阅读说明：本技术 通过自动功率分析的损害检测 (Damage detection by automatic power analysis ) 是由 I.里德曼 T.谢德勒 于 2019-07-24 设计创作，主要内容包括：提供了一种用于确定在计算机上执行的至少一个应用的功耗模式的方法和系统。该方法包括测量DC电流并测量提供给数据处理设备的DC电源电压,由此创建带时间戳电压值样本和电流值样本的流。该方法还包括使用I/Q数字信号处理确定相同的时间的流的乘积并将该乘积转换成实数和虚数数据流,将实数和虚数数据流组合成复数数据流,对该复数数据流应用信号处理解调步骤,从而生成解调的数据流,并从解调的数据流中提取至少一个基于流的参数签名,该至少一个基于流的参数签名表示在数据处理设备上执行的至少一个对应应用的功耗模式。(A method and system for determining a power consumption mode of at least one application executing on a computer is provided. The method includes measuring a DC current and measuring a DC supply voltage provided to the data processing device, thereby creating a stream of time-stamped voltage value samples and current value samples. The method also includes determining a product of the streams at the same time using I/Q digital signal processing and converting the product into real and imaginary data streams, combining the real and imaginary data streams into a complex data stream, applying a signal processing demodulation step to the complex data stream, thereby generating a demodulated data stream, and extracting at least one stream-based parameter signature from the demodulated data stream, the at least one stream-based parameter signature being representative of a power consumption pattern of at least one corresponding application executing on the data processing apparatus.)

1. A computer-implemented method for determining a power consumption mode of at least one application executing on a data processing device, the method comprising:

measuring a DC current flowing into the data processing apparatus using a current sensor, thereby creating a stream of time-stamped current value samples;

measuring a DC supply voltage provided to the data processing device using a voltage sensor, thereby creating a stream of time-stamped voltage value samples;

determining a product of streams of time-stamped samples measured at the same time using I/Q digital signal processing, and converting the product into a real data stream and an imaginary data stream;

combining the real data stream and the imaginary data stream into a complex data stream;

applying a signal processing demodulation step to said complex data stream, thereby generating a demodulated data stream; and

extracting at least one stream-based parametric signature from the demodulated data stream, wherein the at least one stream-based parametric signature is indicative of a power consumption pattern of at least one corresponding application executing on the data processing device.

2. The method of claim 1, further comprising:

comparing the at least one flow-based parameter signature to known parameter signatures of known applications.

3. The method of claim 1, wherein the at least one stream-based parametric signature is at least one parametric component selected from the group consisting of a frequency signature, an amplitude signature, and a phase signature.

4. The method of claim 3, wherein the at least one stream-based parametric signature further comprises at least one selected from the group consisting of a modulus, an average, a minimum, and a maximum of each parameter component.

5. The method of claim 1, further comprising:

applying a plurality of channelization filters to the complex data stream;

generating a plurality of filter output signals; and

performing signature edge detection on each filter output signal to characterize the filter output signal by enhancing time domain information related to the determination of the power consumption mode of the data processing apparatus.

6. The method of claim 5, wherein the signature Edge detection is performed using a Canny-Edge algorithm.

7. The method of claim 1, further comprising:

applying an infinite impulse response signal filter to the demodulated data stream, wherein the infinite impulse response signal filter improves a signal-to-noise ratio of the demodulated data stream while reducing an introduced phase lag to improve a signature amplitude.

8. The method of claim 1, further comprising:

detecting one or more signature edges in the at least one flow-based parametric signature; and

the associated power signature data is aggregated into a data format suitable for the analysis engine.

9. The method of claim 8, further comprising:

transmitting the aggregated correlated power signature data to the analytics engine for monitoring.

10. A system for determining a power consumption mode of at least one application executing on a data processing device, the system comprising:

a current sensor configured to measure a DC current flowing into the data processing device, thereby creating a stream of time-stamped current value samples;

a voltage sensor configured to measure a DC supply voltage provided to the data processing device, thereby creating a stream of time-stamped voltage value samples; and

a processor configured to perform a method, the method comprising:

determining a product of streams of time-stamped samples measured at the same time using I/Q digital signal processing, and converting the product into a real data stream and an imaginary data stream;

combining the real data stream and the imaginary data stream into a complex data stream;

applying a signal processing demodulation step to said complex data stream, thereby generating a demodulated data stream, an

Extracting at least one stream-based parametric signature from the demodulated data stream, wherein the at least one stream-based parametric signature is indicative of a power consumption pattern of at least one corresponding application executing on the data processing device.

11. The system of claim 10, wherein the method further comprises:

comparing the at least one flow-based parameter signature to known parameter signatures of known applications.

12. The system of claim 10, wherein the at least one stream-based parametric signature is at least one parametric component selected from the group consisting of a frequency signature, an amplitude signature, and a phase signature.

13. The system of claim 12, wherein the at least one stream-based parametric signature further comprises at least one selected from the group consisting of a modulus, an average, a minimum, and a maximum of each parameter component.

14. The system of claim 10, wherein the method further comprises:

applying a plurality of channelizing filters to the complex data stream to generate a plurality of filter output signals, an

Applying a signature edge detector to each of the filter output signals to characterize the filter output signals by enhancing time domain information related to the determination of the power consumption mode of the data processing device.

