Advertisement

Journal of Hardware and Systems Security

, Volume 3, Issue 4, pp 305–318 | Cite as

Malware Detection in Embedded Systems Using Neural Network Model for Electromagnetic Side-Channel Signals

  • Haider Adnan KhanEmail author
  • Nader Sehatbakhsh
  • Luong N. Nguyen
  • Milos Prvulovic
  • Alenka Zajić
Article

Abstract

We propose a novel malware detection system for critical embedded and cyber-physical systems (CPS). The system exploits electromagnetic (EM) side-channel signals from the device to detect malicious activity. During training, the system models EM emanations from an uncompromised device using a neural network. These EM patterns act as fingerprints for the normal program activity. Next, we continuously monitor the target device’s EM emanations. Any deviation in the device’s activity causes a variation in the EM fingerprint, which in turn violates the trained model, and is reported as an anomalous activity. The system can monitor the target device remotely (without any physical contact), and does not require any modification to the monitored system. We evaluate the system with different malware behavior (DDoS, ransomware, and code modification) on different applications using an Altera Nios-II soft-processor. Experimental evaluation reveals that our framework can detect DDoS and ransomware with 100% accuracy (AUC = 1.0), and stealthier code modification (which is roughly a 5 μ s long attack) with an AUC ≈ 0.99, from distances up to 3 m. In addition, we execute control-flow hijack, DDoS, and ransomware on different applications using an A13-OLinuXino—a Cortex A8 ARM processor single board computer with Debian Linux OS. Furthermore, we evaluate the practicality and the robustness of our system on a medical CPS, implemented using two different devices (TS-7250 and A13-OLinuXino), while executing control-flow hijack attack. Our evaluations show that our framework can detect these attacks with perfect accuracy.

Keywords

Electromagnetic side-channel security Security of cyber-physical systems Side-channel signal analysis Malware detection Anomaly detection Neural network 

Notes

Funding Information

This work has been supported, in part, by NSF grant 1563991 and DARPA LADS contract FA8650-16-C-7620. The views and findings in this paper are those of the authors and do not necessarily reflect the views of NSF and DARPA.

