-
Publication No.: US12248570B2
Publication date: 2025-03-11
Application No.: US17739930
Application date: 2022-05-09
Applicant: Intel Corporation
Inventor: Paul Carlson, Rahuldeva Ghosh, Baiju Patel, Zhong Chen
Abstract: The present disclosure is directed to systems and methods for detecting side-channel exploit attacks such as Spectre and Meltdown. Performance monitoring circuitry includes first counter circuitry to monitor CPU cache misses and second counter circuitry to monitor DTLB load misses. Upon detecting an excessive number of cache misses and/or load misses, the performance monitoring circuitry transfers the first and second counter circuitry data to control circuitry. The control circuitry determines a CPU cache miss to DTLB load miss ratio for each of a plurality of temporal intervals. The control circuitry then identifies, determines, and/or detects a pattern or trend in the CPU cache miss to DTLB load miss ratio. Upon detecting a deviation from the identified CPU cache miss to DTLB load miss ratio pattern or trend indicative of a potential side-channel exploit attack, the control circuitry generates an output to alert a system user or system administrator.
-
Publication No.: US11372972B2
Publication date: 2022-06-28
Application No.: US16233810
Application date: 2018-12-27
Applicant: Intel Corporation
Inventor: Paul Carlson, Rahuldeva Ghosh, Baiju Patel, Zhong Chen
Abstract: The present disclosure is directed to systems and methods for detecting side-channel exploit attacks such as Spectre and Meltdown. Performance monitoring circuitry includes first counter circuitry to monitor CPU cache misses and second counter circuitry to monitor DTLB load misses. Upon detecting an excessive number of cache misses and/or load misses, the performance monitoring circuitry transfers the first and second counter circuitry data to control circuitry. The control circuitry determines a CPU cache miss to DTLB load miss ratio for each of a plurality of temporal intervals. The control circuitry then identifies, determines, and/or detects a pattern or trend in the CPU cache miss to DTLB load miss ratio. Upon detecting a deviation from the identified CPU cache miss to DTLB load miss ratio pattern or trend indicative of a potential side-channel exploit attack, the control circuitry generates an output to alert a system user or system administrator.
-
Publication No.: US20190163900A1
Publication date: 2019-05-30
Application No.: US16246187
Application date: 2019-01-11
Applicant: Intel Corporation
Inventor: Zheng Zhang, Jason Martin, Justin Gottschlich, Abhilasha Bhargav-Spantzel, Salmin Sultana, Li Chen, Wei Li, Priyam Biswas, Paul Carlson
Abstract: Methods, systems, articles of manufacture and apparatus to detect process hijacking are disclosed herein. An example apparatus to detect control flow anomalies includes a parsing engine to compare a target instruction pointer (TIP) address to a dynamic link library (DLL) module list, and in response to detecting a match of the TIP address to a DLL in the DLL module list, set a first portion of a normalized TIP address to a value equal to an identifier of the DLL. The example apparatus disclosed herein also includes a DLL entry point analyzer to set a second portion of the normalized TIP address based on a comparison between the TIP address and an entry point of the DLL, and a model compliance engine to generate a flow validity decision based on a comparison between (a) the first and second portion of the normalized TIP address and (b) a control flow integrity model.
-
Publication No.: US11790087B2
Publication date: 2023-10-17
Application No.: US17132248
Application date: 2020-12-23
Applicant: Intel Corporation
Inventor: Deepak Kumar Mishra, Prajesh Ambili Rajendran, Taj un nisha N, Rahuldeva Ghosh, Paul Carlson, Zheng Zhang
CPC classification number: G06F21/566, G06F21/564, G06F21/568, G06N20/00
Abstract: A method comprises generating a first set of hardware performance counter (HPC) events that is ranked based on an ability of an individual HPC event to profile a malware class, generating a second set of HPC event combinations that is ranked based on an ability of a set of at least two joint HPC events to profile a malware class, generating a third set of extended HPC event combinations, profiling one or more malware events and one or more benign applications to obtain a detection accuracy parameter for each malware event, applying a machine learning model to rank the third set of HPC event combinations based on malware detection accuracy, and applying a genetic algorithm to the third set of HPC event combinations to identify a subset of the third set of extended combinations of HPC events to be used for malware detection and classification.
-
Publication No.: US20220335127A1
Publication date: 2022-10-20
Application No.: US17739930
Application date: 2022-05-09
Applicant: Intel Corporation
Inventor: Paul Carlson, Rahuldeva Ghosh, Baiju Patel, Zhong Chen
Abstract: The present disclosure is directed to systems and methods for detecting side-channel exploit attacks such as Spectre and Meltdown. Performance monitoring circuitry includes first counter circuitry to monitor CPU cache misses and second counter circuitry to monitor DTLB load misses. Upon detecting an excessive number of cache misses and/or load misses, the performance monitoring circuitry transfers the first and second counter circuitry data to control circuitry. The control circuitry determines a CPU cache miss to DTLB load miss ratio for each of a plurality of temporal intervals. The control circuitry then identifies, determines, and/or detects a pattern or trend in the CPU cache miss to DTLB load miss ratio. Upon detecting a deviation from the identified CPU cache miss to DTLB load miss ratio pattern or trend indicative of a potential side-channel exploit attack, the control circuitry generates an output to alert a system user or system administrator.
-
Publication No.: US11416603B2
Publication date: 2022-08-16
Application No.: US16246187
Application date: 2019-01-11
Applicant: Intel Corporation
Inventor: Zheng Zhang, Jason Martin, Justin Gottschlich, Abhilasha Bhargav-Spantzel, Salmin Sultana, Li Chen, Wei Li, Priyam Biswas, Paul Carlson
Abstract: Methods, systems, articles of manufacture and apparatus to detect process hijacking are disclosed herein. An example apparatus to detect control flow anomalies includes a parsing engine to compare a target instruction pointer (TIP) address to a dynamic link library (DLL) module list, and in response to detecting a match of the TIP address to a DLL in the DLL module list, set a first portion of a normalized TIP address to a value equal to an identifier of the DLL. The example apparatus disclosed herein also includes a DLL entry point analyzer to set a second portion of the normalized TIP address based on a comparison between the TIP address and an entry point of the DLL, and a model compliance engine to generate a flow validity decision based on a comparison between (a) the first and second portion of the normalized TIP address and (b) a control flow integrity model.
-
Publication No.: US20210110038A1
Publication date: 2021-04-15
Application No.: US17132248
Application date: 2020-12-23
Applicant: Intel Corporation
Inventor: Deepak Kumar Mishra, Prajesh Ambili Rajendran, Taj un nisha N, Rahuldeva Ghosh, Paul Carlson, Zheng Zhang
Abstract: A method comprises generating a first set of hardware performance counter (HPC) events that is ranked based on an ability of an individual HPC event to profile a malware class, generating a second set of HPC event combinations that is ranked based on an ability of a set of at least two joint HPC events to profile a malware class, generating a third set of extended HPC event combinations, profiling one or more malware events and one or more benign applications to obtain a detection accuracy parameter for each malware event, applying a machine learning model to rank the third set of HPC event combinations based on malware detection accuracy, and applying a genetic algorithm to the third set of HPC event combinations to identify a subset of the third set of extended combinations of HPC events to be used for malware detection and classification.