15. The system of claim 14, wherein each of the plurality of channelization filters is a Canny-Edge filter for signature Edge detection.

16. The system of claim 10, wherein the method further comprises:

an infinite impulse response signal filter is applied to improve the signal-to-noise ratio of the demodulated data stream while reducing the introduced phase lag to improve signature amplitude.

17. The system of claim 10, wherein the method further comprises:

detecting a signature edge in the at least one flow-based parametric signature; and

the associated power signature data is aggregated into a data format suitable for the analysis engine.

18. The system of claim 17, wherein the method further comprises:

transmitting aggregated relevant data power signature data such that the aggregated relevant data power signature data is receivable by the analysis engine for monitoring.

19. A computer program product comprising a computer readable storage medium having program instructions, wherein the computer readable storage medium is not itself a transitory signal, the program instructions executable by a processor of a data processing apparatus to cause the processor to perform a method comprising:

measuring a DC current flowing into the data processing apparatus using a current sensor, thereby creating a stream of time-stamped current value samples;

measuring a DC supply voltage provided to the data processing device using a voltage sensor, thereby creating a stream of time-stamped voltage value samples;

determining a product of streams of time-stamped samples measured at the same time using I/Q digital signal processing, and converting the product into a real data stream and an imaginary data stream;

combining the real data stream and the imaginary data stream into a complex data stream;

applying a signal processing demodulation step to said complex data stream, thereby generating a demodulated data stream; and

extracting at least one stream-based parametric signature from the demodulated data stream, wherein the at least one stream-based parametric signature is indicative of a power consumption pattern of at least one corresponding application executing on the data processing device.

20. The computer program product of claim 19, further comprising:

comparing the at least one flow-based parameter signature to known parameter signatures of known applications.

Background

The present invention relates generally to a method for software detection, and more particularly to a computer-implemented method for determining a power consumption mode of at least one application executing on a data processing device. The invention further relates to a system for determining a power consumption mode of at least one application executing on a data processing device, and to a computer program product.

A major challenge in the Information Technology (IT) security field is to detect compromised systems when IT is not possible to install malware detection software on the system. This applies to the field of Operation Technology (OT) when the system has a network connection but is otherwise a closed box, to systems with unknown or outdated operating systems, and to systems with limited user interfaces.

One way to detect system damage (compliance) is to analyze the power consumption of the system in question. This has been investigated for damage detection of devices running an operating system and an application. However, today, server virtualization is widely used. Multiple operating system instances (guest OS/operating system) are executed on the same hardware instance. In this case, detecting anomalies based on power consumption is more challenging because each guest OS runs one or more different applications and thus exhibits different power usage patterns. In addition to the mix of application modes, the power usage modes from the hypervisor (swapping in and out of the operating system and related applications) make the overall power signal more difficult to recognize and interpret. Even when a person has a power usage pattern that indicates malware, the person must determine which of a number of guest operating systems is infected, a particular one, some, or all.

Disclosure of Invention

According to one aspect of the present invention, a computer-implemented method for determining a power consumption mode of at least one application executing on a data processing device may be provided. The method may include measuring a DC current flowing into the data processing apparatus using a current sensor by which a stream of time-stamped current value samples may be created.

The method may further include measuring a DC supply voltage provided to the data processing device using a voltage sensor by which a stream of time-stamped voltage value samples may be created.

Further, the method may include determining a product of streams of time-stamped samples measured at the same time using I/Q digital signal processing and converting the product into a real data stream and an imaginary data stream, combining the real data stream and the imaginary data stream into a complex data stream, and applying a signal processing demodulation step to the complex data stream, thereby generating a demodulated data stream.

Last but not least, the method may comprise extracting at least one stream-based parametric signature from the demodulated data stream, each stream-based parametric signature being indicative of a power consumption mode of at least one respective application executing on the data processing device.

According to another aspect of the present invention, a system for determining a power consumption mode of at least one application executing on a data processing device may be provided. The system may include a current sensor for measuring a DC current flowing into the data processing device. Thus, a stream of time-stamped current value samples may be created.

The system may also include a voltage sensor for measuring a DC supply voltage provided to the data processing device. Thus, a stream of time-stamped voltage value samples may be created.

Further, the system may include a processor. The processor may use I/Q digital signal processing to determine a product of streams of time-stamped samples measured at the same time and convert the product to a real data stream and an imaginary data stream. The processor may combine the real data stream and the imaginary data stream into a complex data stream. The processor may apply signal processing demodulation steps to the complex data stream to produce a demodulated data stream.

Further, the processor may extract at least one stream-based parametric signature from the demodulated data stream, each stream-based parametric signature being indicative of a power consumption pattern of at least one respective application executing on the data processing device.

The proposed computer-implemented method for determining a power consumption mode of at least one application executing on a data processing device may provide a number of advantages and technical effects:

the concepts presented, in the form of methods or related systems, can be applied to a wide variety of different hardware systems. It may be independent of the operating system, the hypervisor used, and the applications used. Detection of anomalies in the power consumption of a system may allow detection of malware in any virtual system. This is achieved by facilitating automatic high resolution real-time channel analysis of power consumption of the target system that allows detection of behavioral changes, not only software, but also attacks the damage of the system against learning attacks using deliberately modified data sets and models, since all these cases will result in changes in target power usage due to changing computational requirements.

