CPC G06F 21/552 (2013.01) [G06F 2221/034 (2013.01)] | 10 Claims
1. An electronic device comprising:
a first hardware processor; and
a second hardware processor,
wherein the first hardware processor is configured to execute:
an executable code identification software code unit configured to receive an executable code string output from the second hardware processor and identify an execution address in a kernel space, an execution address in a user space, and an interrupt code;
a kernel space feature value generation software code unit;
a user space feature value generation software code unit;
a collection time control software code unit; and
a determination software code unit,
wherein the collection time control software code unit generates a feature value generation signal based on the interrupt code and inputs the feature value generation signal to the kernel space feature value generation software code unit and the user space feature value generation software code unit,
wherein the kernel space feature value generation software code unit counts a number of accesses to the execution address in the kernel space, and outputs the counted number to the determination software code unit as a feature value in the kernel space based on the feature value generation signal,
wherein the user space feature value generation software code unit counts a number of accesses to the execution address in the user space, and outputs the counted number to the determination software code unit as a feature value in the user space based on the feature value generation signal,
wherein the determination software code unit respectively checks the feature value in the kernel space and the feature value in the user space against predetermined expected values and determines that an attack happens upon determining a difference is equal to or greater than a predetermined difference, and
wherein the determination software code unit notifies the second hardware processor of a predetermined abnormality notification signal if the determination software code unit determines that an attack happens.
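The following is an added illustration, not code from the patent: a software simulation of the pipeline recited in claim 1, run over a constructed trace. The trace record format, the `KERNEL_BASE` boundary, per-address counting, the counter reset after each window, and the sample expected values are all assumptions.

```python
from collections import Counter

KERNEL_BASE = 0x8000_0000  # assumption: addresses at or above this are kernel space

def identify(record):
    """Executable code identification: classify one trace record.
    Assumed record format: ("exec", address) or ("irq", interrupt_code)."""
    kind, value = record
    if kind == "irq":
        return "interrupt", value
    return ("kernel" if value >= KERNEL_BASE else "user"), value

def deviates(counts, expected, threshold):
    """True if any address count differs from its expected value by >= threshold."""
    return any(abs(counts.get(a, 0) - expected.get(a, 0)) >= threshold
               for a in set(counts) | set(expected))

def monitor(trace, expected_kernel, expected_user, threshold, notify):
    """Run the pipeline over a trace; returns one verdict per collection window."""
    kernel, user, verdicts = Counter(), Counter(), []
    for record in trace:
        space, value = identify(record)
        if space == "kernel":
            kernel[value] += 1
        elif space == "user":
            user[value] += 1
        else:
            # The interrupt code acts as the feature value generation signal:
            # both counters hand their counts to the determination step.
            attack = (deviates(kernel, expected_kernel, threshold)
                      or deviates(user, expected_user, threshold))
            if attack:
                notify(value)  # abnormality notification to the second processor
            verdicts.append(attack)
            kernel, user = Counter(), Counter()  # assumption: reset per window
    return verdicts

# Constructed sample data: expected per-address counts and two trace windows.
EXPECTED_KERNEL = {0x8000_1000: 2}
EXPECTED_USER = {0x0040_0000: 3}
NORMAL = [("exec", 0x0040_0000)] * 3 + [("exec", 0x8000_1000)] * 2 + [("irq", 7)]
ANOMALOUS = [("exec", 0x0040_0000)] * 3 + [("exec", 0x8000_1000)] * 2 \
    + [("exec", 0x8000_2000)] * 4 + [("irq", 7)]

def run_sample():
    alerts = []
    verdicts = monitor(NORMAL + ANOMALOUS, EXPECTED_KERNEL, EXPECTED_USER, 2, alerts.append)
    return verdicts, alerts
```

In the constructed trace, the second window contains four accesses to a kernel address absent from the expected values, so only that window is flagged and the notification callback fires once.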