References

  1. 1.
    INTEL a guide to the Internet of Things infographic. https://www.intel.com/content/www/us/en/internet-of-things/infographics/guide-to-iot.html. Accessed: 2018-10-25
  2. 2.
    Abera T, Asokan N, Davi L, Ekberg JE, Nyman T, Paverd A, Sadeghi AR, Tsudik G (2016) C-FLAT: control-flow attestation for embedded systems software. In: Proceedings of the 2016 ACM SIGSAC conference on computer and communications security, pp 743–754. ACMGoogle Scholar
  3. 3.
    Agrawal D, Archambeault B, Rao JR, Rohatgi P (2002) The EM side—channel (s). In: International workshop on cryptographic hardware and embedded systems, pp 29–45. SpringerGoogle Scholar
  4. 4.
    Alam M, Khan HA, Dey M, Sinha N, Callan R, Zajic A, Prvulovic M (2018) One&Done: a single-decryption EM-based attack on OpenSSL’s constant-time blinded RSA. In: Proceedings of the 27th USENIX conference on security symposium, pp 585–602. USENIX AssociationGoogle Scholar
  5. 5.
    Alarcon-Aquino V, Barria JA (2006) Multiresolution fir neural-network-based learning algorithm applied to network traffic prediction. IEEE Trans Syst Man Cybern Part C Appl Rev 36(2):208–220CrossRefGoogle Scholar
  6. 6.
    Andronio N, Zanero S, Maggi F (2015) Heldroid: dissecting and detecting mobile ransomware. In: International workshop on recent advances in intrusion detection, pp 382–404. SpringerGoogle Scholar
  7. 7.
    Bottou L (2010) Large-scale machine learning with stochastic gradient descent. In: Proceedings of COMPSTAT’2010, pp 177–186. SpringerGoogle Scholar
  8. 8.
    Brewer R (2016) Ransomware attacks: detection, prevention and cure. Netw Secur 2016(9):5–9CrossRefGoogle Scholar
  9. 9.
    Buennemeyer TK, Nelson TM, Clagett LM, Dunning JP, Marchany R, Tront JG (2008) Mobile device profiling and intrusion detection using smart batteries. In: Proceedings of the 41st annual Hawaii international conference on system sciences, pp 296–296. IEEEGoogle Scholar
  10. 10.
    Callan R, Behrang F, Zajic A, Prvulovic M, Orso A (2016) Zero-overhead profiling via EM emanations. In: Proceedings of the 25th international symposium on software testing and analysis, pp 401–412. ACMGoogle Scholar
  11. 11.
    Callan R, Zajić A, Prvulovic M (2014) A practical methodology for measuring the side-channel signal available to the attacker for instruction-level events. In: Proceedings of the 47th annual IEEE/ACM international symposium on microarchitecture, pp 242–254. IEEE Computer SocietyGoogle Scholar
  12. 12.
    Callan R, Zajić A, Prvulovic M (2015) FASE: finding amplitude-modulated side-channel emanations. In: 2015 ACM/IEEE 42nd annual international symposium on computer architecture (ISCA), pp 592–603. IEEEGoogle Scholar
  13. 13.
    Cárdenas A.A., Amin S, Lin ZS, Huang YL, Huang CY, Sastry S (2011) Attacks against process control systems: risk assessment, detection, and response. In: Proceedings of the 6th ACM symposium on information, computer and communications security, pp 355–366. ACMGoogle Scholar
  14. 14.
    Chien E (2010) Stuxnet: a breakthrough. Symantec Com 12Google Scholar
  15. 15.
    Clark SS, Ransford B, Rahmati A, Guineau S, Sorber J, Xu W, Fu K (2013) Wattsupdoc: power side channels to nonintrusively discover untargeted malware on embedded medical devices. In: HealthTechGoogle Scholar
  16. 16.
    Colbert E (2017) Security of cyber-physical systems— CSIAc. J Cyber Secur Inf Syst 5(1)Google Scholar
  17. 17.
    Collobert R, Weston J (2008) A unified architecture for natural language processing: deep neural networks with multitask learning. In: Proceedings of the 25th international conference on Machine learning, pp 160–167. ACMGoogle Scholar
  18. 18.
    Deng L, Yu D, et al. (2014) Deep learning: methods and applications. Foundations and Trends® in Signal Processing 7(3–4):197–387MathSciNetCrossRefGoogle Scholar
  19. 19.
    Falliere N, Murchu LO, Chien E (2011) W32. stuxnet dossier. White paper, Symantec Corp., Security Response 5(6)Google Scholar
  20. 20.
    Farwell JP, Rohozinski R (2011) Stuxnet and the future of cyber war. Survival 53(1):23–40CrossRefGoogle Scholar