The proposed method may also reduce the total data output to the analysis engine to only the original stream of signatures rather than sample data. In essence, the proposed method describes providing an enhanced representation of power usage residing in the actual signature representing the power usage, rather than a large amount of raw data that would need to be transmitted to and processed by the analysis engine.

The proposed concept can be applied in different formats as long as the required power usage monitoring is at a high rate and resolution on all DC power supply rails from the target's power supply to the target (i.e. the processing device itself). The electrical power is the product of the voltage and the current. The monitoring current is still used without voltage, but does not accurately reflect true power usage, voltage drop over the power cable, and other conditions. Therefore, monitoring power consumption may be the most appropriate method for the above-mentioned problems.

The enriched data stream includes a large amount of additional data representing detailed signatures about power usage at any given point in time. Depending on the time domain analysis, the repetitive pattern will be easily extractable. This enriched data can be sent to an analytics platform, which can be a machine learning environment or other analytics platform, or the signature data from the device can be processed looking for changes in the behavior described by the signature. Some changes may be expected and will match expected parameters, while other changes may be detected, which may be indicative of a behavioral signature of the target. Once the behavioral signatures have been correctly added to the data set, signatures of different types of impairments can be easily detected using this technique.

It may also be noted that the proposed concept may deliver appropriate results for the detection of impermissible potentially malicious applications executing in a virtual machine running under the control of a hypervisor on a processing device (i.e., a server). This goes well beyond simple detection of power consumption modes using simple voltage and current sensors for dedicated processors without enhanced I/Q signal processing.

The method can also be scaled up or down and is applicable to single board computers that pass from a single power rail to complex SCADA (supervisory control and data acquisition) and ICS (industrial control system) systems. In the latter context, it may be applicable to legacy systems where it is not possible to install a monitoring agent.

For security critical systems that do not allow monitoring of surveillance agents, this approach may provide monitoring without any impact on target authentication or regulatory compliance.

For high reliability systems that would also not allow monitoring agents, this approach is useful because it is completely passive to the monitored target.

The same approach can also be miniaturized and built into mobile computing devices (phones, tablets, laptops, etc.) and provide a software agnostic interface for high security devices, as such devices can have a stand-alone interface that can display operational behavior; thus, if a high-security device is damaged, the proposed system may operate independently in such a case to show that the device is no longer secure.

In the following, additional embodiments of the inventive concept applicable to the method and related systems will be described. The relevant features may be used in any combination in the embodiments, as long as technical considerations do not make it difficult or impossible.

According to an advantageous embodiment, the method may further comprise comparing the at least one flow-based parameter signature with known parameter signatures of known applications. In this way, the method can detect what kind of application or applications are executed on the data processing device. This is possible without any interaction with the operating system and/or the scheduler or hypervisor or any other data processing device element and operating system inherent information. Thereby, older data processing devices or controllers can be investigated and it can be determined whether only allowed applications or unknown applications are executed.

According to a preferred embodiment of the method, the at least one stream-based parametric signature may be at least one parametric component selected from the group consisting of a frequency signature, an amplitude signature, and a phase signature. These signals and the parameters of the signals can be extracted from the measured current and voltage signals by digital signal processing.

According to a further preferred embodiment of the method, the at least one stream-based parameter signature may further comprise at least one selected from the group consisting of a mode value, an average value, a minimum value and a maximum value of each signature parameter component. These additional values may be determined for the frequency signature, the amplitude signature, and the phase signature. Thus, all information (current and voltage) determinable from the measured signals may be used to determine an application having a characteristic power consumption mode (i.e., a characteristic power consumption mode).

According to a useful embodiment, the method may further comprise: applying a plurality of channelization filters to a complex data stream; generating a plurality of filter output signals; and performing signature edge detection on each of the filter output signals. The filter output signal is thereby characterized by enhancing the time domain information related to the determination of the power consumption mode of the data processing device. Thus, multiple channels may be created from the original I/Q data stream. Examples may be DC to 1kHz, 1kHz to 10kHz, and 10kHz to 100kHz, etc. Other channels may also be applied. The phase, frequency and amplitude demodulation occurring within each channel can be fed into an edge detector or edge detection algorithm to support determining the start and end of behavior specific signatures (i.e., patterns). For example, edges in a DC to 1kHz channel (or frequency band) may be detected, but not in other channels.

According to one possible embodiment, the method may further comprise using a Canny-Edge algorithm for signature Edge detection. Such algorithms from image processing are known to be robust (robust) and very useful for edge detection. Thus, well-studied methods can be used to support the goals of the presently proposed concept.

According to one allowed embodiment, the method may additionally comprise applying an infinite impulse response signal filter (IIR) and/or a Finite Impulse Response (FIR) signal filter, in particular a plurality of IIR and/or FIR filters, in order to improve the signal-to-noise ratio of the demodulated data stream, while reducing the introduced phase lag in order to improve the signature amplitude. These filters in digital signal processing are easy to implement and may represent an advanced way of better isolating the desired signal from noise.

