Unsupervised detection of anomalous processes using hardware features
First Claim
1. A method for unsupervised anomaly-based malware detection using hardware features, the method comprising:
- obtaining current hardware performance data, including hardware performance time-varying counter data, for a hardware device executing a first process associated with recorded hardware performance data representative of the first process' normal behavior;
- identifying a set of hardware performance data from the obtained current hardware performance data based at least on a quantitative measure of how effective one or more features associated with the current hardware performance data can discriminate between hardware performance data obtained during clean execution of a victim process and hardware performance data obtained during infected execution of the victim process, wherein the quantitative measures are computed for both an exploitation stage and a take-over stage of a multi-stage malware infection that hijacks control of the victim process, and wherein the quantitative measures taken at both the exploitation stage and the take-over stage enable the determination of which features are most useful in differentiating clean execution for the victim process from infected execution of the victim process;
- aggregating the identified set of hardware performance data;
- transforming the aggregated set of hardware performance data based on one or more transform functions, the transforming the aggregated set of hardware performance data comprising deriving a normalized hardware performance value, normalized_i, for an event i, from hardware performance data value, raw_i, for the event i, according to;
Abstract
Disclosed are devices, systems, apparatus, methods, products, media and other implementations, including a method that includes obtaining current hardware performance data, including hardware performance counter data, for a hardware device executing a first process associated with pre-recorded hardware performance data representative of the first process' normal behavior, and determining whether a malicious process is affecting performance of the first process based on a determination of an extent of deviation of the obtained current hardware performance data corresponding to the first process from the pre-recorded hardware performance data representative of the normal behavior of the first process.
14 Claims
1. A method for unsupervised anomaly-based malware detection using hardware features, the method comprising:
- obtaining current hardware performance data, including hardware performance time-varying counter data, for a hardware device executing a first process associated with recorded hardware performance data representative of the first process' normal behavior;
- identifying a set of hardware performance data from the obtained current hardware performance data based at least on a quantitative measure of how effective one or more features associated with the current hardware performance data can discriminate between hardware performance data obtained during clean execution of a victim process and hardware performance data obtained during infected execution of the victim process, wherein the quantitative measures are computed for both an exploitation stage and a take-over stage of a multi-stage malware infection that hijacks control of the victim process, and wherein the quantitative measures taken at both the exploitation stage and the take-over stage enable the determination of which features are most useful in differentiating clean execution for the victim process from infected execution of the victim process;
- aggregating the identified set of hardware performance data;
- transforming the aggregated set of hardware performance data based on one or more transform functions, the transforming the aggregated set of hardware performance data comprising deriving a normalized hardware performance value, normalized_i, for an event i, from hardware performance data value, raw_i, for the event i, according to;

Dependent claims: 2, 3, 4, 5, 6, 7, 14.

8. A system for unsupervised anomaly-based malware detection using hardware features, the system comprising:
- a hardware device executing a first process; and
- an antivirus engine in communication with the hardware device, the antivirus engine configured to:
  - obtain current hardware performance data, including hardware performance time-varying counter data, for the hardware device executing the first process, the first process associated with recorded hardware performance data representative of the first process' normal behavior;
  - select one or more features based on respective computed one or more scores representative of a quantitative measure of how effective one or more features associated with the current hardware performance data can discriminate between hardware performance data obtained during clean execution of a victim process and hardware performance data obtained during infected execution of the victim process, wherein the quantitative measures are computed for both an exploitation stage and a take-over stage of a multi-stage malware infection that hijacks control of the victim process, and wherein the quantitative measures taken at both the exploitation stage and the take-over stage enable the determination of which features are most useful in differentiating clean execution for the victim process from infected execution of the victim process;
  - select performance data from the current hardware performance data only for the selected one or more features;
  - aggregate the selected hardware performance data according to a sampling duration;
  - transform the aggregated hardware performance data based on one or more transform functions, the transforming the aggregated hardware performance data comprising deriving a normalized hardware performance value, normalized_i, for an event i, from hardware performance data value, raw_i, for the event i, according to;

Dependent claims: 9, 10.

11. A non-transitory computer readable media storing a set of instructions executable on at least one programmable device that, when executed, causes operations comprising:
- obtaining current hardware performance data, including hardware performance time-varying counter data, for a hardware device executing a first process associated with recorded hardware performance data representative of the first process' normal behavior;
- selecting one or more features based on respective computed one or more scores representative of a quantitative measure of how effective one or more features associated with the current hardware performance data can discriminate between hardware performance data obtained during clean execution of a victim process and hardware performance data obtained during infected execution of the victim process, wherein the quantitative measures are computed for both an exploitation stage and a take-over stage of a multi-stage malware infection that hijacks control of the victim process, and wherein the quantitative measures taken at both the exploitation stage and the take-over stage enable the determination of which features are most useful in differentiating clean execution for the victim process from infected execution of the victim process;
- obtaining performance data from the current hardware performance data only for the selected one or more features;
- aggregating the current hardware performance data according to a sampling duration;
- transforming the aggregated hardware performance data based on one or more transform functions, the transforming the aggregated hardware performance data comprising deriving a normalized hardware performance value, normalized_i, for an event i, from hardware performance data value, raw_i, for the event i, according to;

Dependent claims: 12.

13. An apparatus for unsupervised anomaly-based malware detection using hardware features, the apparatus comprising:
- a hardware device executing a first process;
- an antivirus engine in communication with the hardware device, the antivirus engine configured to:
  - obtain current hardware performance data, including hardware performance counter data, for the hardware device executing a first process associated with recorded hardware performance data representative of the first process' normal behavior;
  - select one or more features based on respective computed one or more scores representative of a quantitative measure of how effective one or more features associated with the current hardware performance data can discriminate between hardware performance data obtained during clean execution of a victim process and hardware performance data obtained during infected execution of the victim process, wherein the quantitative measures are computed for both an exploitation stage and a take-over stage of a multi-stage malware infection that hijacks control of the victim process, and wherein the quantitative measures taken at both the exploitation stage and the take-over stage enable the determination of which features are most useful in differentiating clean execution for the victim process from infected execution of the victim process;
  - obtain performance data from the current hardware performance data only for the selected one or more features;
  - aggregate the current hardware performance data according to a sampling duration;
  - transform the aggregated hardware performance data based on one or more transform functions, the transforming the aggregated hardware performance data comprising deriving a normalized hardware performance value, normalized_i, for an event i, from hardware performance data value, raw_i, for the event i, according to;
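The four independent claims above (1, 8, 11 and 13) all describe one pipeline: sample hardware performance counters for a process over time, keep only the events whose scores show they separate clean from infected execution at both the exploitation and take-over stages, aggregate the kept counters over a sampling duration, normalize them, and (per the abstract) judge how far the result deviates from the process' recorded normal behavior. The following Python is an added example written for this page, not the patent's or its assignee's code, and it also carries the abstract's deviation decision through to a verdict. Everything it fixes that the page leaves open is an assumption: the discriminability score (Fisher score), the normalization (a z-score against the clean baseline; the claims' own formula is not reproduced on this page), the root-mean-square deviation measure, the threshold of 3, the one-count floor on baseline spread, and the event names and counter values, which are constructed.

```python
"""Added example (not the patent's own code): a minimal version of the
claimed pipeline on constructed hardware-counter data.  Labelled
clean/infected traces from two attack stages are used offline to pick
discriminative events; at run time only the clean baseline is needed."""
from __future__ import annotations

import math
from statistics import mean, pstdev
from typing import Dict, List, Sequence

Sample = Dict[str, float]   # one counter reading per event
Trace = List[Sample]        # time-ordered readings for one process

# Constructed stand-ins for PMU event names; real names are platform specific.
EVENTS = ("branch_misses", "itlb_misses", "llc_misses", "instructions")


def make_trace(n: int, **levels: float) -> Trace:
    """Constructed trace: each event jitters deterministically around a level."""
    return [{e: v + ((i * 7) % 5) - 2 for e, v in levels.items()} for i in range(n)]


def fisher_score(clean: Sequence[float], infected: Sequence[float]) -> float:
    """Assumed discriminability measure (the page names none): Fisher score,
    squared separation of the class means over their pooled variance."""
    sep = (mean(clean) - mean(infected)) ** 2
    return sep / (pstdev(clean) ** 2 + pstdev(infected) ** 2 + 1e-9)


def select_features(stages: Dict[str, tuple], k: int) -> List[str]:
    """stages maps a stage name ("exploitation", "take_over") to a
    (clean_trace, infected_trace) pair.  An event's score is its best score
    over the stages (assumption), so an event useful in either stage is kept."""
    scores = {}
    for ev in EVENTS:
        scores[ev] = max(
            fisher_score([s[ev] for s in clean], [s[ev] for s in infected])
            for clean, infected in stages.values()
        )
    ranked = sorted(EVENTS, key=lambda ev: scores[ev], reverse=True)
    return ranked[:k]


def aggregate(trace: Trace, features: Sequence[str], window: int) -> Trace:
    """Keep only the selected events and sum them over each `window`
    consecutive samples (the sampling duration); an incomplete tail is dropped."""
    out = []
    for start in range(0, len(trace) - window + 1, window):
        chunk = trace[start:start + window]
        out.append({f: sum(s[f] for s in chunk) for f in features})
    return out


class Baseline:
    """Per-event mean and spread of a process's clean, aggregated counters."""

    def __init__(self, clean_windows: Trace, features: Sequence[str]):
        self.features = list(features)
        self.mu = {f: mean(w[f] for w in clean_windows) for f in features}
        # Floor the spread at one count so an event that never varied in the
        # baseline cannot turn every small change into a huge z-score (assumption).
        self.sd = {f: max(pstdev([w[f] for w in clean_windows]), 1.0) for f in features}

    def normalize(self, window: Sample) -> Dict[str, float]:
        """Assumed transform (the claims' formula is not on the page):
        normalized_i = (raw_i - mean_i) / sd_i."""
        return {f: (window[f] - self.mu[f]) / self.sd[f] for f in self.features}

    def deviation(self, window: Sample) -> float:
        """Root-mean-square distance from normal over the selected events."""
        z = self.normalize(window)
        return math.sqrt(mean(v * v for v in z.values()))


def detect(baseline: Baseline, windows: Trace, threshold: float = 3.0) -> List[bool]:
    """True for each window whose deviation exceeds `threshold` (an assumed
    cutoff; in practice tuned per process on clean validation data)."""
    return [baseline.deviation(w) > threshold for w in windows]


def run_demo() -> dict:
    """Build constructed traces, run the whole pipeline, return its verdicts."""
    n, window = 12, 3
    clean = dict(branch_misses=100, itlb_misses=20, llc_misses=50, instructions=10_000)
    # Constructed: the infected exploitation-stage trace raises iTLB misses,
    # the infected take-over-stage trace raises LLC misses; nothing else moves.
    exploit_inf = dict(clean, itlb_misses=80)
    takeover_inf = dict(clean, llc_misses=200)
    stages = {
        "exploitation": (make_trace(n, **clean), make_trace(n, **exploit_inf)),
        "take_over": (make_trace(n, **clean), make_trace(n, **takeover_inf)),
    }
    features = select_features(stages, k=2)
    baseline = Baseline(aggregate(make_trace(n, **clean), features, window), features)
    clean_run = aggregate(make_trace(n, **clean), features, window)
    infected_run = aggregate(make_trace(n, **takeover_inf), features, window)
    return {
        "features": features,
        "clean_flags": detect(baseline, clean_run),
        "infected_flags": detect(baseline, infected_run),
    }


if __name__ == "__main__":
    print(run_demo())
```

The infected traces are consumed only by `select_features`; `Baseline` and `detect` see clean data alone, which is what makes the run-time detector unsupervised in the claims' sense. Scoring at both stages matters because an event that separates the classes during the initial exploit (here `itlb_misses`) can be silent once control has been hijacked (here `llc_misses` takes over), so ranking on one stage alone would drop a useful event. Counter readings drift with workload, input and microarchitecture, so the spread floor and the threshold both need to be set per monitored process and per platform rather than reused.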
Specification