare the first characteristic of the target device and the third characteristic of the reference device to determine a second anomaly of the target device,the processor configured to send a signal indicating the change from the first anomaly to the second anomaly of the target device.
1 Assignment
0 Petitions
Accused Products
Abstract
Some embodiments described herein include a system that collects and learns reference side-channel normal activity, process it to reveal key features, compares subsequent collected data and processed data for anomalous behavior, and reports such behavior to a management center where this information is displayed and predefine actions can be executed when anomalous behavior is observed. In some instances, a physical side channel (e.g. and indirect measure of program execution such as power consumption or electromagnetic emissions and other physical signals) can be used to assess the execution status in a processor or digital circuit using an external monitor and detect, with extreme accuracy, when an unauthorized execution has managed to disrupt the normal operation of a target system (e.g., a computer system, etc.).
27 Citations
20 Claims
-
1. An apparatus, comprising:
-
a processor configured to receive a set of side-channel data representing a power signature of a target device, the set of side-channel data being captured by a probe disposed proximate to the target device, the processor configured to extract a first characteristic of the set of side-channel data; the processor configured to receive, at a first time, a first set of reference side-channel data of a reference device, the first set of reference side-channel data having a second characteristic and representing a first reference power signature of the reference device, the processor configured to compare the first characteristic of the target device and the second characteristic of the reference device to determine a first anomaly of the target device, the processor configured to receive, at a second time after the first time, a second set of reference side-channel data of the reference device, the second set of reference side-channel data having a third characteristic and representing a second reference power signature of the reference device, the processor configured to compare the first characteristic of the target device and the third characteristic of the reference device to determine a second anomaly of the target device, the processor configured to send a signal indicating the change from the first anomaly to the second anomaly of the target device. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. A method, comprising:
-
receiving, at a first time, a first set of reference side-channel data of a reference device, the first set of reference side-channel data having a first reference characteristic and representing a first reference power signature of the reference device; receiving, at a second time after the first time, a second set of reference side-channel data of the reference device, the second set of reference side-channel data having a second reference characteristic and representing a second reference power signature of the reference device; receiving, at a third time after the second time, a set of side-channel data representing a power signature of a target device, the set of side-channel data being captured by a probe disposed proximate to the target device; extracting a characteristic of the set of side-channel data of the target device; comparing the characteristic of the target device with the first reference characteristic of the reference device to determine a first anomaly of the target device; comparing the characteristic of the target device with the second reference characteristic of the reference device to determine a second anomaly of the target device; and sending a signal indicating the change from the first anomaly to the second anomaly of the target device. - View Dependent Claims (9, 10, 11, 12, 13, 14)
-
-
15. An apparatus, comprising:
-
a processor configured to receive a first set of side-channel data representing a power signature of a first target device and being captured by a probe disposed proximate to the first target device, the processor configured to be operatively coupled to the first target device via a network, the processor configured to receive a second set of side-channel data representing a power signature of a second target device and data being captured by a probe disposed proximate to the second target device, the processor configured to be operatively coupled to the second target device via the network, the processor configured to extract a first characteristic of the first set of side-channel data of the first target device and a second characteristic of the second set of side-channel data of the second target device, the processor configured to compare the first characteristic of the first target device with a power signature of a first reference device to determine a first anomaly of the first target device, the processor configured to compare the second characteristic of the second target device with a power signature of a second reference device to determine a second anomaly of the second target device, the processor configured to send a first signal indicating the first anomaly to the first target device and send a second signal indicating the second anomaly to the second target device. - View Dependent Claims (16, 17, 18, 19, 20)
-
Specification