Detecting software attacks by monitoring electric power consumption patterns

US 7,877,621 B2
Filed: 06/24/2005
Issued: 01/25/2011
Est. Priority Date: 09/03/2004
Status: Active Grant

First Claim

Patent Images

1. An information processing electronic device capable of protecting a mobile, battery-powered device from malicious software attacks, comprising:

a) a sensor for detecting an amount of electrical power or current consumed by the mobile, battery-powered device;

b) a threshold detector for comparing the detected electrical power or current to a threshold value, and for indicating that undesired software may be present on the mobile, battery-powered device when the threshold value is exceeded.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Software attacks such as worms and viruses are detected in an electronic device by monitoring power consumption patterns. In a first embodiment, software attacks are detected by an increase in power consumption. The increased power consumption can be caused by increased network traffic, or by increased activity in the microprocessor. Monitoring power consumption is particularly effective for detecting DOS/flooding attacks when the electronic device is in an idle state. In a second embodiment, a power consumption signal is converted to the frequency domain (e.g., by fast Fourier transform). The highest amplitude frequencies are identified. Specific software attacks produce characteristic frequencies in the power consumption signal. Software attacks are therefore detected by matching the highest amplitude frequencies with frequencies associated with specific worms and viruses. Identification of a particular software attack typically requires matching of 3 or more of the highest amplitude frequencies, and, optionally, amplitude information.

Citations

32 Claims

1. An information processing electronic device capable of protecting a mobile, battery-powered device from malicious software attacks, comprising:
- a) a sensor for detecting an amount of electrical power or current consumed by the mobile, battery-powered device;
  
  b) a threshold detector for comparing the detected electrical power or current to a threshold value, and for indicating that undesired software may be present on the mobile, battery-powered device when the threshold value is exceeded.
- View Dependent Claims (2, 3)
- - 2. The electronic device of claim 1, further comprising a network interface circuit (NIC), and a microprocessor (MP), wherein the sensor detects an amount of electrical power or current consumed by the NIC and the MP.
  - 3. The electronic device of claim 2, wherein the sensor can detect an amount of electrical power or current consumed by the NIC or MP individually.

4. A method for detecting a malicious software attack in a mobile, battery-powered device, the method comprising the steps of:
- a) detecting an amount of electrical power or current consumed by the mobile, battery-powered device;
  
  b) comparing the detected electrical power or current to a threshold value, andc) indicating that undesired software may be present on the mobile, battery-powered device when the threshold value is exceeded.
- View Dependent Claims (5, 6, 7, 8, 9)
- - 5. The method of claim 4, wherein if the detected power or current exceeds the threshold value in step (b), then alerting a user or microprocessor or network administrator that undesired software is or might be present.
  - 6. The method of claim 4, wherein step (b) is performed periodically.
  - 7. The method of claim 6, wherein, if the detected power or current exceeds the threshold value in a plurality of consecutive measurements, then indicating to a user or microprocessor that undesired software may be operating.
  - 8. The method of claim 4, wherein the mobile, battery-powered device includes a network interface circuit or microprocessor.
  - 9. The method of claim 4, further comprising the step of adjusting the threshold value according to an operating mode of the mobile, battery-powered device.

10. An information processing electronic device capable of detecting undesired software, the electronic device comprising:
- a) a sensor for detecting a power consumption signal representing power or current consumed by the electronic device;
  
  b) a detector for detecting a frequency signature of the power consumption signal; and
  
  c) a comparator for comparing the detected frequency signature to a database of frequency signatures associated with undesired software.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The electronic device of claim 10, further comprising a buffer for temporarily storing the power consumption signal from the sensor, such that the detector can retroactively determine a frequency signature of recent power consumption.
  - 12. The electronic device of claim 10, wherein the frequency signature includes amplitude information.
  - 13. The electronic device of claim 10, further comprising a network interface circuit (NIC), and a microprocessor (MP), wherein the detector detects a frequency signature of the NIC or MP individually.
  - 14. The electronic device of claim 10, wherein the detector and comparator are implemented as software, firmware or hardware.