According to an alternative embodiment, the method may further comprise: one or more signature edges in at least one flow-based parametric signature are detected, and the associated power signature data is aggregated into a data format suitable for an analysis engine. These data may be further processed by signature analysis engines using heuristic algorithms or advanced analysis engines including machine learning based systems. Because the data format for the analytics engine may already be prepared by the methods and/or systems presented herein, the analytics engine may not bear the burden of converting the data format.

Thus, in a further embodiment, the method may further comprise transmitting the aggregated relevant data power signature data to an analysis engine for monitoring. Therefore, continuous monitoring prevents observed data processing from executing damaging software. This may represent a secure way to protect older data processing systems (e.g., those for which anti-malware software is not available) from fraud and malware.

Furthermore, embodiments can take the form of an associated computer program product accessible from a computer-usable or computer-readable medium providing program code for use by or in connection with a computer or any instruction execution system. For the purposes of this description, a computer-usable or computer readable medium can be any apparatus that can contain the means for storing, communicating, propagating, or transmitting the program for use by or in connection with the instruction execution system, apparatus, or device.

Drawings

It should be noted that embodiments of the present invention have been described with reference to different subject matters. In particular, some embodiments are described with reference to method type claims whereas other embodiments are described with reference to apparatus type claims. However, a person skilled in the art will gather from the above and the following description that, unless other notified, in addition to any combination of features belonging to one type of subject-matter also any combination between features relating to different subject-matters, in particular between features of the method type claims and features of the apparatus type claims, is considered to be disclosed within this document.

The aspects defined above and further aspects of the invention are apparent from the examples of embodiment to be described hereinafter and are explained with reference to the examples of embodiment, but the invention is not limited thereto.

Preferred embodiments of the present disclosure will be described, by way of example only, and with reference to the following drawings.

FIG. 1 shows a block diagram of an embodiment of an inventive computer-implemented method for determining a power consumption mode of at least one application executing on a data processing device, according to an embodiment of the present disclosure.

Fig. 2 shows a block diagram of a first stage of initial calibration of a method according to an embodiment of the disclosure.

Fig. 3 shows a block diagram of a second stage of the overall implementation of the method according to an embodiment of the present disclosure.

Fig. 4 illustrates an embodiment of a system including a physical host with a power adapter and a detection unit and an analysis unit according to an embodiment of the present disclosure.

Fig. 5 illustrates an embodiment of signal sampling of an appearance of an I/Q stream-to-frequency conversion signal processing system according to an embodiment of the present disclosure.

Fig. 6 illustrates an embodiment of a simplified version of a system for determining a power consumption mode of at least one application executing on a data processing device, according to an embodiment of the present disclosure.

Fig. 7 illustrates an embodiment of a computing system for use in the concepts presented herein, in accordance with an embodiment of the present disclosure.

Detailed Description

In the context of this specification, the following conventions, terms and/or expressions may be used:

the term "power consumption mode" may denote a characteristic signal pattern in the power consumption of a data processing device, a controller or any other electrical device executing software (e.g. an application). The power consumption of the device may vary in a characteristic manner due to changing the use of the processor, memory and/or other components of the data processing apparatus when executing an application.

The term "data processing apparatus" may denote a computer system typically comprising a processor and a memory attached to the processor, a dedicated apparatus running software, a controller, and I/O devices, and similar devices. Software such as operating systems, virtualization layers (e.g., hypervisors), device drivers, and applications may be loaded and executed.

The term "time-stamped current value samples" may represent a continuous sequence of measured values of current flowing from a power source to a data processing device. Each measurement may be digitized and correlated with the time of measurement and/or digitization. The same applies to the term "time-stamped voltage value samples". Furthermore, these measurements may be digitized and appended to a time value.

The term "I/Q digital signal processing" may denote a more accurate representation of a signal than using only a series of samples of the instantaneous amplitude of the signal. In general, it is not possible to determine a frequency from a series of samples because in a complex environment it is not possible to determine whether it is a positive or negative frequency because, for example, they may generate the same curve (e.g., cos (x) ═ cos (-x)). Second, it is difficult to determine the power (peak amplitude, envelope) of the signal. Only peak amplitudes at 0 °,180 °,360 °, etc. are visible here. However, the maximum power consumption may be elsewhere. The I/Q representation of these examples solves this problem. Instead of considering the signal as a flat curve as described above, it can be considered as a corkscrew (helix), helix, coil spring (coil spring) in three dimensions. Thus, the I/Q data samples represent the coordinates of the signal as seen along the time axis of the corkscrew. The amplitude modulated sinusoids are referred to as in-phase and quadrature components. This concept is well known to those skilled in the art.

The term "complex data stream" may denote a continuous sequence of digital values having both a real and a complex or imaginary part in a mathematical sense.

The term "signal processing demodulation" may refer to the process of extracting the original information-bearing signal from a carrier wave. The demodulator may be implemented as an electronic circuit or as a computer program executing some digital filter program for recovering the information content from the modulated carrier wave. There are many types of modulation and therefore many types of demodulator methods.

