Rootkit detection by using HW resources to detect inconsistencies in network traffic

US 9,197,654 B2
Filed: 06/28/2013
Issued: 11/24/2015
Est. Priority Date: 06/28/2013
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer readable medium with instructions stored thereon, the instructions comprising instructions that when executed cause a programmable device to:

monitor network traffic of the programmable device in an environment controlled by an operating system of the programmable device, producing a first monitor data;

monitor network traffic of the programmable device in a cryptographically secured hardware environment of the programmable device not controlled by the operating system, producing a second monitor data;

compare the first monitor data with the second monitor data; and

indicate whether the first monitor data is the same as the second monitor data.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique allows detection of covert malware that attempts to hide network traffic. By monitoring network traffic both in a secure trusted environment and in an operating system environment, then comparing the monitor data, attempts to hide network traffic can be detected, allowing the possibility of performing rehabilitative actions on the computer system to locate and remove the malware hiding the network traffic.

Citations

24 Claims

1. A non-transitory computer readable medium with instructions stored thereon, the instructions comprising instructions that when executed cause a programmable device to:
- monitor network traffic of the programmable device in an environment controlled by an operating system of the programmable device, producing a first monitor data;
  
  monitor network traffic of the programmable device in a cryptographically secured hardware environment of the programmable device not controlled by the operating system, producing a second monitor data;
  
  compare the first monitor data with the second monitor data; and
  
  indicate whether the first monitor data is the same as the second monitor data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The non-transitory computer readable medium of claim 1, wherein the instructions that when executed cause the programmable device to compare the first monitor data with the second monitor data comprise instructions that when executed cause the programmable device to:
    - send the first monitor data from the environment controlled by the operating system to the cryptographically secured hardware environment; and
      
      compare the first monitor data with the second monitor data in the cryptographically secured hardware environment.
  - 3. The non-transitory computer readable medium of claim 1, wherein the instructions that when executed cause the programmable device to compare the first monitor data with the second monitor data comprise instructions that when executed cause the programmable device to:
    - send the second monitor data from the cryptographically secured hardware environment to the environment controlled by the operating system; and
      
      compare the first monitor data with the second monitor data in the environment controlled by the operating system.
  - 4. The non-transitory computer readable medium of claim 1, wherein the instructions that when executed cause the programmable device to compare the first monitor data with the second monitor data comprise instructions that when executed cause the programmable device to:
    - send the first monitor data and the second monitor data to an external facility; and
      
      compare the first monitor data with the second monitor data in the external facility.
  - 5. The non-transitory computer readable medium of claim 1, wherein the instructions stored thereon further comprise instructions that when executed cause the programmable device to:
    - generate an alert indicating the presence of malware on the programmable device.
  - 6. The non-transitory computer readable medium of claim 1, wherein the instructions that when executed cause the programmable device to compare the first monitor data with the second monitor data comprise instructions that when executed cause the programmable device to:
    - limit the comparison by an exclude list.
  - 7. The non-transitory computer readable medium of claim 1, wherein the instructions stored thereon further comprise instructions that when executed cause the programmable device to generate a malware alert in the operating system environment or the cryptographically secured hardware environment.
  - 8. The non-transitory computer readable medium of claim 7, wherein the instructions that when executed cause the programmable device to generate a malware alert in the operating system environment or the cryptographically secured hardware environment comprise instructions for sending the malware alert via a network.
  - 9. The non-transitory computer readable medium of claim 1, wherein the instructions stored thereon further comprise instructions that when executed cause the programmable device to:
    - quarantine the programmable device.

10. A method of detecting malware, comprising:
- monitoring network traffic of a programmable device in an environment controlled by an operating system for the programmable device, producing a first monitor data;
  
  monitoring network traffic of the programmable device in a cryptographically secured hardware environment of the programmable device not controlled by the operating system, producing a second monitor data;
  
  comparing the first monitor data with the second monitor data; and
  
  indicating the presence of malware if the first monitor data does not match the second monitor data.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 11. The method of claim 10, wherein monitoring network traffic of a programmable device in an environment controlled by an operating system for the programmable device comprises:
    - monitoring network traffic in an intrusion detection system executing under control by the operating system.
  - 12. The method of claim 10, further comprising:
    - loading firmware for execution in the cryptographically secured hardware environment at powerup of the programmable device.
  - 13. The method of claim 10, wherein comparing the first monitor data with the second monitor data comprises:
    - sending the first monitor data to the cryptographically secured hardware environment; and
      
      comparing the first monitor data with the second monitor data in the cryptographically secured hardware environment.
  - 14. The method of claim 10, further comprising:
    - quarantining the programmable device responsive to the indication of the presence of malware.
  - 15. The method of claim 10, wherein comparing the first monitor data with the second monitor data comprises:
    - sending the second monitor data to an intrusion detection system executing under control by the operating system; and
      
      comparing the first monitor data with the second monitor data by the intrusion detection system.
  - 16. The method of claim 10, wherein comparing the first monitor data with the second monitor data comprises:
    - sending the first monitor data from the cryptographically secured hardware environment to an external facility for comparison with the second monitor data; and
      
      sending the second monitor data from the intrusion detection system to the external facility for comparison with the first monitor data.
  - 17. The method of claim 16, wherein indicating the presence of malware comprises:
    - receiving an alert generated by the external facility.
  - 18. The method of claim 10, wherein indicating the presence of malware comprises:
    - displaying an alert indicating the presence of malware.
  - 19. The method of claim 10, wherein the first monitor data and the second monitor data comprise network flow data.

20. A programmable device, comprising:
- a processor;
  
  an operating system, comprising instructions that when executed by the processor control the processor and provide an operating system environment for other software to execute on the processor;
  
  an intrusion detection software, comprising instructions that when executed by the processor in the operating system environment cause the processor to;
  
  record network traffic of the programmable device as a first monitor data; and
  
  a cryptographically secured hardware environment configured to record network traffic of the programmable device as a second monitor data, wherein the cryptographically secured hardware environment is outside of the operating system environment;
  
  wherein the programmable device is configured to;
  
  compare the first monitor data with the second monitor data; and
  
  generate an alert if the first monitor data is not the same as the second monitor data.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The programmable device of claim 20, wherein the first monitor data and the second monitor data comprise network flow data.
  - 22. The programmable device of claim 20,wherein intrusion detection system further comprises instructions that when executed by the processor in the operating system environment cause the processor to:
    - request the second monitor data from the cryptographically secured hardware environment; and
      
      compare the first monitor data with the second monitor data by the intrusion detection system in the operating system environment.
  - 23. The programmable device of claim 20, wherein the intrusion detection software is configured to cause the process to record network traffic continuously.
  - 24. The programmable device of claim 20, wherein the programmable device is configured to compare the first monitor data and the second monitor data periodically.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Ben-Shalom, Omer, Nayshtut, Alex, Muttik, Igor
Primary Examiner(s)
HERZOG, MADHURI R

Application Number

US13/931,705
Publication Number

US 20150007316A1
Time in Patent Office

879 Days
Field of Search

726 22- 25, 713187-188, 709217-229
US Class Current

1/1
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

G06F 21/55   Detecting local intrusion o...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/556   involving covert channels, ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/12   Applying verification of th...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

H04L 63/16   Implementing security featu...

Rootkit detection by using HW resources to detect inconsistencies in network traffic

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Rootkit detection by using HW resources to detect inconsistencies in network traffic

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links