Taking place this week is the annual RSA conference, which has evolved to become a major trade show for security products and technologies. As one might expect, it's also frequently used as a springboard for security-related announcements, and this year is no exception.

Of particular interest here is Intel, who is making two announcements regarding silicon-level technologies designed to improve the security of modern computers. The first one is for what Intel is calling Threat Detection Technology (TDT), a package of capabilities that can be used by software for security screening and threat detection. The second one is the Security Essential framework that includes a consistent set of root-of-trust hardware security capabilities supported across Intel’s CPU product stack.

Intel's Threat Detection Technology comes in two parts: Accelerated Memory Scanning, and Intel Advanced Platform Telemetry. AMS, arguably the most interesting aspect of today's announcement, is a means to use the company’s iGPUs to accelerate memory scanning for malware, with the goal of reducing the CPU performance impact and scanning in a more energy-efficient manner overall. Currently anti-virus/anti-malware programs use the CPU to scan memory and storage for malicious applications, and while multi-core CPU designs mitigate the worst system impacts of AV scanning, there's still a potential hit to responsiveness. So Intel is looking to address this by moving parts of AV scanning off of the CPU entirely and in to their often underutilized integrated GPUs.

The focus of Intel's efforts here is on one specific aspect of AV scanning: in-memory (resident) malware, which doesn't get caught in transnational disk I/O checks and instead requires scanning a system's complete memory to check for. The entire process is essentially little more than pattern matching - something GPUs are proving good at - so Intel believes that GPUs would be a good fit. Meanwhile the idea that this is also a more energy-efficient method is an interesting one, albeit one where it would be nice to see some data, but it's conceptually sound.

Intel’s AMS will be first supported by Microsoft’s enterprise-focused Windows Defender Advanced Threat Protection software, which will be rolling out support for the feature later this month. On the hardware side of matters AMS is supported on Intel's current-generation Gen 9/9.5 iGPUs, meaning that it will be available on 6th Gen Core (Skylake) and newer processors. Intel says that usage of AMS reduces CPU load during memory scan by an order of magnitude (from 20% to 2%) in Windows Defender ATP, which looks significant.

Meanwhile, the second part of Intel's TDT is Intel Advanced Platform Telemetry (IAPT), which uses Intel's existing platform telemetry hardware capabilities combined with machine learning algorithms to speed up the detection of advanced threats that may not be documented. Specifically, Intel is using low-level performance counters and other telemetry as a canary for potential issues; a sudden, irregular change in the counters may indicate that malware is present, particularly exposing anything that's actively trying to use side-channel attacks (e.g. Spectre) and which take constant prodding to utilize.

As this isn't signature based it's instead triggered on the basis of broader behavior patterns, which is where machine learning comes in. Essentially the idea is for AV software vendors to compile telemetry from multiple machines, giving them an evolving baseline to work from and making unusual patterns and machines stick out. Intel isn't saying very much about this capability, but according to The Register Intel has said that "In general, data is anonymized and generalized." IAPT will initially be supported by the Cisco Tetration platform for datacenters that protects cloud workloads.

Finally, Intel is also introducing Intel Security Essentials — a consistent set of security-related capabilities to be supported by the Atom-, Core- and Xeon-branded products. The feature set will encompass a number of Intel's existing security features under a single name, including secure boot, hardware protections (for data, keys, etc.), cryptography accelerators and trusted execution enclaves. Overall Intel is aiming to include all of its advanced security technologies across its entire product stack to improve security of PCs in general, so combining these features into a single, common package helps to promote that change and clarify that the same base features are supported everywhere. The move makes a great sense as it means that software makers will be able to support a unified set of security capabilities, knowing that all of them will be supported by all PCs running Intel’s up-to-date processors.

Related Reading:

Source: Intel

POST A COMMENT

36 Comments

View All Comments

  • HStewart - Tuesday, April 17, 2018 - link

    Pretty interesting article, one thing I be curious if Intel iGPU could be use while an Discrete GPU like Mobile NVidia and AMD GPU or like on this 8805G I am typing this on is active.

    But one there is a lot out about Cryptomining on GPU, but Intel is using the technology for a good purpose to protected the customer. There are even virus and such that use GPU to mine on some else computer even if they don't know. I am glad to see someone using the technology in GPU for some thing that is good for the customer. Of course original purpose for graphics should always be supported including games.

    Intel has been attack on security side for last 4 months or so, and this is likely the only the beginning to fight fact. Of course there will be others out there that will come back and say it means nothing - but I would help AMD also considers working with Intel and Microsoft to also provide support for their customers.
    Reply
  • Samus - Wednesday, April 18, 2018 - link

    That's a good idea. Use the iGPU silicon when a dGPU is present to do things like threat detection... Reply
  • PeachNCream - Wednesday, April 18, 2018 - link

    I think the concept of using the iGPU is a good one, but my concern is that the iGPU activity will generate heat that would otherwise not be present (say the iGPU is scanning while the CPU and a potential dGPU are busy with another relatively demanding, user-initiated task) and that additional heat will force the CPU to throttle because of rising temps that a HSF can't cope with. This is more of a problem for laptops than desktops since mobile processors usually have a much lower overall TDP threshold, but since we live in a largely mobile world, I can't escape the idea that we might bump into this problem. Then again, a set of throttled CPU cores would probably still respond better than those same cores running at full speed that are busy messing around with an antivirus scanning chore. That and there are a lot of situations in which the iGPU has processing time to spare even when it's the only graphics processor in a system. It doesn't take a lot of GPU effort to display a website or throw characters on a screen as they're being typed into a document so sending a task to those underutilized iGPUs might be a fair way of putting those frequently idle transistors to work. Reply
  • Bulat Ziganshin - Wednesday, April 18, 2018 - link

    they should pause scanning when cpu/gpu is busy, like they probably do now with cpu-only scanning

    There is another concern, though - i not sure that OS can employ iGPU when dGPU is installed and selected. At least, for other purposes it goes that way
    Reply
  • Manch - Wednesday, April 18, 2018 - link

    I wonder if this will run on GCN. It would seem silly for Intel to leave out its hybrid CPUs w Vega. Considering this is first supported in MS defender, I cant see them making it a intel exclusive. Intel could use the good PR. Reply
  • Bulat Ziganshin - Wednesday, April 18, 2018 - link

    they probably developed OpenCL 2.0 solution with IntelGPU-specific commands. But important point is the idea itself - i'm 100% sure that MS and other AV developers will quickly catch in

    BTW, Gen9 GPU is Broadwell, and Gen 9.5 is Skylake (there were no new GPUs since Skylake)
    Reply
  • Ryan Smith - Wednesday, April 18, 2018 - link

    Gen 8 is Broadwell. Gen 9 is Skylake. Gen 9.5 is Kaby Lake & Coffee Lake (which got a bunch of new media functionality that Gen 9 didn't have). Reply
  • peterfares - Wednesday, April 18, 2018 - link

    Don't those hybrid CPUs have iGPUs along with the Vega GPU? Reply
  • mode_13h - Wednesday, April 18, 2018 - link

    Yes. Reply
  • mode_13h - Wednesday, April 18, 2018 - link

    Their hybrid Kaby Lake still has the Intel iGPU enabled.

    Intel iGPUs are actually better for this sort of thing, since they contain more narrow cores. Should be better for integer, scalar, and branch-heavy tasks.
    Reply

Log in

Don't have an account? Sign up now