Intel and Microsoft will use GPU to scan for malware.
Since the Meltdown and Spectre attacks earlier this year, Intel has been working to show that it takes security issues very seriously and that, in spite of the Meltdown issue, Intel's platform is still secure. Intel announced some new initiatives that use features specific to the Intel hardware platform to boost security. First up is Intel Threat Detection Technology (TDT), which uses features in its chips to better find malware. One of the features is "Advanced Memory Scanning." In an attempt to bypass file-based anti-virus software, some malware avoids writing to disk. This has downsides for the malware: it can't persistently infect a machine and instead has to reinfect the machine each time it is rebooted. But it also makes the malware harder to spot and analyze. To counter this, anti-malware software can scan system memory to look for anything suspicious. This scanning takes a toll on performance; Intel claims it can cause processor loads of as much as 20 percent.
This is where Advanced Memory Scanning comes in. Instead of using the CPU to scan through memory for malware signatures, the task is offloaded to the GPU. In typical desktop applications, the GPU sits there idling with minimal load. Intel states that moving the memory scanning to the GPU cuts the processor load to about two percent. Intel is positioning Advanced Memory Scanning as a feature for third parties to use. Later this month, Microsoft Windows Defender Advanced Threat Protection (ATP) will add the GPU-based memory scanning, and in principle, other software could add it too.
The next feature is Advanced Platform Telemetry. It takes advantage of computing trends such as the increased use of cloud-based machine learning and endpoint data collection in the anti-malware space. Windows Defender ATP is a prime example: it tracks machine behavior to find usage patterns that seem suspicious, even if they're not known to belong to any specific malware. Windows Defender ATP might notice operating system-level activity such as cryptolocker ransomware opening and overwriting every data file one after the other, for example, and it can highlight that pattern as suspicious, even if the ransomware is undiscovered. Advanced Platform Telemetry is Intel's take on the same idea. Instead of using operating system-level events, Intel's telemetry uses things like the CPU's integrated performance counters to spot unusual processor activity. For example, malware using the Spectre attack might cause the number of speculative branch mispredictions to change in a particular way. The processor already keeps track of the number of mispredictions, creating data that can be fed into cloud systems and used to make inferences about system health. Intel says that this will be integrated into Cisco Tetration at some point.
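As an added illustration, not code from Intel, Microsoft or Cisco: a minimal baseline-deviation check over constructed per-interval branch counter samples, the kind of performance-counter telemetry the paragraph describes. The sample values, the warm-up length and the sigma threshold are assumptions standing in for the cloud-side analysis the article mentions.

```python
"""Baseline-deviation detector over branch-misprediction telemetry (added example)."""
from statistics import mean, pstdev

# Constructed samples: (branches_retired, branch_mispredicts) per sampling interval.
# Intervals 0-7 look like an ordinary desktop workload (~2% misprediction ratio);
# intervals 8-10 show a sharp, sustained jump in the ratio; interval 11 returns to normal.
SAMPLES = [
    (1_000_000, 21_000), (1_050_000, 20_500), (980_000, 19_900),
    (1_020_000, 21_200), (1_000_000, 20_100), (1_100_000, 22_400),
    (990_000, 19_600), (1_010_000, 20_300),
    (1_000_000, 95_000), (1_020_000, 101_000), (990_000, 97_500),
    (1_000_000, 20_800),
]


def mispredict_ratio(branches, mispredicts):
    """Fraction of retired branches that were mispredicted (0.0 when no branches retired)."""
    return mispredicts / branches if branches else 0.0


def learn_baseline(samples, warmup):
    """Mean and population std-dev of the ratio over the first `warmup` intervals."""
    ratios = [mispredict_ratio(b, m) for b, m in samples[:warmup]]
    return mean(ratios), pstdev(ratios)


def flag_anomalies(samples, warmup=8, sigma=4.0):
    """Indexes of post-warm-up intervals whose ratio exceeds baseline by > sigma std-devs.

    The warm-up length and sigma are assumed tuning parameters, not values from the article.
    """
    base_mean, base_std = learn_baseline(samples, warmup)
    # Floor the spread so an almost flat baseline does not trip on tiny jitter.
    threshold = base_mean + sigma * max(base_std, 0.001)
    return [i for i, (b, m) in enumerate(samples)
            if i >= warmup and mispredict_ratio(b, m) > threshold]


if __name__ == "__main__":
    print("anomalous intervals:", flag_anomalies(SAMPLES))  # [8, 9, 10]
```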
Intel is also giving some cohesion to its existing technology. Over the years, the company has added a huge number of security features to its processors and chipsets: there are special instructions, like AES-NI for accelerated encryption and SGX for creating protected regions of encrypted memory, and there are platform features such as Platform Trust Technology, which provides an integrated TPM, and Platform Firmware Resilience, which protects against firmware corruption. Intel will place many of these features under a single term, "Security Essentials." Security Essentials will represent a common set of hardware security features, the firmware to enable them, and software libraries to make use of them. Various Atom, Core, and Xeon CPUs will support the Security Essentials platform, so any software running on them will have access to the same range of hardware-based security.