The term "flow-based parameter signature" may refer to a characteristic signal pattern over time that may be relevant to the execution of a particular application or combination of applications on a computer system using a hypervisor.

Hereinafter, a detailed description will be given of the drawings. All the illustrations in the drawings are schematic. First, a block diagram of an embodiment of an inventive computer-implemented method for determining a power consumption mode of at least one application executing on a data processing device is presented. Further embodiments will be described hereinafter, as well as embodiments of a system for determining a power consumption mode of at least one application executing on a data processing device.

FIG. 1 shows a block diagram of an embodiment of a computer-implemented method 100 for determining a power consumption mode of at least one application executing on a data processing device. The method includes measuring 102 a DC current flowing into the data processing device using a current sensor. The current sensor is connected between the data processing equipment and the power supply; thereby, a stream of time-stamped current value samples is generated.

The method 100 then includes measuring 104 a DC supply voltage provided by the power supply to the data processing device using the voltage sensor. The voltage sensors are connected to the processing device and the power source, respectively, in particular, in parallel or across, respectively. Thereby, a stream of time-stamped voltage value samples is generated.

Further, the method 100 includes: the product of the streams of time-stamped samples measured at the same time (mathematically, the product thereof is determined) is determined (106) and converted into a real data stream and an imaginary data stream. For this purpose, I/Q digital signal processing is used. Basically, the power consumed is determined.

For practical implementation, it would also be useful to extract the real (Q) and imaginary (I) streams from the source signal stream by a process of mixing the source stream with the appropriate COS and SIN function values to produce I and Q components.

Next, the real data stream and the imaginary data stream are combined (108) into a complex data stream, and the complex data stream is applied

(110) A signal processing demodulation step, thereby generating a demodulated data stream, and extracting (112) at least one stream-based parametric signature from the demodulated data stream. Thus, each of the flow-based parameter signatures, particularly in combination, represents a power consumption pattern of at least one corresponding application executing on the data processing device, which also potentially executes the hypervisor and the plurality of applications.

The method and the proposed example implementation are built together with signal processing techniques using well established techniques as a basis to provide a rich data stream describing the power usage of the data processing target. In essence, the automated and embedded devices within or attached to the power supply of each server can provide for the determination of a particular compromised virtual host with a virtualized computing environment by being able to recognize task switching and power signatures for each of the constituent virtualization tasks.

In general, the proposed concept can be used as a two-stage approach:

fig. 2 shows a block diagram 200 of a first stage of initial calibration. Power usage signatures are collected for one or more hypervisors 204, operating systems 206, and applications 208 (202). This can be done during a cycle of continuously refining the power characteristics. These power signatures, indicating a properly functioning system, are then recorded, 210.

Fig. 3 shows a block diagram 300 of the second phase of the overall method, in particular the detection mode. First, at 302, a signature is extracted from the power consumption of the target system. At 304, these signatures are fed to the analysis unit. At 306, the separated parameter signatures are separated into a signature indicative of normal behavior (308) and a signature indicative of impaired behavior (310).

In the event signatures indicative of normal behavior are found, these signatures are used to refine (312) the parameter signatures of the hypervisor, operating system and applications, e.g., as described in the context of FIG. 2. The process then returns to the extract signature step 302.

In the case where the parameter signature indicates tampering behavior (310), optionally, a comparison 314 with known malicious parameter signatures may be made, and if a certain threshold is exceeded, an alarm may be raised and a response may be triggered (316). As input for the comparison 314, a known signature 318 representing the malicious activity (i.e., malware executing on the target system) is retrieved from an external storage source. Further, after the alert has been issued (316), the detected malicious signature may be sent to an external destination at 320. As also shown in fig. 3, after the alarm is issued, the process returns to extracting the signature in step 302.

It should be noted that in fig. 3, only frequency is used as several signal features. A similar flow chart may be plotted using signal amplitude and/or signal phase. In addition, these signal characteristics may also be evaluated in combination. Alternatively, the term "frequency" may be replaced with a signal characteristic to obtain a more general flow chart.

Fig. 4 shows an embodiment of a system comprising a physical host 400 with a power adapter 412, as well as a detection unit 414, an analysis unit 430 and an alarm and reaction system 434. The physical host 400 includes a transformer 412 that uses AC power and converts it to DC power used in the physical host. The physical host 400 includes processors, memory units, and subsystems, collectively referred to with reference numeral 402. Physical host 400 executes a series of virtual systems, denoted as virtual system 1, 404, virtual system 2, 406, virtual system 3, 408, and virtual system 4, 410. More virtual systems may be executed on physical host 400. The virtual system may execute on a hypervisor (not shown). In each virtual system, an operating system and one or more applications may be executed.

The detection unit 414 is adapted to perform signal processing. Although shown in abstract form, the current sensor 426 is connected in series between the DC output of the power supply 412 and the power consuming devices of the physical host 400. In a similar manner, a voltage sensor 424 is connected on an output line from the DC output of the power supply 412, measuring the voltage supplied from the DC power output of the power supply 412 to the power consuming devices of the physical host 400.

