Taking place this week is the annual RSA conference, which has evolved to become a major trade show for security products and technologies. As one might expect, it's also frequently used as a springboard for security-related announcements, and this year is no exception.

Of particular interest here is Intel, who is making two announcements regarding silicon-level technologies designed to improve the security of modern computers. The first one is for what Intel is calling Threat Detection Technology (TDT), a package of capabilities that can be used by software for security screening and threat detection. The second one is the Security Essential framework that includes a consistent set of root-of-trust hardware security capabilities supported across Intel’s CPU product stack.

Intel's Threat Detection Technology comes in two parts: Accelerated Memory Scanning, and Intel Advanced Platform Telemetry. AMS, arguably the most interesting aspect of today's announcement, is a means to use the company’s iGPUs to accelerate memory scanning for malware, with the goal of reducing the CPU performance impact and scanning in a more energy-efficient manner overall. Currently anti-virus/anti-malware programs use the CPU to scan memory and storage for malicious applications, and while multi-core CPU designs mitigate the worst system impacts of AV scanning, there's still a potential hit to responsiveness. So Intel is looking to address this by moving parts of AV scanning off of the CPU entirely and in to their often underutilized integrated GPUs.

The focus of Intel's efforts here is on one specific aspect of AV scanning: in-memory (resident) malware, which doesn't get caught in transnational disk I/O checks and instead requires scanning a system's complete memory to check for. The entire process is essentially little more than pattern matching - something GPUs are proving good at - so Intel believes that GPUs would be a good fit. Meanwhile the idea that this is also a more energy-efficient method is an interesting one, albeit one where it would be nice to see some data, but it's conceptually sound.

Intel’s AMS will be first supported by Microsoft’s enterprise-focused Windows Defender Advanced Threat Protection software, which will be rolling out support for the feature later this month. On the hardware side of matters AMS is supported on Intel's current-generation Gen 9/9.5 iGPUs, meaning that it will be available on 6th Gen Core (Skylake) and newer processors. Intel says that usage of AMS reduces CPU load during memory scan by an order of magnitude (from 20% to 2%) in Windows Defender ATP, which looks significant.

Meanwhile, the second part of Intel's TDT is Intel Advanced Platform Telemetry (IAPT), which uses Intel's existing platform telemetry hardware capabilities combined with machine learning algorithms to speed up the detection of advanced threats that may not be documented. Specifically, Intel is using low-level performance counters and other telemetry as a canary for potential issues; a sudden, irregular change in the counters may indicate that malware is present, particularly exposing anything that's actively trying to use side-channel attacks (e.g. Spectre) and which take constant prodding to utilize.

As this isn't signature based it's instead triggered on the basis of broader behavior patterns, which is where machine learning comes in. Essentially the idea is for AV software vendors to compile telemetry from multiple machines, giving them an evolving baseline to work from and making unusual patterns and machines stick out. Intel isn't saying very much about this capability, but according to The Register Intel has said that "In general, data is anonymized and generalized." IAPT will initially be supported by the Cisco Tetration platform for datacenters that protects cloud workloads.

Finally, Intel is also introducing Intel Security Essentials — a consistent set of security-related capabilities to be supported by the Atom-, Core- and Xeon-branded products. The feature set will encompass a number of Intel's existing security features under a single name, including secure boot, hardware protections (for data, keys, etc.), cryptography accelerators and trusted execution enclaves. Overall Intel is aiming to include all of its advanced security technologies across its entire product stack to improve security of PCs in general, so combining these features into a single, common package helps to promote that change and clarify that the same base features are supported everywhere. The move makes a great sense as it means that software makers will be able to support a unified set of security capabilities, knowing that all of them will be supported by all PCs running Intel’s up-to-date processors.

Related Reading:

Source: Intel

POST A COMMENT

36 Comments

View All Comments

  • bairlangga - Wednesday, April 18, 2018 - link

    Well, it could be time also for Microsoft for them to lift up some of their notorious Win10 services which ramped up CPU usage every now and then beyond user control to the GPU. There are tons of them... Reply
  • serendip - Wednesday, April 18, 2018 - link

    Why just Gen 9? I would assume Gen 8 GPUs like on Atoms are equally capable of this. Reply
  • notashill - Wednesday, April 18, 2018 - link

    It wouldn't be an Intel announcement if they couldn't work some extra market segmentation into it. Reply
  • Bulat Ziganshin - Wednesday, April 18, 2018 - link

    Gen9 added OpenCL 2.0 support which is much more capable than OpenCL 1.x Reply
  • mode_13h - Wednesday, April 18, 2018 - link

    Exactly. OpenCL 2.0 added support for shared virtual memory, which sounds like it'd be necessary for the GPU to scan CPU processes. Reply
  • Xajel - Wednesday, April 18, 2018 - link

    So next they will create a new Anti-Virus Accelerator and sell it for $300 with a monthly subscription.

    Yeah, security is an investment.
    Reply
  • HStewart - Wednesday, April 18, 2018 - link

    I hope Microsoft does not do that - but I believe that it should be done for non-Intel GPU's also.. assuming that non-Intel have the specific function needed to make this work. Reply
  • BurntMyBacon - Wednesday, April 18, 2018 - link

    @Anton Shilov (Article): "The focus of Intel's efforts here is on one specific aspect of AV scanning: in-memory (resident) malware, which doesn't get caught in TRANSNATIONAL disk I/O checks and instead requires scanning a system's complete memory to check for."

    I can see how they wouldn't want to get involved in TRANSNATIONAL disk I/O checks. Who knows what kind of government involvement and regulations might apply. (O_o)
    Reply
  • Manch - Wednesday, April 18, 2018 - link

    Thats why theyre really building a wall... Reply
  • Azurael - Wednesday, April 18, 2018 - link

    If Intel actually cared about consumer security, they'd provide a way to turn off the remote manageability of vPro platforms, but I suspect they don't want/aren't allowed to...

    "Intel does not put back doors in its products nor do our products give Intel control or access to computing systems without the explicit permission of the end user."

    This was part of the statement released by Intel when the ME-related CVEs were made public. Notice that it is very carefully worded - all it says is they don't give _Intel_ access to your computer. Read from that what you will, but I would expect them to have written it as follows:

    'Intel does not put back doors in its products nor do our products give anybody control or access to computing systems without the explicit permission of the end user.'

    If that were true...
    Reply

Log in

Don't have an account? Sign up now