Scanning for viruses at 60fps —

Intel, Microsoft to use GPU to scan memory for malware

The company is also using its processors’ performance monitoring to detect malicious code.

Intel Skylake die shot, built using the 14nm process.

Since the news of the Meltdown and Spectre attacks earlier this year, Intel has been working to reassure the computer industry that it takes security issues very seriously and that, in spite of the Meltdown issue, the Intel platform is a sound choice for the security conscious.

To that end, the company is announcing some new initiatives that use features specific to the Intel hardware platform to boost security. First up is Intel Threat Detection Technology (TDT), which uses features in silicon to better find malware.

The company is announcing two specific TDT features. The first is "Advanced Memory Scanning." In an effort to evade file-based anti-virus software, certain kinds of malware refrain from writing anything to disk. This can have downsides for the malware—it can't persistently infect a machine and, instead, has to reinfect the machine each time it is rebooted—but makes it harder to spot and analyze. To counter this, anti-malware software can scan system memory to look for anything untoward. This, however, comes at a performance cost, with Intel claiming it can cause processor loads of as much as 20 percent.

This is where Advanced Memory Scanning comes in: instead of using the CPU to scan through memory for telltale malware signatures, the task is offloaded to the integrated GPU. In typical desktop applications, the GPU sits there only lightly loaded, with abundant unused processing capacity. Intel says that moving the memory scanning to the GPU cuts the processor load to about two percent.

Intel is positioning Advanced Memory Scanning as a feature for third parties to use. Later this month, Microsoft Windows Defender Advanced Threat Protection (ATP) will add the GPU-based memory scanning, and in principle, other software could add it, too.

Next up is Advanced Platform Telemetry. We've seen an increase in the use of cloud-based machine learning combined with endpoint data collection in the anti-malware space. Windows Defender ATP is an example of this: it tracks machine behavior to find usage patterns that seem anomalous, even if they're not known to belong to any specific piece of malware. Windows Defender ATP might notice operating system-level activity such as cryptolocker ransomware opening and overwriting every data file one after the other, for example, and it can highlight that pattern as suspicious, even if the ransomware is hitherto undiscovered.

Advanced Platform Telemetry is an Intel-specific twist on this same basic idea. Instead of using operating system-level events, Intel's telemetry uses things like the processor's integrated performance counters to spot unusual processor activity. For example, malware using the Spectre attack might cause the number of speculative branch mispredictions to change in a particular way. The processor actually keeps track of the number of mispredictions, creating data that can be fed into some cloud systems and used to make inferences about system health. Intel says that this will be integrated into Cisco Tetration at some point.
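To make the performance-counter idea concrete, here is an added example (written for this article, not Intel's or Cisco Tetration's method) of the kind of inference such telemetry allows. It takes constructed per-interval samples of retired branches and branch mispredictions, in the style of the branches and branch-misses events a tool like Linux perf exposes, learns a baseline misprediction rate for a workload, and flags intervals whose rate departs sharply from that baseline. The sample values, the z-score rule and the threshold are assumptions; the point is that a change in a counter the processor already maintains is observable without any knowledge of the code that caused it.

```python
"""Illustrative anomaly detector over hardware performance-counter samples.
Added example; the sample layout and the z-score rule are assumptions, not
the actual Advanced Platform Telemetry pipeline."""
from statistics import mean, pstdev

# Constructed samples: (interval_id, branches_retired, branch_misses).
# BASELINE is twenty quiet intervals of one workload with a misprediction rate
# near 2%; LIVE contains two intervals (22 and 23) where the rate jumps abruptly.
BASELINE = [
    (i, 1_000_000 + 10_000 * (i % 3), 20_000 + 300 * (i % 4))
    for i in range(20)
]
LIVE = [
    (20, 1_010_000, 20_300),
    (21, 1_000_000, 20_600),
    (22, 1_020_000, 95_000),  # constructed spike in mispredictions
    (23, 1_005_000, 88_000),  # constructed spike in mispredictions
    (24, 1_000_000, 20_100),
]


def miss_rate(branches, misses):
    """Mispredictions per retired branch; zero if no branches were counted."""
    return misses / branches if branches else 0.0


def fit_baseline(samples):
    """Mean and population standard deviation of the miss rate over quiet intervals."""
    rates = [miss_rate(b, m) for _, b, m in samples]
    return mean(rates), pstdev(rates)


def flag_anomalies(samples, mu, sigma, k=4.0):
    """Return (interval_id, rate, z) for intervals more than k standard
    deviations from the baseline. A zero-variance baseline treats any
    change at all as anomalous rather than dividing by zero."""
    flagged = []
    for iid, b, m in samples:
        r = miss_rate(b, m)
        if sigma > 0:
            z = (r - mu) / sigma
        else:
            z = 0.0 if r == mu else float("inf")
        if abs(z) > k:
            flagged.append((iid, round(r, 4), round(z, 1)))
    return flagged


if __name__ == "__main__":
    mu, sigma = fit_baseline(BASELINE)
    print(f"baseline miss rate {mu:.4f} +/- {sigma:.4f}")
    for iid, r, z in flag_anomalies(LIVE, mu, sigma):
        print(f"interval {iid}: miss rate {r} (z={z}) ANOMALOUS")
```

A real deployment would baseline per workload or per process, since the normal misprediction rate of a database differs from that of a compiler, and would feed the flagged intervals to a backend that correlates them with other telemetry rather than alerting on a single counter alone.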

Intel is also creating some new branding for existing technology. Over the years, the company has added a huge number of security features to its processors and chipsets; there are special instructions, like AES-NI for accelerated encryption and SGX for creating protected regions of encrypted memory; and there are platform features such as Platform Trust Technology, which provides an integrated TPM, and Platform Firmware Resilience, which protects against firmware corruption.

The company is placing a number of these disparate features under a single umbrella term, "Security Essentials." Security Essentials will represent a common set of hardware security features, firmware to enable them, and software libraries to make use of them. Certain Atom, Core, and Xeon-branded hardware will support the Security Essentials platform, so any software running on them will have access to the same range of hardware-based security capabilities.