Two signal streams from a voltage sensor 424 and a current sensor 426 are fed to an analog-to-digital converter 420. Each signal stream is independently a/D (analog/digital) converted. The analog sensor input is sampled at a bandwidth that is twice the analog bandwidth (nyquist rate) of the current sensing device.

More than one voltage/current combination may be sampled, for example, 3.3V, 5V, and 12V supply rails of 1MHz current analog bandwidth from a typical computer power supply to various components within the computer.

The output of frequency generator 416 and the output of a/D converter 420 are used to digitally mix the samples with sine and cosine through I/Q mixer 428 to convert this data stream into I and Q streams (real and imaginary). This is a signal processing method that provides relevant data for real-time characterization of the data stream.

The digital signal processor 422 uses the I and Q data streams from the I/Q mixer 428 as input signals to extract useful data, including but not limited to:

the amplitude of the data stream is then used,

frequency of the data stream, and

the phase of the data stream

Additional running values with the above Mean, maximum, minimum values (Mean, Max, Min are abbreviations for the mathematical values of Mean, maximum and minimum) together with the AC coupling component.

The above data may be extracted across multiple sampling channel frequencies (generated by frequency generator 416) for each power sensor. Channel data aggregation helps identify edges of power signatures in a manner similar to the "Canny edge detection" algorithm, such as John f.

Digital signal processing may be performed by the subsystem using a high speed acceleration microcontroller. Which may be a SoC (system on a chip) sampling each of the current sense and voltage lines at 2MHz, the ADC samples are mixed with a SIN/COS table to provide digital I and Q values for each analog sample.

The microcontroller DSP core running the signal processing software performs signal processing, channelization, and other tasks before passing the power signature to the ethernet module, TCP/IP network adapter 418. The ethernet functionality allows the power analyzer to be connected to a standard ethernet network. The result is a server power supply with network sockets that sends a constant rich side-channel power analysis data stream with very good resolution.

The data fed from the device is then fed to an analytics processing platform 430 that includes a pattern recognition engine 432, which pattern recognition engine 432 is used to detect abnormal behavior, specific signatures, and/or anomalies in the power consumption patterns. Through the alarm and reaction system 434, predefined tasks may be initiated to protect the physical servers from executing damaging software. To this end, the alarm and reaction system 434 may also include a presentation layer and an automated response engine 436.

Turning to fig. 5, a more detailed view of different exemplary waveforms is allowed at different stages of the analysis process. Fig. 5 illustrates an embodiment of signal sampling of an analog I/Q stream to frequency converted signal processing system. The signal source 502 (which may be the same as the frequency generator 416 of fig. 4) may illustratively deliver the following data: signal rate: 44.1[ kHz ]; waveform: sine; frequency: 10[ kHz ]; amplitude: 1[ V ]; offsetting: 0. block 504 may represent input from power sensor 426 of fig. 4.

The output of signal source 502 is shown as sine/cosine in graph 520. Graph 524 shows the source signal.

The delay unit 506 generates sine and cosine signals. The cosine signal is generated by delaying the sine signal by 90%. Further, the output of the delay unit 506 refers to the signal diagram 520.

The multiplier 508 receives the signal source 502 for the Q stream and the output signal of the delay unit 506; multiplier 510 receives the outputs of delay unit 506 and power sensor 504 as input signals for the I stream. The floating-point to complex converter 512 uses the Q data stream and the I data stream as inputs. The output signal of the floating-point to complex converter 512, in particular the I/Q data stream superimposed on the source signal, is shown in diagram 522.

An exemplary low pass filter 514 is followed in the signal stream with the following characteristics: extracting: 1[1/sec ]; sample rate 44.1[ kHz ]; cutoff frequency: 1.5[ kHz ]; transition width: 200 of a carrier; window: hamming, beta: 6.76. as a subsequent unit, a quadrature demodulator 516 with a gate 7.01874k is used. It is again followed by a low pass filter 518 having the following characteristics: extracting: 1[1/sec ]; a door 1; sample rate 44.1[ kHz ]; cutoff frequency: 400[ Hz ]; a transition width 10; window: hamming, beta 6.76. The quadrature demodulator 514 is a conjugate multiplication block and, in complex theory, provides an output that has a linear relationship with the frequency contained within the I/Q stream. It should be noted that the term 'decimating' relates to decimating signal samples per second. Thus, if there are 1000 samples per second and the decimation value is 10, there are only 100 samples as output. This may protect the processor and other circuitry from overload. The transition width forms a-3 dB frequency window.

In frequency droop (sink), the signal diagram 526 shows the frequency components of power usage that may be related to feature applications and hypervisor and operating system activity. Specifically, the left side of the trace of graph 526 shows the consistent power usage expected in the example; the right side of graph 526 shows a different frequency pattern that highlights the behavior variations associated with the overlapping signal noise in the original power signal in this example.

It may be noted that the actual signal processing is shown here in a simplified form to demonstrate the principle with some specific numbers for sampling and filtering rates, and some other parameters.

Fig. 6 illustrates an embodiment of a simplified version of a system 600 for determining a power consumption mode of at least one application executing on a data processing device. System 600 includes a current sensor 602 (equivalent to current sensors 426 and 504) for measuring the DC current flowing into the data processing device using the current sensor. The current sensor 602 is connected between the data processing device and the power supply, creating a stream of time-stamped current value samples.

