Rootkit detection by using HW resources to detect inconsistencies in network traffic
First Claim
1. A non-transitory computer readable medium with instructions stored thereon, the instructions comprising instructions that when executed cause a programmable device to:
- monitor network traffic of the programmable device in an environment controlled by an operating system of the programmable device, producing a first monitor data;
- monitor network traffic of the programmable device in a cryptographically secured hardware environment of the programmable device not controlled by the operating system, producing a second monitor data;
- compare the first monitor data with the second monitor data; and
- indicate whether the first monitor data is the same as the second monitor data.
Abstract
A technique allows detection of covert malware that attempts to hide network traffic. By monitoring network traffic both in a secure trusted environment and in an operating system environment, then comparing the monitor data, attempts to hide network traffic can be detected, allowing the possibility of performing rehabilitative actions on the computer system to locate and remove the malware hiding the network traffic.
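The comparison step that the abstract and the independent claims describe (claims 1, 10 and 20), written out as an added example; this is not code from the patent and the patent does not specify a monitor-data format. It assumes that each monitor reports the same capture window as a list of flow records keyed by the 5-tuple (src, dst, sport, dport, proto) with packet and byte counters, that the "hw" list stands for the data produced by the out-of-band hardware environment the operating system cannot influence, and an optional byte-count tolerance (my addition) for skew between the two sampling points. The sample flows are constructed.

```python
"""Comparison of two traffic-monitor views, added here as an example of the
technique the abstract and claims describe; it is not code from the patent.

Assumed (not stated in the patent): each monitor reports the same capture
window as a list of flow records keyed by the 5-tuple (src, dst, sport,
dport, proto) with packet and byte counters. The "hw" list stands for the
out-of-band hardware monitor the operating system cannot influence.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

FlowKey = Tuple[str, str, int, int, str]


@dataclass(frozen=True)
class FlowRecord:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    packets: int
    octets: int

    @property
    def key(self) -> FlowKey:
        return (self.src, self.dst, self.sport, self.dport, self.proto)


@dataclass(frozen=True)
class Discrepancy:
    # hidden_flow: seen by the hardware monitor but absent from the OS view
    #              (the case a rootkit hiding traffic produces)
    # phantom_flow: reported by the OS but never seen by the hardware monitor
    # counter_mismatch: both saw the flow but disagree on its volume
    kind: str
    key: FlowKey
    os_view: Optional[FlowRecord]
    hw_view: Optional[FlowRecord]


def index_flows(records: Iterable[FlowRecord]) -> Dict[FlowKey, FlowRecord]:
    """Aggregate records per flow so a flow split across samples is compared once."""
    merged: Dict[FlowKey, FlowRecord] = {}
    for rec in records:
        prev = merged.get(rec.key)
        if prev is None:
            merged[rec.key] = rec
        else:
            merged[rec.key] = FlowRecord(*rec.key,
                                         packets=prev.packets + rec.packets,
                                         octets=prev.octets + rec.octets)
    return merged


def compare_monitor_data(os_records: Iterable[FlowRecord],
                         hw_records: Iterable[FlowRecord],
                         octet_tolerance: int = 0) -> List[Discrepancy]:
    """Return every flow on which the OS view and the hardware view disagree.

    octet_tolerance (assumed, not in the patent) absorbs small byte-count skew
    from the two monitors sampling at slightly different instants; packet
    counts must match exactly.
    """
    os_idx = index_flows(os_records)
    hw_idx = index_flows(hw_records)
    findings: List[Discrepancy] = []
    for key in sorted(set(os_idx) | set(hw_idx)):
        os_rec, hw_rec = os_idx.get(key), hw_idx.get(key)
        if os_rec is None:
            findings.append(Discrepancy("hidden_flow", key, None, hw_rec))
        elif hw_rec is None:
            findings.append(Discrepancy("phantom_flow", key, os_rec, None))
        elif (os_rec.packets != hw_rec.packets
              or abs(os_rec.octets - hw_rec.octets) > octet_tolerance):
            findings.append(Discrepancy("counter_mismatch", key, os_rec, hw_rec))
    return findings


def malware_indicated(findings: List[Discrepancy]) -> bool:
    """Claim 10's rule: any mismatch between the two views indicates malware."""
    return bool(findings)


# Constructed sample data: both monitors saw the HTTPS and DNS flows, but a
# third flow appears only in the hardware view, as it would if something in
# the OS filtered it out of the OS's own capture path.
OS_VIEW = [
    FlowRecord("10.0.0.5", "198.51.100.20", 51000, 443, "tcp", 120, 98000),
    FlowRecord("10.0.0.5", "10.0.0.53", 40001, 53, "udp", 2, 180),
]
HW_VIEW = OS_VIEW + [
    FlowRecord("10.0.0.5", "203.0.113.9", 51234, 443, "tcp", 30, 2400),
]


def demo() -> List[Discrepancy]:
    findings = compare_monitor_data(OS_VIEW, HW_VIEW)
    for f in findings:
        print(f"{f.kind}: {f.key}")
    print("malware indicated:", malware_indicated(findings))
    return findings


if __name__ == "__main__":
    demo()
```

Two points the claims leave open matter in practice: the two monitors must cover the same capture window, or ordinary timing skew will produce counter mismatches that look like hiding (hence the tolerance parameter); and the comparison and the alert are only as trustworthy as the environment they run in, so if the compare step itself runs inside the operating system, the same malware that hides traffic from the first monitor can also suppress the result.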
24 Claims
1. (Independent claim; text as given under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A method of detecting malware, comprising:
- monitoring network traffic of a programmable device in an environment controlled by an operating system for the programmable device, producing a first monitor data;
- monitoring network traffic of the programmable device in a cryptographically secured hardware environment of the programmable device not controlled by the operating system, producing a second monitor data;
- comparing the first monitor data with the second monitor data; and
- indicating the presence of malware if the first monitor data does not match the second monitor data.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18, 19.
20. A programmable device, comprising:
- a processor;
- an operating system, comprising instructions that when executed by the processor control the processor and provide an operating system environment for other software to execute on the processor;
- an intrusion detection software, comprising instructions that when executed by the processor in the operating system environment cause the processor to record network traffic of the programmable device as a first monitor data; and
- a cryptographically secured hardware environment configured to record network traffic of the programmable device as a second monitor data, wherein the cryptographically secured hardware environment is outside of the operating system environment;
wherein the programmable device is configured to:
- compare the first monitor data with the second monitor data; and
- generate an alert if the first monitor data is not the same as the second monitor data.
Dependent claims: 21, 22, 23, 24.