Detecting software attacks by monitoring electric power consumption patterns
Abstract
Software attacks such as worms and viruses are detected in an electronic device by monitoring power consumption patterns. In a first embodiment, software attacks are detected by an increase in power consumption. The increased power consumption can be caused by increased network traffic, or by increased activity in the microprocessor. Monitoring power consumption is particularly effective for detecting DOS/flooding attacks when the electronic device is in an idle state. In a second embodiment, a power consumption signal is converted to the frequency domain (e.g., by fast Fourier transform). The highest amplitude frequencies are identified. Specific software attacks produce characteristic frequencies in the power consumption signal. Software attacks are therefore detected by matching the highest amplitude frequencies with frequencies associated with specific worms and viruses. Identification of a particular software attack typically requires matching of 3 or more of the highest amplitude frequencies, and, optionally, amplitude information.
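The two embodiments in the abstract can be sketched as follows. This is an added example, not code from the patent: the signature names and frequencies, the 150 mW threshold, the 5 mW amplitude floor and the sample traces are all constructed assumptions.

```python
import cmath
import math

def fft(x):
    """Recursive radix-2 FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    tw = [cmath.exp(-2j * cmath.pi * k / n) * odd[k] for k in range(n // 2)]
    return [e + t for e, t in zip(even, tw)] + [e - t for e, t in zip(even, tw)]

def exceeds_threshold(samples, threshold_mw):
    """First embodiment: mean power above the idle threshold."""
    return sum(samples) / len(samples) > threshold_mw

def top_frequencies(samples, rate_hz, count=4, min_amp_mw=5.0):
    """Highest-amplitude frequencies (Hz), strongest first, DC removed."""
    n = len(samples)
    mean = sum(samples) / n
    spectrum = fft([s - mean for s in samples])
    # Scale bin magnitude back to a sinusoid amplitude in mW.
    amps = {k: 2 * abs(spectrum[k]) / n for k in range(1, n // 2)}
    strongest = sorted(amps, key=amps.get, reverse=True)[:count]
    return [k * rate_hz / n for k in strongest if amps[k] >= min_amp_mw]

def identify(samples, rate_hz, signatures, tol_hz=0.5, min_matches=3):
    """Second embodiment: report signatures with >= min_matches peaks present."""
    peaks = top_frequencies(samples, rate_hz)
    hits = {}
    for name, freqs in signatures.items():
        matched = sum(any(abs(p - f) <= tol_hz for p in peaks) for f in freqs)
        if matched >= min_matches:
            hits[name] = matched
    return hits

# Constructed data: 1 s sampled at 256 Hz, so FFT bins are 1 Hz wide.
RATE_HZ = 256
SIGNATURES = {"sig_A": [12, 31, 47], "sig_B": [12, 60, 90]}  # hypothetical database
IDLE_TRACE = [100.0] * RATE_HZ
ATTACK_TRACE = [180 + 30 * math.sin(2 * math.pi * 12 * t / RATE_HZ)
                + 20 * math.sin(2 * math.pi * 31 * t / RATE_HZ)
                + 10 * math.sin(2 * math.pi * 47 * t / RATE_HZ)
                for t in range(RATE_HZ)]

if __name__ == "__main__":
    print(exceeds_threshold(ATTACK_TRACE, 150.0), identify(ATTACK_TRACE, RATE_HZ, SIGNATURES))
    print(exceeds_threshold(IDLE_TRACE, 150.0), identify(IDLE_TRACE, RATE_HZ, SIGNATURES))
```

A real trace rarely lands on exact bin centres, so a practical matcher would window the signal and widen `tol_hz` to cover spectral leakage.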
32 Claims
1. An information processing electronic device capable of protecting a mobile, battery-powered device from malicious software attacks, comprising:
- a) a sensor for detecting an amount of electrical power or current consumed by the mobile, battery-powered device;
- b) a threshold detector for comparing the detected electrical power or current to a threshold value, and for indicating that undesired software may be present on the mobile, battery-powered device when the threshold value is exceeded.
Dependent claims: 2, 3
4. A method for detecting a malicious software attack in a mobile, battery-powered device, the method comprising the steps of:
- a) detecting an amount of electrical power or current consumed by the mobile, battery-powered device;
- b) comparing the detected electrical power or current to a threshold value, and
- c) indicating that undesired software may be present on the mobile, battery-powered device when the threshold value is exceeded.
Dependent claims: 5, 6, 7, 8, 9
10. An information processing electronic device capable of detecting undesired software, the electronic device comprising:
- a) a sensor for detecting a power consumption signal representing power or current consumed by the electronic device;
- b) a detector for detecting a frequency signature of the power consumption signal; and
- c) a comparator for comparing the detected frequency signature to a database of frequency signatures associated with undesired software.
Dependent claims: 11, 12, 13, 14
15. A method for detecting undesired software in an information processing electronic device, the method comprising the steps of:
- a) detecting a frequency signature of a power consumption signal representing electrical power or current consumed by the electronic device; and
- b) comparing the detected frequency signature to a database of frequency signatures associated with undesired software.
Dependent claims: 16, 17, 18, 19, 20, 21
22. An information processing electronic device capable of identifying a type of communication protocol used by undesired software, the electronic device comprising:
- a) a sensor for detecting a power consumption signature representing power or current consumed by the electronic device;
- b) a database including;
  - i) data associating a Transmission Control (TC) protocol with a power consumption signature having a single continuous plateau; and
  - ii) data associating a Universal Datagram (UD) protocol with a power consumption signature having an initial plateau followed by at least one short plateau and at least one lull; and
- c) a comparator for comparing the detected power consumption signature to a power signature database, wherein the database associates power consumption signatures with types of communication protocols.
Dependent claims: 23, 24
25. A method for identifying a type of communication protocol active in an information processing electronic device, the method comprising the steps of:
- a) detecting a power consumption signature of electrical power or current consumed by the electronic device;
- b) comparing the detected power consumption signature to a database associating power consumption signatures with types of communication protocols; and
- c) identifying the communication protocol as a Universal Datagram (UD) protocol if the power consumption signal includes an initial plateau followed by a plurality of alternating short plateaus and lulls.
Dependent claims: 26, 27, 28
29. A method for identifying a type of communication protocol active in an information processing electronic device, the method comprising the steps of:
- a) detecting a power consumption signature of electrical power or current consumed by the electronic device;
- b) comparing the detected power consumption signature to a database associating power consumption signatures with types of communication protocols; and
- c) identifying the communication protocol as a Transmission Control (TC) protocol or Internet Control Message protocol if the power consumption signal consists of a single continuous plateau.
Dependent claims: 30, 31, 32
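The plateau shapes named in claims 22, 25 and 29 can be told apart by run-length encoding the power trace. This is an added example, not code from the patent: the 250 mW activity level, the rule that a "short" plateau is at most half the initial one, and the sample traces are constructed assumptions, and the trace is assumed to be already smoothed. The returned labels follow the claims' own wording.

```python
from itertools import groupby

def segments(samples, active_mw):
    """Run-length encode the trace into (is_plateau, length) pairs."""
    return [(on, len(list(run)))
            for on, run in groupby(s >= active_mw for s in samples)]

def classify_protocol(samples, active_mw=250.0, short_ratio=0.5):
    """Map the plateau/lull shape of a power trace to a protocol label."""
    segs = segments(samples, active_mw)
    # Trim idle time before and after the burst so only its shape is judged.
    while segs and not segs[0][0]:
        segs.pop(0)
    while segs and not segs[-1][0]:
        segs.pop()
    plateaus = [length for on, length in segs if on]
    if not plateaus:
        return "idle"
    if len(plateaus) == 1:
        return "TC or ICMP"  # single continuous plateau
    initial, later = plateaus[0], plateaus[1:]
    # After trimming, consecutive plateaus are always separated by a lull.
    if all(length <= short_ratio * initial for length in later):
        return "UD"          # initial plateau, then short plateaus and lulls
    return "unknown"

# Constructed traces in mW, one value per sampling interval.
IDLE = [100] * 40
TC_LIKE = [100] * 5 + [400] * 30 + [100] * 5
UD_LIKE = [100] * 5 + [400] * 20 + ([100] * 4 + [400] * 4) * 3 + [100] * 5
TWO_EQUAL = [400] * 10 + [100] * 5 + [400] * 10

if __name__ == "__main__":
    for name, trace in [("idle", IDLE), ("tc", TC_LIKE),
                        ("ud", UD_LIKE), ("two_equal", TWO_EQUAL)]:
        print(name, classify_protocol(trace))
```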
Specification