The system 600 further comprises a voltage sensor 604 (equivalent to the voltage sensor 424) for measuring with the voltage sensor the DC supply voltage provided by the power supply to the data processing device. The voltage sensor 604 is connected to the processing device and the power supply, thereby creating a stream of time-stamped voltage value samples.

Further, the system 600 includes an I/Q digital signal processor 606 adapted to determine a product of streams of time-stamped samples measured at the same time using I/Q digital signal processing and convert the product into a real data stream (I stream) and an imaginary data stream (Q stream), and a combining module 608 (equivalent to the floating-point to complex converter 512) adapted to combine the real data stream and the imaginary data stream into a complex data stream.

Further, the system 600 comprises a demodulator unit 610 (corresponding to the quadrature demodulator 516) and an extraction unit 612, the demodulator unit 610 being adapted to apply signal processing demodulation steps to the complex data stream, thereby generating a demodulated data stream, the extraction unit 612 being adapted to extract at least one stream-based parametric signature from the demodulated data stream. Each of the flow-based parameter signatures represents a power consumption mode of at least one corresponding application executing on the data processing device. Thus, a distinction can be made between allowed and disallowed or potentially dangerous hypervisor/operating system/application combinations.

Embodiments of the invention may be implemented with virtually any type of computer regardless of the platform being adapted to store and/or execute program code. Fig. 7 shows, as an example, a computing system 700 adapted to execute program code related to the proposed method, e.g., for signal edge detection processing or other digital filter algorithms. However, a Digital Signal Processor (DSP) or FPGA may also be used for these tasks.

The computing system 700 is only one example of a suitable computer system and is not intended to suggest any limitation as to the scope of use or functionality of embodiments of the invention described herein, regardless of whether the computer system 700 is capable of being implemented and/or performing any of the functions recited above. In computer system 700, there are components that may operate with many other general purpose or special purpose computing system environments or configurations. Examples of well known computing systems, environments, and/or configurations that may be suitable for use with computer system/server 700 include, but are not limited to, personal computer systems, server computer systems, thin clients, thick clients, hand-held or laptop devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputer systems, mainframe computer systems, distributed cloud computing environments that include any of the above systems or devices, and the like. Computer system/server 700 may be described in the general context of computer system-executable instructions, such as program modules, being executed by computer system 700. Generally, program modules may include routines, programs, objects, components, logic, data structures, etc. that perform particular tasks or implement particular abstract data types. Computer system/server 700 may be implemented in a distributed cloud computing environment where tasks are performed by remote processing devices that are linked through a communications network. In a distributed cloud computing environment, program modules may be located in both local and remote computer system storage media including memory storage devices.

As shown, computer system/server 700 is shown in the form of a general purpose computing device. Components of computer system/server 700 may include, but are not limited to, one or more processors or processing units 702, a system memory 704, and a bus 706 that couples various system components including the system memory 704 to the processors 702. Bus 706 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, and not limitation, such architectures include Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, Enhanced ISA (EISA) bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus. Computer system/server 700 typically includes a variety of computer system readable media. Such media can be any available media that is accessible by computer system/server 700 and includes both volatile and nonvolatile media, removable and non-removable media.

The system memory 704 may include computer system readable media in the form of volatile memory, such as Random Access Memory (RAM)708 and/or cache memory 710. The computer system/server 700 may also include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, the storage system 712 may be provided for reading from and writing to non-removable, nonvolatile magnetic media (not shown, and commonly referred to as "hard disk drives"). Although not shown, a magnetic disk drive for reading from and writing to a removable nonvolatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable nonvolatile optical disk such as a CD-ROM, DVD-ROM, or other optical media may be provided. In such instances, each may be connected to bus 706 by one or more data media interfaces. As will be further depicted and described below, memory 704 may include at least one program product having a set of program modules (e.g., at least one) configured to carry out the functions of embodiments of the invention.

A program/utility having a set (at least one) of program modules 716, as well as an operating system, one or more application programs, other program modules, and program data may be stored in memory 704 by way of example, and not limitation. Each of the operating system, one or more application programs, other program modules, and program data, or some combination thereof, may include an embodiment of a networked environment. Program modules 716 generally perform the functions and/or methodologies of embodiments of the present invention, as described herein.

Computer system/server 700 may also communicate with one or more external devices 718, such as a keyboard, pointing device, display 720, etc.; one or more devices that enable a user to interact with computer system/server 700; and/or any device (e.g., network card, modem, etc.) that enables computer system/server 700 to communicate with one or more other computing devices. Such communication may occur via input/output (I/O) interfaces 714. Further, computer system/server 700 may communicate with one or more networks, such as a Local Area Network (LAN), a general Wide Area Network (WAN), and/or a public network (e.g., the internet) via network adapter 722. As depicted, network adapter 722 may communicate with other components of computer system/server 700 via bus 706. It should be appreciated that, although not shown, other hardware and/or software components may be used in conjunction with computer system/server 700. Examples include, but are not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data archival storage systems, and the like.