  21. 21.
    Genkin D, Pachmanov L, Pipman I, Tromer E (2015) Stealing keys from PCs using a radio: cheap electromagnetic attacks on windowed exponentiation. In: International workshop on cryptographic hardware and embedded systems, pp 207–228. SpringerGoogle Scholar
  22. 22.
    González CRA, Reed JH (2011) Power fingerprinting in sdr integrity assessment for security and regulatory compliance. Analog Integr Circ Sig Process 69(2-3):307CrossRefGoogle Scholar
  23. 23.
    Graves A, Mohamed AR, Hinton G (2013) Speech recognition with deep recurrent neural networks. In: 2013 IEEE international conference on Acoustics, speech and signal processing (icassp), pp 6645–6649. IEEEGoogle Scholar
  24. 24.
    Guthaus MR, Ringenberg JS, Ernst D, Austin TM, Mudge T, Brown RB (2001) Mibench: A free, commercially representative embedded benchmark suite. In: Proceedings of the 4th annual IEEE international workshop on workload characterization. WWC-4 (Cat. No. 01EX538), pp 3–14. IEEEGoogle Scholar
  25. 25.
    Han Y, Etigowni S, Liu H, Zonouz S, Petropulu A (2017) Watch me, but don’t touch me! contactless control flow monitoring via electromagnetic emanations. In: Proceedings of the 2017 ACM SIGSAC conference on computer and communications security, pp 1095–1108. ACMGoogle Scholar
  26. 26.
    Hayashi YI, Homma N, Mizuki T, Shimada H, Aoki T, Sone H, Sauvage L, Danger JL (2013) Efficient evaluation of em radiation associated with information leakage from cryptographic devices. IEEE Trans Electromagn Compat 55(3):555–563CrossRefGoogle Scholar
  27. 27.
    Herzberg B, Bekerman D, Zeifman I (2016) Breaking down mirai: an IoT DDoS botnet analysis. Incapsula Blog, Bots and DDoS, SecurityGoogle Scholar
  28. 28.
    Hochreiter S (1998) The vanishing gradient problem during learning recurrent neural nets and problem solutions. International Journal of Uncertainty. Fuzziness and Knowledge-Based Systems 6(02):107–116CrossRefGoogle Scholar
  29. 29.
    Jacoby GA, Marchany R, Davis N (2004) Battery-based intrusion detection a first line of defense. In: Proceedings from the 5th annual IEEE SMC information assurance workshop, 2004, pp 272–279. IEEEGoogle Scholar
  30. 30.
    Juyal P, Adibelli S, Sehatbakhsh N, Zajic A (2018) A directive antenna based on conducting discs for detecting unintentional em emissions at large distances. IEEE Transactions on Antennas and Propagation pp 1–1.  https://doi.org/10.1109/TAP.2018.2870370 CrossRefGoogle Scholar
  31. 31.
    Karlik B, Olgac AV (2011) Performance analysis of various activation functions in generalized MLP architectures of neural networks. International Journal of Artificial Intelligence and Expert Systems 1(4):111–122Google Scholar
  32. 32.
    Khan HA, Alam M, Zajic A, Prvulovic M (2018) Detailed tracking of program control flow using analog side-channel signals: a promise for IoT malware detection and a threat for many cryptographic implementations. In: Cyber Sensing 2018, vol. 10630, p. 1063005. International Society for Optics and PhotonicsGoogle Scholar
  33. 33.
    Khashei M, Bijari M (2010) An artificial neural network (p, d, q) model for timeseries forecasting. Expert Systems with applications 37(1):479–489CrossRefGoogle Scholar
  34. 34.
    Kim H, Smith J, Shin KG (2008) Detecting energy-greedy anomalies and mobile malware variants. In: Proceedings of the 6th international conference on mobile systems, applications, and services, pp 239–252. ACMGoogle Scholar
  35. 35.
    Krizhevsky A, Sutskever I, Hinton G (2012) Imagenet classification with deep convolutional neural networks. In: Advances in neural information processing systems, pp 1097–1105Google Scholar
  36. 36.
    Langner R (2011) Stuxnet: dissecting a cyberwarfare weapon. IEEE Secur Priv 9(3):49–51CrossRefGoogle Scholar
  37. 37.
    LeCun Y, Bengio Y, Hinton G (2015) Deep learning. Nature 521(7553):436CrossRefGoogle Scholar
  38. 38.
    Lee I, Sokolsky O (2010) Medical cyber physical systems. In: 2010 47th ACM/IEEE design automation conference (DAC), pp 743–748. IEEEGoogle Scholar
