Title: HARDENED EVENT COUNTERS FOR ANOMALY DETECTION
Abstract: A collection of techniques allows detection of covert malware that attempts to hide its existence on a system, by leveraging both trusted hardware event counters and the particular memory addresses (as well as the sequences of such addresses) of the instructions generating the suspected malicious activity. By monitoring the specific patterns of the address distribution over time, one can build a behavioral model (a "fingerprint") of a particular process and later attempt to match suspected malicious processes against the stored behavioral models. Whenever the actual measured behavior of a suspected malicious process fails to match the stored behavioral model (that is, differs from it by more than a predetermined threshold), the system or the system administrator may perform remedial actions on the computer system to locate and remove the malware hiding on it.
Publication number: US2016328561(A1)  Publication date: 2016.11.10
Application number: US201514707977  Filing date: 2015.05.08
Applicant: McAfee Inc.  Inventors (surname first, as listed): Tamir Eliezer; Kleen Andreas; Nayshtut Alex; Sukhomlinov Vadim; Muttik Igor; Louzoun Eliel
Classification (IPC): G06F21/56; G06F21/55  Main classification: G06F21/56
Agency: (none given)  Agent: (none given)
Independent claim 1. A non-transitory computer readable medium with instructions stored thereon, the instructions comprising instructions that, when executed, cause a computer system to:
    monitor a first set of hardware counters of the computer system over a first time period, producing first fingerprint data for each of one or more operating system processes;
    monitor the first set of hardware counters of the computer system over a second time period in a secure environment not controlled by the operating system of the computer system, producing first runtime data for each of the one or more operating system processes;
    compare the first runtime data for each of the one or more operating system processes with the first fingerprint data for the corresponding operating system process; and
    indicate whether the first runtime data for any of the one or more operating system processes differs by a predetermined threshold from the first fingerprint data for the corresponding operating system process.
Address: Santa Clara, CA, US
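Worked example of the fingerprint / runtime / threshold comparison that the abstract and claim 1 describe. This is an added illustration, not code from the patent, from McAfee, or from any product: the counter names, the per-quantum sampling layout, the binning of sampled instruction pointers by page, and the two distance measures (a per-counter z-score and the total-variation distance between instruction-page histograms) are all assumptions made for the example; the patent text names none of them. A real collector would read PMU counters and sampled instruction pointers from the claim's "secure environment not controlled by the operating system"; here every reading is constructed data.

```python
"""Per-process behavioural fingerprints built from hardware event counters.

Added example (assumptions: counter set, page binning, z-score and
total-variation metrics, thresholds). All samples below are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev

COUNTERS = ("instructions", "branch_misses", "llc_misses")  # assumed counter set
PAGE_SHIFT = 12   # bin sampled instruction pointers by 4 KiB page (assumption)
EPS = 1e-9        # keeps the z-score finite when a baseline counter never varied


@dataclass
class Sample:
    pid: int
    counters: dict   # counter name -> delta observed during one sampling quantum
    ip: int          # instruction pointer sampled at the end of the quantum


@dataclass
class Fingerprint:
    pid: int
    mean: dict       # per-counter mean of the baseline deltas
    std: dict        # per-counter population std-dev of the baseline deltas
    pages: dict      # page number -> fraction of baseline samples in that page


def page_histogram(samples):
    """Normalised histogram of which code pages the sampled IPs fell in."""
    counts = Counter(s.ip >> PAGE_SHIFT for s in samples)
    total = sum(counts.values())
    return {page: n / total for page, n in counts.items()}


def build_fingerprint(pid, samples):
    """First time period of claim 1: summarise one process's baseline."""
    own = [s for s in samples if s.pid == pid]
    if not own:
        raise ValueError(f"no baseline samples for pid {pid}")
    return Fingerprint(
        pid=pid,
        mean={c: mean(s.counters[c] for s in own) for c in COUNTERS},
        std={c: pstdev(s.counters[c] for s in own) for c in COUNTERS},
        pages=page_histogram(own),
    )


def total_variation(p, q):
    """0.0 when two page histograms agree, 1.0 when they share no page."""
    keys = set(p) | set(q)
    return 0.5 * sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in keys)


def compare(fp, runtime_samples, z_threshold=4.0, tv_threshold=0.3):
    """Second time period of claim 1: runtime data against the stored fingerprint.

    Returns per-counter z-scores, the page-histogram distance, and whether either
    exceeds its (assumed) predetermined threshold.
    """
    own = [s for s in runtime_samples if s.pid == fp.pid]
    if not own:
        raise ValueError(f"no runtime samples for pid {fp.pid}")
    z = {c: abs(mean(s.counters[c] for s in own) - fp.mean[c]) / (fp.std[c] + EPS)
         for c in COUNTERS}
    tv = total_variation(fp.pages, page_histogram(own))
    return {"z": z, "tv": tv,
            "anomalous": max(z.values()) > z_threshold or tv > tv_threshold}


def screen(fingerprints, runtime_samples, **thresholds):
    """Claim-1 comparison for every process seen at runtime. A process with no
    stored fingerprint cannot be matched and is reported with a reason."""
    results = {}
    for pid in sorted({s.pid for s in runtime_samples}):
        if pid in fingerprints:
            results[pid] = compare(fingerprints[pid], runtime_samples, **thresholds)
        else:
            results[pid] = {"anomalous": True, "reason": "no fingerprint"}
    return results


def _s(pid, instructions, branch_misses, llc_misses, ip):
    return Sample(pid, {"instructions": instructions, "branch_misses": branch_misses,
                        "llc_misses": llc_misses}, ip)


# Constructed data, not measurements. pid 1234 normally executes from its own
# text pages (0x401..., 0x402...) with about 50 branch misses per quantum.
BASELINE = [
    _s(1234, 1000, 50, 20, 0x401000), _s(1234, 1100, 60, 22, 0x401040),
    _s(1234,  900, 40, 18, 0x402000), _s(1234, 1000, 50, 20, 0x401080),
]
RUNTIME_CLEAN = [
    _s(1234, 1050, 55, 21, 0x401010), _s(1234,  950, 45, 19, 0x402010),
    _s(1234, 1000, 50, 20, 0x401020), _s(1234, 1000, 50, 20, 0x401030),
]
# Same process later: most samples land in an anonymous high-address region and
# branch misses triple, the kind of shift injected code would produce. pid 5678
# was never baselined.
RUNTIME_INJECTED = [
    _s(1234, 1000, 150, 20, 0x7f0000001000), _s(1234, 1000, 160, 20, 0x7f0000001100),
    _s(1234, 1000, 140, 20, 0x401000),       _s(1234, 1000, 150, 20, 0x7f0000001200),
    _s(5678,  800,  30, 10, 0x500000),
]

if __name__ == "__main__":
    fp = build_fingerprint(1234, BASELINE)
    for label, run in (("clean", RUNTIME_CLEAN), ("injected", RUNTIME_INJECTED)):
        print(label, screen({1234: fp}, run))
```

Two points a practitioner should carry over from the toy to a real deployment: the thresholds are per-counter and per-metric choices that must be tuned on the fingerprinting period itself, since a baseline counter with near-zero variance turns any drift into a huge z-score; and the comparison is only as trustworthy as the collector, which is why claim 1 requires the runtime measurement to be taken outside the operating system's control rather than by a kernel driver the malware could patch.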