The description of the different embodiments of the present invention has been presented for purposes of illustration but is not intended to be exhaustive or limited to the disclosed embodiments. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein is selected to best explain the principles of the embodiments, the practical application, or technical improvements to the techniques available on the market, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

The present invention may be embodied as systems, methods, and/or computer program products. The computer program product may include a computer readable storage medium having computer readable program instructions thereon for causing a processor to perform aspects of the present invention.

The medium can be an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system for propagating the medium. Examples of a computer-readable medium may include a semiconductor or solid state memory, magnetic tape, a removable computer diskette, a Random Access Memory (RAM), a read-only memory (ROM), a rigid magnetic disk and an optical disk. Current examples of optical disks include compact disk read only memory (CD-ROM), compact disk read/write (CD-R/W), DVD, and blu-ray disks.

The computer readable storage medium may be a tangible device that can retain and store instructions for use by an instruction execution device. The computer readable storage medium may be, for example, but is not limited to, an electronic memory device, a magnetic memory device, an optical memory device, an electromagnetic memory device, a semiconductor memory device, or any suitable combination of the foregoing. A non-exhaustive list of more specific examples of the computer-readable storage medium includes the following: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a Static Random Access Memory (SRAM), a portable compact disc read-only memory (CD-ROM), a Digital Versatile Disc (DVD), a memory stick, a floppy disk, a mechanical coding device such as punch cards or raised structures in grooves having instructions recorded thereon, and any suitable combination of the foregoing. A computer-readable storage medium as used herein should not be interpreted as a transitory signal per se, such as a radio wave or other freely propagating electromagnetic wave, an electromagnetic wave propagating through a waveguide or other transmission medium (e.g., optical pulses through a fiber optic cable), or an electrical signal transmitted through a wire.

The computer-readable program instructions described herein may be downloaded from a computer-readable storage medium to a corresponding computing/processing device, or to an external computer or external storage device via a network (e.g., the internet, a local area network, a wide area network, and/or a wireless network). The network may include copper transmission cables, optical transmission fibers, wireless transmissions, routers, firewalls, switches, gateway computers and/or edge servers. The network adapter card or network interface in each computing/processing device receives computer-readable program instructions from the network and forwards the computer-readable program instructions for storage in a computer-readable storage medium within the respective computing/processing device.

The computer readable program instructions for carrying out operations of the present invention may be assembler instructions, Instruction Set Architecture (ISA) instructions, machine-related instructions, microcode, firmware instructions, state setting data, or source code or object code written in any combination of one or more programming languages, including an object oriented Smalltalk, C + + or the like programming language, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The computer-readable program instructions may execute entirely on the user's computer, partly as a stand-alone software package on the user's computer, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider). In some embodiments, an electronic circuit, including, for example, a programmable logic circuit, a Field Programmable Gate Array (FPGA), or a Programmable Logic Array (PLA), may personalize the electronic circuit by executing computer-readable program instructions with state information of the computer-readable program instructions in order to perform aspects of the present invention.

Aspects of the present invention are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer-readable program instructions.

These computer-readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer-readable program instructions may also be stored in a computer-readable storage medium that can direct a computer, a programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer-readable storage medium having the instructions stored therein comprise an article of manufacture including instructions which implement aspects of the function/act specified in the flowchart and/or block diagram block or blocks.

The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or another device to cause a series of operational steps to be performed on the computer, other programmable apparatus or other device to produce a computer implemented process such that the instructions which execute on the computer, other programmable apparatus or other device implement the functions/acts specified in the flowchart and/or block diagram block or blocks.

The flowchart and/or block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used herein, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.

The corresponding structures, materials, acts, and equivalents of all means or step plus function elements in the claims below are intended to include any structure, material, or act for performing the function in combination with other claimed elements as specifically claimed. The description of the present invention has been presented for purposes of illustration and description, but is not intended to be exhaustive or limited to the invention in the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the invention. The embodiments were chosen and described in order to best explain the principles of the invention and the practical application, and to enable others of ordinary skill in the art to understand the invention for various embodiments with various modifications as are suited to the particular use contemplated.

According to another aspect of the present invention, a system for determining a power consumption mode of at least one application executing on a data processing device may be provided. The system may include a current sensor for measuring a DC current flowing into the data processing device using the current sensor. The current sensor may be connected between the data processing device and the power source. Thus, a stream of time-stamped current value samples may be created.

The system may further include a voltage sensor for measuring a DC supply voltage provided by the power supply to the data processing device using the voltage sensor. The voltage sensor may be connected to the processing device and the power source. Thus, a stream of time-stamped voltage value samples may be created.

Further, the system may comprise an I/Q digital signal processor adapted to determine a product of streams of time-stamped samples measured at the same time using I/Q digital signal processing and convert the product into a real data stream and an imaginary data stream, a combining module adapted to combine the real data stream and the imaginary data stream into a complex data stream, and a demodulator unit adapted to apply a signal processing demodulation step to the complex data stream, thereby generating a demodulated data stream.

Furthermore, the system may comprise an extraction unit adapted for extracting at least one stream-based parametric signature from the demodulated data stream, each of the stream-based parametric signatures representing a power consumption pattern of at least one respective application executing on the data processing device.