Detecting software attacks by monitoring electric power consumption patterns

Inventors

Jacoby, Grant A.; Davis, IV, Nathaniel J; Marchany, Randolph C.

Assignees

Virginia Tech Intellectual Properties Inc; Virginia Polytechnic Institute and State University; United States Department of the Army

Publication Number

US-7877621-B2

Publication Date

2011-01-25

Expiration Date

2025-06-24



Abstract

Software attacks such as worms and viruses are detected in an electronic device by monitoring power consumption patterns. In a first embodiment, software attacks are detected by an increase in power consumption. The increased power consumption can be caused by increased network traffic, or by increased activity in the microprocessor. Monitoring power consumption is particularly effective for detecting DOS/flooding attacks when the electronic device is in an idle state. In a second embodiment, a power consumption signal is converted to the frequency domain (e.g., by fast Fourier transform). The highest amplitude frequencies are identified. Specific software attacks produce characteristic frequencies in the power consumption signal. Software attacks are therefore detected by matching the highest amplitude frequencies with frequencies associated with specific worms and viruses. Identification of a particular software attack typically requires matching of 3 or more of the highest amplitude frequencies, and, optionally, amplitude information.

Core Innovation

The invention presents an apparatus and methods for detecting malicious software attacks, such as worms and viruses, in information processing electronic devices by monitoring electric power consumption patterns. The approach relies on interpretable changes in power usage, notably increases caused by abnormal system activities, to infer the presence of undesired software. A threshold-based comparison is used, where electrical power consumption in device components like the network interface circuit (NIC) and microprocessor is periodically or continuously measured against a dynamically adjustable threshold value.

A further innovation involves analyzing the frequency spectrum of power consumption signals. By converting power usage data to the frequency domain and extracting characteristic high-amplitude frequency components, the system can compare detected frequency signatures against a database of known signatures for specific software attacks. This method enhances detection capability by enabling identification of attacks based on empirically-determined frequency patterns that are unique per device type and attack.
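The frequency-signature matching described above, as an added example that is not code from the patent: it takes a power trace, finds the highest-amplitude frequencies with a plain DFT, and reports a signature only when 3 or more of its frequencies match. The sampling rate, the signature names and frequencies, the tolerance and the synthetic trace are all constructed assumptions.

```python
import cmath
import math

SAMPLE_RATE_HZ = 128   # assumed sampling rate of the power sensor
N_SAMPLES = 128        # one-second window, so DFT bin k corresponds to k Hz

# Constructed signature database (Hz). Real entries would be measured
# empirically per device type and attack, as the text describes.
SIGNATURES = {
    "sample-worm-A": [7, 19, 31, 44],
    "sample-virus-B": [5, 12, 27, 50],
}

def top_frequencies(samples, rate_hz, count=4):
    """Return the `count` highest-amplitude frequencies (Hz), DC excluded."""
    n = len(samples)
    mean = sum(samples) / n
    centered = [s - mean for s in samples]   # remove the baseline (DC) level
    amps = []
    for k in range(1, n // 2):               # naive DFT, one bin at a time
        acc = sum(x * cmath.exp(-2j * math.pi * k * i / n)
                  for i, x in enumerate(centered))
        amps.append((abs(acc), k * rate_hz / n))
    amps.sort(reverse=True)
    return sorted(freq for _, freq in amps[:count])

def identify(samples, rate_hz, min_matches=3, tol_hz=0.5):
    """Name the signature sharing >= min_matches peak frequencies, else None."""
    peaks = top_frequencies(samples, rate_hz)
    best_name, best_hits = None, 0
    for name, sig in SIGNATURES.items():
        hits = sum(any(abs(p - f) <= tol_hz for p in peaks) for f in sig)
        if hits >= min_matches and hits > best_hits:
            best_name, best_hits = name, hits
    return best_name

def synth_trace(freqs, base_ma=120.0):
    """Constructed current trace (mA): baseline plus one sinusoid per frequency."""
    return [base_ma + sum((10 - i) * math.sin(2 * math.pi * f * t / SAMPLE_RATE_HZ)
                          for i, f in enumerate(freqs))
            for t in range(N_SAMPLES)]
```

A trace sharing only two frequencies with a stored signature returns `None`, which is the effect of the 3-or-more matching rule on false positives.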

Additionally, power consumption signatures can be analyzed in the time domain to identify communication protocols used during network flooding attacks, further aiding in distinguishing the nature of the attack. The system leverages long-duration monitoring and pattern recognition, such as identifying signatures with continuous or intermittent plateaus corresponding to specific communication protocols, to provide insights into the type of network activity associated with malicious software.

The invention addresses the problem of protecting portable, battery-powered devices, especially those using wireless networks, from software attacks in a manner that does not significantly drain the battery or overload limited microprocessor resources—a key challenge faced by traditional antivirus and firewall techniques. The presented low-power, reliable, and simple detection method is designed to be particularly applicable in these constrained environments.

Claims Coverage

The patent includes several independent claims encompassing three principal inventive features.

Detection of malicious software via threshold-based power consumption monitoring

An information processing electronic device employs a sensor to detect the electrical power or current consumed by the device. A threshold detector compares this consumption to a set threshold value and indicates the presence of undesired software when the threshold is exceeded. This approach is applicable specifically to mobile, battery-powered devices and supports alerting mechanisms if excessive consumption is detected.

Identification of undesired software using frequency signatures of power consumption

The device comprises a sensor for detecting power consumption signals, a detector for identifying frequency signatures within those signals, and a comparator to match detected signatures against a database of signatures associated with undesired software. A method is also claimed for detecting such software by obtaining the frequency signature from power consumption and comparing it to a database for identification and alerting.

Detection of communication protocol types based on power consumption signatures

An information processing electronic device is equipped to detect the type of communication protocol used in an attack by measuring the power consumption signature. The database associates specific patterns—such as a single continuous plateau for Transmission Control (TC) protocol, or an initial plateau followed by short plateaus and lulls for Universal Datagram (UD) protocol—with protocol types. The device includes means to compare the detected signature to the database and identify the protocol.
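One way to apply the two plateau patterns named in this claim to a sampled trace, as an added example that is not code from the patent: the trace is split into high and low runs, and the run pattern is mapped to the claim's "TC" and "UD" labels. The threshold, the minimum plateau length, the current levels and the sample traces are constructed assumptions.

```python
IDLE, BUSY = 80, 210   # constructed current levels in mA

# Constructed traces: one long plateau, and a long plateau followed by
# short plateaus separated by lulls.
TC_TRACE = [IDLE] * 3 + [BUSY] * 20 + [IDLE] * 3
UD_TRACE = [IDLE] * 3 + [BUSY] * 10 + ([IDLE] * 2 + [BUSY] * 3) * 4 + [IDLE] * 3

def runs(trace, threshold):
    """Run-length encode the trace as [is_high, length] pairs."""
    out = []
    for sample in trace:
        high = sample > threshold
        if out and out[-1][0] == high:
            out[-1][1] += 1
        else:
            out.append([high, 1])
    return out

def classify_protocol(trace, threshold, min_plateau=5):
    """Map the plateau pattern to the protocol labels used in the claim."""
    segs = runs(trace, threshold)
    # Drop leading and trailing idle so only the active period is judged.
    while segs and not segs[0][0]:
        segs.pop(0)
    while segs and not segs[-1][0]:
        segs.pop()
    plateaus = [length for high, length in segs if high]
    if not plateaus or plateaus[0] < min_plateau:
        return None    # no sustained elevated consumption
    if len(plateaus) == 1:
        return "TC"    # single continuous plateau
    if all(length < plateaus[0] for length in plateaus[1:]):
        return "UD"    # initial plateau, then short plateaus and lulls
    return None        # pattern not in the two-entry table
```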

In summary, the patent claims broadly cover apparatus and methods for detecting malicious software and identifying network protocols through power consumption pattern analysis in both time and frequency domains.

Stated Advantages

The method detects malicious software without significantly increasing battery consumption, thus preserving battery life in portable devices.

The detection approach does not overload the microprocessor, making it suitable for devices with limited processing capability.

The system enables fast, sensitive, and specific detection of software attacks by utilizing unique frequency and time-domain power signatures.

The method is particularly effective for detecting denial of service (DOS) and flooding attacks, especially when devices are in low-power or idle states.

Frequency signature-based detection is difficult to circumvent, enhancing robustness against attack modification.

Documented Applications

Protecting mobile, battery-powered devices such as PDAs, cell phones, and laptop computers from malicious software attacks.

Monitoring and identifying attacks in devices connected via wireless networks.

Detecting and distinguishing network flooding attacks, including identification of the type of communication protocol (TCP, UDP, ICMP) used in such attacks.

Application to both portable and non-portable electronic devices, including personal computers.

Enabling network administrators, security experts, or users to analyze power consumption data for security monitoring and protocol identification.
