Systems, methods, and apparatuses for intrusion detection and analytics using power characteristics such as side-channel information collection

US 9,268,938 B1
Filed: 05/22/2015
Issued: 02/23/2016
Est. Priority Date: 05/22/2015
Status: Active Grant

First Claim

Patent Images

1. An apparatus, comprising:

a probe configured to capture side-channel information relating to an operation status of a target device, the probe in a permanently fixed position relative to the target device during a life span of anomaly detection on the target device;

a fixture, configured to fixedly hold the probe such that the probe is in a permanently fixed position relative to the target device;

a processor, communicatively coupled to the probe, configured to;

process the side-channel information to extract a first characteristic of the side-channel information,retrieve previously-stored reference side-channel information having a second characteristic and representing a normal activity of the target device,compare the first characteristic with the second characteristic to determine an anomaly of the target device, andsend to a user interface an alert indicative of the anomaly based on the first characteristic and the second characteristic.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some embodiments described herein include a system that collects and learns reference side-channel normal activity, process it to reveal key features, compares subsequent collected data and processed data for anomalous behavior, and reports such behavior to a management center where this information is displayed and predefine actions can be executed when anomalous behavior is observed. In some instances, a physical side channel (e.g. and indirect measure of program execution such as power consumption or electromagnetic emissions and other physical signals) can be used to assess the execution status in a processor or digital circuit using an external monitor and detect, with extreme accuracy, when an unauthorized execution has managed to disrupt the normal operation of a target system (e.g., a computer system, etc.).

Citations

20 Claims

1. An apparatus, comprising:
- a probe configured to capture side-channel information relating to an operation status of a target device, the probe in a permanently fixed position relative to the target device during a life span of anomaly detection on the target device;
  
  a fixture, configured to fixedly hold the probe such that the probe is in a permanently fixed position relative to the target device;
  
  a processor, communicatively coupled to the probe, configured to;
  
  process the side-channel information to extract a first characteristic of the side-channel information,retrieve previously-stored reference side-channel information having a second characteristic and representing a normal activity of the target device,compare the first characteristic with the second characteristic to determine an anomaly of the target device, andsend to a user interface an alert indicative of the anomaly based on the first characteristic and the second characteristic.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The apparatus of claim 1, wherein the fixture includes an integrated circuit socket on the target device to hold a sensor of the probe, the fixture is a part of a board of the target device.
  - 3. The apparatus of claim 1, wherein the fixture includes a mechanical fastener attached to any of a chip, a circuit board or a case of the target device, to hold the probe in an intended location.
  - 4. The apparatus of claim 1, wherein the fixture includes a customized chassis or a customized cover of the target device including a coupler that is configured to fix the probe on the target device.
  - 5. The apparatus of claim 1, further comprising:
    - a matrix of a plurality of probes including the probe, the plurality of probes being spatially distributed.
  - 6. The apparatus of claim 1, further comprising:
    - a matrix of a plurality of probes including the probe, the plurality of probes being spatially distributed, the plurality of probes being operably reconfigurable during anomaly detection of the target device.
  - 7. The apparatus of claim 1, wherein:
    - the target device includes a target circuit chip; and
      
      the probe is included in the target circuit chip.

8. An apparatus, comprising:
- a circuit anomaly detector configured to monitor a change of state in a pin of a target circuit chip that indicates that a reprogrammable component on the target circuit chip is reprogrammed from initial manufacture to end of operation of the target circuit chip; and
  
  a notification processor communicatively coupled to the circuit anomaly detector, configured to transmit a notification message including a representation of the change of state, to an entity designated to respond to a detected anomaly.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 9. The apparatus of claim 8, wherein the circuit anomaly detector includes any of an electromagnetic sensor or a direct circuit connection to the target circuit chip.
  - 10. The apparatus of claim 8, wherein the reprogrammable component includes any of a FLASH memory unit, a field programmable gate array (FPGA), or a basic input/output system (BIOS).
  - 11. The apparatus of claim 8, wherein the notification message is presented to a user via a user interface.
  - 12. The apparatus of claim 8, wherein the notification message is transmitted to a module instantiated with the target circuit chip, the module designated to respond to the detected anomaly.
  - 13. The apparatus of claim 8, wherein:
    - the circuit anomaly detector is configured to monitor a plurality of changes of state in the pin of the target circuit chip, each change of state from the plurality of changes of state being uniquely associated with a time from a plurality of times,the notification processor configured to transmit a notification message based on the plurality of changes of state.
  - 14. The apparatus of claim 8, wherein the circuit anomaly detector includes any of an electromagnetic sensor in the target circuit chip.
  - 15. The apparatus of claim 8, wherein the notification message is sent to a response circuit in the target circuit chip to trigger remediation in response to the detected anomaly.
  - 16. The apparatus of claim 8, wherein the notification message is sent to a response circuit in the target circuit chip to trigger remediation to a known state in the pin of the target circuit chip in response to the detected anomaly.
  - 17. The apparatus of claim 8, further comprising:
    - a matrix of a plurality of probes configured to measure the change of state in the pin of the target circuit chip,output of the plurality of probes being sent to the circuit anomaly detector.
  - 18. The apparatus of claim 8, further comprising:
    - a matrix of a plurality of probes configured to measure the change of state in the pin of the target circuit chip,output of the plurality of probes being sent to the circuit anomaly detector,the plurality of probes being operably reconfigurable during anomaly detection of the target circuit chip.

19. An apparatus comprising:
- a circuit anomaly detector configured to monitor a change of state in a in of a target circuit chip that indicates that a reprogrammable component on the target circuit chip is reprogrammed, the target circuit chip including firmware,the change of state in the pin of the target circuit chip associated with a patch for the firmware, anda notification processor communicatively coupled to the circuit anomaly detector, configured to transmit a notification message to an entity designated to respond to a detected anomaly,the notification message indicating that the change of state is associated with the patch.

20. An apparatus comprising:
- a circuit anomaly detector configured to monitor a first change of state in a pin of a target circuit chip at a first time that indicates that a reprogrammable component on the target circuit chip is reprogrammed; and
  
  the circuit anomaly detector is configured to monitor a second change of state in the pin of the target circuit chip at a second time after the first time,a notification processor communicatively coupled to the circuit anomaly detector, configured to transmit a notification message including a representation of the change of state, to an entity designated to respond to a detected anomaly,the notification message including a time-related performance parameter of the target circuit chip based on the first change of state and the second change of state.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Power Fingerprinting Inc.
Original Assignee
Power Fingerprinting Inc.
Inventors
Aguayo Gonzalez, Carlos R., Reed, Jeffrey H., Chen, Steven C.
Primary Examiner(s)
Schwartz, Darren B

Application Number

US14/720,497
Time in Patent Office

277 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G01R 1/0408   Test fixtures or contact fi...

G01R 21/00   Arrangements for measuring ...

G01R 31/2832   Specific tests of electroni...

G01R 31/2886   Features relating to contac...

G01R 31/2887   involving moving the probe ...

G01R 31/2891   related to sensing or contr...

G01R 31/2893   Handling, conveying or load...

G06F 21/32   using biometric data, e.g. ...

G06F 21/552   involving long-term monitor...

G06F 21/755   with measures against power...

G06F 2221/034   Test or assess a computer o...

Systems, methods, and apparatuses for intrusion detection and analytics using power characteristics such as side-channel information collection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems, methods, and apparatuses for intrusion detection and analytics using power characteristics such as side-channel information collection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links