Detecting Software Attacks By Monitoring Electric Power Consumption Patterns
Abstract
Software attacks such as worms and viruses are detected in an electronic device by monitoring power consumption patterns. In a first embodiment, software attacks are detected by an increase in power consumption. The increased power consumption can be caused by increased network traffic, or by increased activity in the microprocessor. Monitoring power consumption is particularly effective for detecting DOS/flooding attacks when the electronic device is in an idle state. In a second embodiment, a power consumption signal is converted to the frequency domain (e.g., by fast Fourier transform). The highest amplitude frequencies are identified. Specific software attacks produce characteristic frequencies in the power consumption signal. Software attacks are therefore detected by matching the highest amplitude frequencies with frequencies associated with specific worms and viruses. Identification of a particular software attack typically requires matching of 3 or more of the highest amplitude frequencies, and, optionally, amplitude information.
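The second embodiment in the abstract, as an added example that is not taken from the patent: a constructed power trace is converted to the frequency domain, its three highest-amplitude frequencies are extracted, and a signature is reported only when at least three of its frequencies match. The sample rate, tolerance, signature names and frequencies are assumptions made up for illustration, and a plain DFT stands in for the FFT so the block needs only the standard library.

```python
import cmath
import math

def dominant_frequencies(samples, sample_rate_hz, k=3):
    """Return the k highest-amplitude frequencies (Hz) of a power trace."""
    n = len(samples)
    mean = sum(samples) / n
    centered = [s - mean for s in samples]        # drop the DC (average power) term
    amplitudes = []
    for b in range(1, n // 2):                    # naive DFT, bins below Nyquist
        acc = sum(x * cmath.exp(-2j * math.pi * b * i / n)
                  for i, x in enumerate(centered))
        amplitudes.append((2 * abs(acc) / n, b * sample_rate_hz / n))
    amplitudes.sort(reverse=True)                 # strongest component first
    return [freq for _, freq in amplitudes[:k]]

def match_signature(peaks_hz, signature_db, tol_hz=1.0, min_matches=3):
    """Name the signature sharing >= min_matches frequencies with the peaks."""
    best_name, best_hits = None, 0
    for name, sig_freqs in signature_db.items():
        hits = sum(any(abs(f - p) <= tol_hz for p in peaks_hz) for f in sig_freqs)
        if hits >= min_matches and hits > best_hits:
            best_name, best_hits = name, hits
    return best_name                              # None when nothing reaches min_matches

def synth_trace(freq_amps, n=256, sample_rate_hz=256, baseline=1.0):
    """Constructed power trace: baseline draw plus sinusoidal components."""
    return [baseline + sum(a * math.sin(2 * math.pi * f * i / sample_rate_hz)
                           for f, a in freq_amps)
            for i in range(n)]

# Constructed signature database; names and frequencies are placeholders.
SIGNATURE_DB = {
    "sample-worm-A": [12.0, 37.0, 90.0],
    "sample-worm-B": [12.0, 55.0, 101.0],
}

if __name__ == "__main__":
    # Constructed trace: three strong components plus one weak 5 Hz component.
    trace = synth_trace([(12, 0.30), (37, 0.20), (90, 0.15), (5, 0.02)])
    peaks = dominant_frequencies(trace, 256, k=3)
    print(peaks, match_signature(peaks, SIGNATURE_DB))
```

A trace that shares only two frequencies with a signature returns `None`, which is the reason the abstract asks for three or more matching frequencies before naming a specific attack.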
31 Claims
1. An information processing electronic device capable of detecting undesired software, comprising:
   a) a sensor for detecting an amount of electrical power or current consumed by the electronic device;
   b) a threshold detector for comparing the detected electrical power or current to a threshold value, and for indicating that undesired software may be present when the threshold value is exceeded.
   Dependent claims: 2, 3

4. A method for detecting undesired software in an information processing electronic device, the method comprising the steps of:
   a) detecting an amount of electrical power or current consumed by the electronic device;
   b) comparing the detected electrical power or current to a threshold value, and
   c) indicating that undesired software may be present when the threshold value is exceeded.
   Dependent claims: 5, 6, 7, 8, 9

10. An information processing electronic device capable of detecting undesired software, the electronic device comprising:
   a) a sensor for detecting a power consumption signal representing power or current consumed by the electronic device;
   b) a detector for detecting a frequency signature of the power consumption signal; and
   c) a comparator for comparing the detected frequency signature to a database of frequency signatures associated with undesired software.
   Dependent claims: 11, 12, 13, 14

15. A method for detecting undesired software in an information processing electronic device, the method comprising the steps of:
   a) detecting a frequency signature of a power consumption signal representing electrical power or current consumed by the electronic device; and
   b) comparing the detected frequency signature to a database of frequency signatures associated with undesired software.
   Dependent claims: 16, 17, 18, 19, 20, 21

22. An information processing electronic device capable of identifying a type of communication protocol used by undesired software, the electronic device comprising:
   a) a sensor for detecting a power consumption signature representing power or current consumed by the electronic device; and
   b) a comparator for comparing the detected power consumption signature to a power signature database, wherein the database associates power consumption signatures with types of communication protocols.
   Dependent claims: 23, 24, 25

26. A method for identifying a type of communication protocol active in an information processing electronic device, the method comprising the steps of:
   a) detecting a power consumption signature of electrical power or current consumed by the electronic device; and
   b) comparing the detected power consumption signature to a database associating power consumption signatures with types of communication protocols.
   Dependent claims: 27, 28, 29, 30, 31

Specification