IBM wants to use hacker tactics for desktop security

The world of enterprise cybersecurity is in flux. Traditional antivirus software and firewalls are being replaced with a new generation of security tools that use artificial intelligence to look for malicious behavior. One of the vendors leading the transition is IBM Corp., which is churning out one patent after another as its engineers push the envelope on threat detection.

Among the most recent additions to the pile is a patent application for a piece of software that can identify unauthorized activity on a computer based on its energy profile. Power analysis is not new to the cybersecurity community, but it’s historically been regarded as a threat rather than a defensive approach. Research conducted in the late 1990s showed that the fluctuations in a processor’s electricity consumption often map to specific computational operations. Scientists further demonstrated that a skilled hacker could potentially abuse the method to figure out how a cryptographic device like a smart card scrambles its internal data and reverse the process. IBM’s invention works more or less the same way, except it’s designed to uncover malicious behavior rather than encryption procedures.

The software starts by determining how much electricity is consumed by a device when it’s used normally. The process is performed in two parts. First, the hardware components under the hood are tallied up and their combined power draw is calculated based on manufacturer specifications. Then, the data is correlated with the energy requirements of the operating system and the applications running on top in their different states. IBM’s patent filing states that its technology can individually examine every program on the target machine to maximize the accuracy of measurements.

As a result, the software can tell if an increase in power consumption is generated by a business application performing a number-crunching operation or a key logger transmitting data to a remote server. The technology could potentially detect even subtler changes depending on how thoroughly IBM surveys the different states and power profiles of the programs used by its corporate clients. Since assessing every single service on the market is impractical, the company will presumably employ some automated monitoring mechanism or have its consulting arm perform the process manually on a company-by-company basis.
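The two-part baseline and per-state comparison described above can be sketched as follows. This is an added example, not IBM’s code or anything taken from the patent filing; the wattage figures, application names, tolerance and run length are all constructed assumptions.

```python
# Part 1 (constructed figures): per-component draw in watts, standing in for
# manufacturer specifications.
HARDWARE_BASELINE_W = {"cpu_idle": 8.0, "ram": 3.0, "ssd": 1.5, "display": 6.0, "nic": 1.0}

# Part 2 (constructed figures): extra watts each profiled application is
# expected to draw in each of its states.
APP_PROFILES_W = {
    "spreadsheet": {"idle": 0.5, "recalc": 14.0},
    "browser": {"idle": 1.0, "active": 6.0},
    "mail": {"idle": 0.3, "sync": 2.5},
}

def expected_watts(app_states):
    """Hardware baseline plus the profiled draw of every running application.
    An unprofiled app or state adds nothing, so its draw surfaces as residual."""
    total = sum(HARDWARE_BASELINE_W.values())
    for app, state in app_states.items():
        total += APP_PROFILES_W.get(app, {}).get(state, 0.0)
    return total

def find_unexplained(samples, tolerance_w=2.0, min_run=3):
    """Return (start_t, end_t, mean_residual_w) for every run of at least
    min_run consecutive samples whose measured draw exceeds the expected draw
    by more than tolerance_w. Short spikes are ignored as noise."""
    alerts, run = [], []
    def flush():
        if len(run) >= min_run:
            mean = sum(r for _, r in run) / len(run)
            alerts.append((run[0][0], run[-1][0], round(mean, 2)))
        run.clear()
    for t, measured_w, app_states in samples:
        residual = measured_w - expected_watts(app_states)
        if residual > tolerance_w:
            run.append((t, residual))
        else:
            flush()
    flush()
    return alerts

# Constructed trace: (second, measured watts, reported application states).
IDLE = {"spreadsheet": "idle", "browser": "idle", "mail": "idle"}
BUSY = {"spreadsheet": "recalc", "browser": "idle", "mail": "idle"}
SAMPLES = [
    (0, 21.5, IDLE), (1, 35.1, BUSY), (2, 34.6, BUSY), (3, 21.4, IDLE),
    (4, 24.5, IDLE), (5, 21.2, IDLE),                    # one-off spike
    (6, 25.3, IDLE), (7, 25.8, IDLE), (8, 25.0, IDLE),   # sustained, unexplained
    (9, 21.3, IDLE),
]

if __name__ == "__main__":
    print(find_unexplained(SAMPLES))
```

The spreadsheet recalculation raises the draw by about 14 W yet produces no alert because its profile accounts for it, while the smaller sustained rise at seconds 6 to 8 is flagged because no profiled state explains it.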

But while the technology can theoretically be made to provide a high level of accuracy, it’s still insufficient for detecting threats by itself given the sophistication of the black hat community. As a result, Big Blue will probably implement the software as part of one of its enterprise security suites rather than in the form of a standalone offering. Those products might one day be able to correlate a machine’s power consumption with user activity and other security metrics to spot breaches that currently slip under the radar. The technology could also be useful for identifying actions that are performed by legitimate users but violate company access policies, which often pose just as big a risk as hacking.