15. A method for detecting undesired software in an information processing electronic device, the method comprising the steps of:
- a) detecting a frequency signature of a power consumption signal representing electrical power or current consumed by the electronic device; and
  
  b) comparing the detected frequency signature to a database of frequency signatures associated with undesired software.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The method of claim 15, wherein if a match is found in step (b), then alerting a user or microprocessor or network administrator that undesired software is or might be present.
  - 17. The method of claim 15, wherein the frequency signatures include amplitude information.
  - 18. The method of claim 15, wherein the detecting step includes the step of discriminating against all frequencies having amplitudes less than a predetermined confidence threshold.
  - 19. The method of claim 15, wherein each frequency signature includes at least 3 frequency components.
  - 20. The method of claim 15, further comprising the step of identifying a type of undesired software that may be operating based on a match between the detected frequency signature and a matching frequency signature stored in the database.
  - 21. The method of claim 15, wherein the electronic device comprises a network interface circuit (NIC), and a microprocessor (MP), and wherein frequency signatures of the NIC or MP are detected individually.

22. An information processing electronic device capable of identifying a type of communication protocol used by undesired software, the electronic device comprising:
- a) a sensor for detecting a power consumption signature representing power or current consumed by the electronic device;
  
  b) a database including;
  
  i) data associating a Transmission Control (TC) protocol with a power consumption signature having a single continuous plateau; and
  
  ii) data associating a Universal Datagram (UD) protocol with a power consumption signature having an initial plateau followed by at least one short plateau and at least one lull; and
  
  c) a comparator for comparing the detected power consumption signature to a power signature database, wherein the database associates power consumption signatures with types of communication protocols.
- View Dependent Claims (23, 24)
- - 23. The electronic device of claim 22, further comprising a means for smoothing the power consumption signature.
  - 24. The electronic device of claim 22, further comprising a network interface circuit (NIC), and a microprocessor (MP), wherein the sensor detects a power consumption signature of the NIC or MP individually.

25. A method for identifying a type of communication protocol active in an information processing electronic device, the method comprising the steps of:
- a) detecting a power consumption signature of electrical power or current consumed by the electronic device;
  
  b) comparing the detected power consumption signature to a database associating power consumption signatures with types of communication protocols; and
  
  c) identifying the communication protocol as a Universal Datagram (UD) protocol if the power consumption signal includes an initial plateau followed by a plurality of alternating short plateaus and lulls.
- View Dependent Claims (26, 27, 28)
- - 26. The method of claim 25, wherein the detecting step includes the step of smoothing the power consumption signature.
  - 27. The method of claim 25, wherein if a match is found in step (b), then alerting a user or microprocessor or network administrator of the type of communication protocol.
  - 28. The method of claim 25, wherein step (b) is performed manually.

29. A method for identifying a type of communication protocol active in an information processing electronic device, the method comprising the steps of:
- a) detecting a power consumption signature of electrical power or current consumed by the electronic device;
  
  b) comparing the detected power consumption signature to a database associating power consumption signatures with types of communication protocols; and
  
  c) identifying the communication protocol as a Transmission Control (TC) protocol or Internet Control Message protocol if the power consumption signal consists of a single continuous plateau.
- View Dependent Claims (30, 31, 32)
- - 30. The method of claim 29, wherein if a match is found in step (b), then alerting a user or microprocessor or network administrator of the type of communication protocol.
  - 31. The method of claim 29, wherein step (b) is performed manually.
  - 32. The method of claim 29, wherein the detecting step includes the step of smoothing the power consumption signature.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
US Department of The Army (Government of the United States of America), Virginia Tech Intellectual Properties, Inc. (Virginia Polytechnic Institute and State University)
Original Assignee
The United States Of America As Represented By The Secretary Of The Army, Virginia Tech Intellectual Properties, Inc. (Virginia Polytechnic Institute and State University)
Inventors
Jacoby, Grant A., Marchany, Randolph C., Davis, Nathaniel J IV
Primary Examiner(s)
Butler; Dennis M

Application Number

US11/574,619
Publication Number

US 20080276111A1
Time in Patent Office

2,041 Days
Field of Search

713/300, 713/310, 713/340, 726/22, 726/23, 726/24, 726/25
US Class Current

713/340
CPC Class Codes

G06F 11/3006   where the computing system ...

G06F 11/3062   where the monitored propert...

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06F 21/81   by operating on the power s...

Detecting software attacks by monitoring electric power consumption patterns

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting software attacks by monitoring electric power consumption patterns

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links