In a highly interconnected systems, such as the global information grid, data security that extends to the end-nodes of the network is needed. Software applications that are vulnerable to malicious alteration, piracy, and reverse engineering can result in the compromise of command, control, and communication channels; as well as piracy and exploitation of central database servers and critical information systems. Operating system's (OS) kernel-mode software protection can protect applications by making them less accessible to the attackers. However, such solutions currently do not address the susceptibility of the technology to over-the-wire or insider attacks to the protecting functions of the kernel themselves. Susceptibility, in this case, is defined as the inherent weaknesses in the protection defenses. To provide immunity toward from attacks, it is important that the protecting functions of the kernel itself is secured. It is often necessary to isolate the protecting functions from the rest of the system.
Researches are being conducted in developing autonomic kernel self-monitoring, self-healing, and self-protecting technology as a means to reduce the susceptibility to attacks. In the context of software protection, kernel monitoring involves the static and runtime examination of the application as well as the associated kernel-mode protections. Kernel self-healing involves the diagnosis and repair of those modifications determined to be malicious in order to return to the original unaltered protection system. Kernel self-protecting systems are focused on adapting to the environment and improving the software protection system as necessary. These systems are able to observe their operational environment, detect possible attacks to the system, such as the deployment of reverse engineering tools or unauthorized read/write access, and take action in order to contain the attackers, deploy countermeasures, or adapt to increase the level of protection.
The finer granularity (deeper level) program behavior can be observed, the better chance of detecting anomaly. The finest granularity of program monitoring is at the instruction level, where the behavior of the program can be monitored for each transition of the execution state, at clock cycle granularity. To achieve instruction level observability, a pure software environment needs to run a very detailed virtual machine, which requires modeling of the processor, and simulating its operating environment at clock cycle granularity. This approach is very expensive in term of the computing power required. Current state of the art technology includes kernel runtime process monitoring, where both the kernel protections as well as the kernel monitoring, healing, and protecting components are in the kernel. In-kernel runtime process monitoring and healing system is embedded in the kernel it monitors. The fact that kernel and its protecting functions are not isolated, and interact with external environment, makes this approach susceptible to compromises. Thus this approach does not satisfy the requirement that the monitoring and self-healing system be immune to compromise [2].
Another state of the art technology includes hypervisor or virtual machine monitoring, detection, and repair of kernel-mode software protections. Hypervisor and virtual machine based provides isolation for the self-protecting system. It requires the kernel and the application runs in a virtual machine environment as guess operating system and applications, while self-protecting software runs on host operating system [2]. This approach rely on software (running in host OS) to monitor the behavior of other software (running on guess OS), and the guess OS itself it is necessary for this approach to instrument either the guess OS and/or the virtual machine itself with software probes, to monitor the execution of the guess kernel and its applications. These software probes introduce additional cycles to the already costly emulation or virtual machine implementation [3].
Another state of the art technology includes remote direct memory access (RDMA) technology, where the monitoring and healing components are on a remote host. Remote host monitoring uses backdoor mechanism, such as RDMA [3], to investigate the main memory of the system being monitored. Remote healing system copies memory content of the main system, into its working memory via backdoor (RDMA). It analyze it, and try to detect anomaly from the memory map of the main processor. Remote healing system can heal the monitored kernel by writing proper binary directly into the main system memory via RDMA. The only cost of this approach to performance of the main system is the additional bus & memory bandwidth cost due to RDMA/monitoring activities. It is not clear how often does the main memory of the system need to be copied to the remote monitor and analyze, to have an acceptable protection without overburdening the system being monitored with additional RDMA accesses. The fact that main memory need to be copied, and then analyzed implies that there is significant latency required for detecting anomaly. This technique can not observe the state of the process in true real-time fashion.
The object of this invention is a hardware assisted systems and methods for real-time monitoring execution of programs at the most elementary level; the instruction level. The family of systems and methods in this invention are called cognizant engines family. The hardware assist design, in this invention, provides not only observability, but also controllability at this level. Fine grained observability provides unprecedented opportunity for detecting anomaly. Controllability provides a powerful tool for stopping anomaly, repairing the kernel and restoring the state of processing. The performance improvement over pure software approach is estimated in the order of 500 to 1000 times. The hardware assisted monitoring, in this invention, is very valuable in detecting mutating (polymorphic) computer viruses, where normal, signature based, virus detection is under performing. The controllability aspect of this invention allows for defeating advanced detection avoidance logic deployed by advanced polymorphic and metamorphic malwares. Accordingly, members of cognizant engine family have the following advantages:                Cognizant processing engine family provides observability (monitoring capability) at the deepest level of granularity, the machine instruction level.        It supports real-time monitoring of program behavior, at clock cycle granularity.        Cognizant engine family member provides low latency from the detection of suspicious event or anomaly to the time when appropriate action can be taken, due to the fact that probes can be programmed to take immediate action, by halting or interrupting the processor, within 2 to 3 cycles latency.        Implementation of cognizant processing engine on a host processor has low performance impact. The only impact to the main processor is when it is interrupted or halted by the probe or monitor due to detection of a critical event. The software and operating system running on the main processor do not need to be instrumented.        Cognizant engine family's hardware based isolation for the monitoring program, protects the monitoring program from being tampered.        
Other advantages includes:                Cognizant engine family provides controllability at the finest granularity. The monitoring core can modify all of main processor resources, including main memory, control and status registers, register files, caches, etc.        The monitor in the embodiments of cognizant engine family, provides controllability to the execution path of programs running on the main processor. The fact that monitoring core can access (write) branch status register, it can steer the program execution path. This feature is valuable in defeating the detection avoidance logic of a polymorphic malware.        Early detection and low latency action, reduce compromise or damage to minimal, and hence simplifying and reducing self-healing effort.        
The following are the references cited in above paragraphs:    1. Julian B. Grizzard, John G. Levine, and Henry L. Owen, “Reestablishing Trust in Compromised Systems Recovering from Rootkits that Trojan the System Call Table,”    2. Julian B, Grizzard, Eric R. Dodson, Gregory J. Conti, John G. Levine, and Henry L. Owen, “Towards a Trusted Immutable Kernel Extension (TIKE) for Self-Healing Systems: a Virtual Machine Approach”,    3. Florin Sultan, Aniruddha Bohra, Julian Neamtiu, and Liviu Iftode, “Nonintrusive Remote Healing Using Backdoors,”    4. Carey Nachenberg, “Understanding and Managing Polymorphic Viruses”,    5. “Understanding Heuristics: Symantec's Bloodhound Technology”,