  39. 39.
    Liu L, Yan G, Zhang X, Chen S (2009) Virusmeter: preventing your cellphone from spies. In: International workshop on recent advances in intrusion detection, pp 244–264. SpringerGoogle Scholar
  40. 40.
    Liu Y, Wei L, Zhou Z, Zhang K, Xu W, Xu Q (2016) On code execution tracking via power side-channel. In: Proceedings of the 2016 ACM SIGSAC conference on computer and communications security, pp 1019–1031. ACMGoogle Scholar
  41. 41.
    Malhotra P, Vig L, Shroff G, Agarwal P (2015) Long short term memory networks for anomaly detection in time series. In: Proceedings, p. 89. Presses universitaires de LouvainGoogle Scholar
  42. 42.
    McMillan R (2010) Siemens: stuxnet worm hit industrial systems. Computerworld, 14Google Scholar
  43. 43.
    Nair V, Hinton G (2010) Rectified linear units improve restricted Boltzmann machines. In: Proceedings of the 27th international conference on machine learning (ICML-10), pp 807–814Google Scholar
  44. 44.
    Nakashima E, Mufson S (2008) Hackers have attacked foreign utilities, CIA analyst says. Washington PostGoogle Scholar
  45. 45.
    Nazari A, Sehatbakhsh N, Alam M, Zajic A, Prvulovic M (2017) Eddie: Em-based detection of deviations in program execution. In: 2017 ACM/IEEE 44th annual international symposium on computer architecture (ISCA), pp 333–346. IEEEGoogle Scholar
  46. 46.
    Newsome J, Song DX (2005) Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity softwareGoogle Scholar
  47. 47.
    Ozsoy M, Khasawneh KN, Donovick C, Gorelik I, Abu-Ghazaleh NB, Ponomarev D (2016) Hardware-based malware detection using low-level architectural features. IEEE Trans Comput 65(11):3332–3344MathSciNetCrossRefGoogle Scholar
  48. 48.
    Richards R (2016) High-assurance cyber military systems (HACMS). DARPA, milGoogle Scholar
  49. 49.
    Rothermel G, Elbaum S, Kinneer A, Do H (2006) Software-artifact infrastructure repository. URL http://sir.unl.edu/portal
  50. 50.
    Rumelhart DE, Hinton G, Williams RJ (1986) Learning representations by back-propagating errors. Nature 323(6088):533CrossRefGoogle Scholar
  51. 51.
    Sametinger J, Rozenblit J, Lysecky R, Ott P (2015) Security challenges for medical devices. Commun ACM 58(4):74–82CrossRefGoogle Scholar
  52. 52.
    Sehatbakhsh N, Alam M, Nazari A, Zajic A, Prvulovic M (2018) Syndrome: spectral analysis for anomaly detection on medical IoT and embedded devices. In: 2018 IEEE international symposium on hardware oriented security and trust (HOST), pp 1–8.  https://doi.org/10.1109/HST.2018.8383884
  53. 53.
    Sehatbakhsh N, Nazari A, Zajic A, Prvulovic M (2016) Spectral profiling: observer-effect-free profiling by monitoring EM emanations. In: The 49th annual IEEE/ACM international symposium on microarchitecture, p. 59. IEEE PressGoogle Scholar
  54. 54.
    Ticknor JL (2013) A Bayesian regularized artificial neural network for stock market forecasting. Expert Systems with Applications 40(14):5501–5506CrossRefGoogle Scholar
  55. 55.
    Wang X, Zhou Q, Harer J, Brown G, Qiu S, Dou Z, Wang J, Hinton A, Gonzalez CA, Chin P (2018) Deep learning-based classification and anomaly detection of side-channel signals. In: Cyber Sensing 2018, vol 10630, pp 1063006. International Society for Optics and PhotonicsGoogle Scholar
  56. 56.
    Wijnen B, Hunt EJ, Anzalone GC, Pearce JM (2014) Open-source syringe pump library, vol 9, p e107216CrossRefGoogle Scholar
  57. 57.
    Zajic A, Prvulovic M (2014) Experimental demonstration of electromagnetic information leakage from modern processor-memory systems. IEEE Trans Electromagn Compat 56(4):885–893CrossRefGoogle Scholar
  58. 58.
    Zeiler MD, Ranzato M, Monga R, Mao M, Yang K, Le QV, Nguyen P, Senior A, Vanhoucke V, Dean J et al (2013) On rectified linear units for speech processing. In: 2013 IEEE international conference on acoustics, speech and signal processing (ICASSP), pp 3517–3521. IEEEGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Georgia Institute of TechnologyAtlantaUSA

Personalised recommendations