January, 2011

Beholder relies on the fact that a successful intruder must modify a device’s software to (1) hide their actions and (2) accomplish their mission. This requires that a compromised device alter its workload – and alteration that Beholder detects. Even “sleeper” code installed on a machine must operate command and control and utilize stealth, both of which require the machine to perform work it normally does not.

Beholder operates by having monitored devices precisely measure the execution time of critical routines. Periodically these data are aggregated and transmitted in encrypted form to a remote monitoring server. Certain disruptions in these data are immediately detectable as an intrusion – that is, no training period or parameter tuning is required. Other, subtler deviations can be detected following an initial training period that establishes a “baseline” for each monitored device. As this baseline is unique to the specific device, an intruder cannot know it precisely in advance.

Beholder does not rely on identifying any specific attack, but instead identifies symptoms of the attack, and is applicable to a wide variety of threats, including “zero day” attacks.
There are existing clients for both Windows and Linux, and the technology is currently in the pilot phase.

Principal Investigator

Stacy J Prowell


Department of Energy (DOE)