
Malware Detection in Embedded Systems Using Neural Network Model for Electromagnetic Side-Channel Signals

Journal of Hardware and Systems Security

Abstract

We propose a novel malware detection system for critical embedded and cyber-physical systems (CPS). The system exploits electromagnetic (EM) side-channel signals from the device to detect malicious activity. During training, the system models EM emanations from an uncompromised device using a neural network. These EM patterns act as fingerprints for the normal program activity. Next, we continuously monitor the target device’s EM emanations. Any deviation in the device’s activity causes a variation in the EM fingerprint, which in turn violates the trained model, and is reported as an anomalous activity. The system can monitor the target device remotely (without any physical contact), and does not require any modification to the monitored system. We evaluate the system with different malware behaviors (DDoS, ransomware, and code modification) on different applications using an Altera Nios-II soft-processor. Experimental evaluation reveals that our framework can detect DDoS and ransomware with 100% accuracy (AUC = 1.0), and stealthier code modification (which is roughly a 5 μs long attack) with an AUC ≈ 0.99, from distances up to 3 m. In addition, we execute control-flow hijack, DDoS, and ransomware on different applications using an A13-OLinuXino—a Cortex A8 ARM processor single board computer with Debian Linux OS. Furthermore, we evaluate the practicality and the robustness of our system on a medical CPS, implemented using two different devices (TS-7250 and A13-OLinuXino), while executing a control-flow hijack attack. Our evaluations show that our framework can detect these attacks with perfect accuracy.



Funding

This work has been supported, in part, by NSF grant 1563991 and DARPA LADS contract FA8650-16-C-7620. The views and findings in this paper are those of the authors and do not necessarily reflect the views of NSF and DARPA.

Author information

Corresponding author

Correspondence to Haider Adnan Khan.

About this article

Cite this article

Khan, H.A., Sehatbakhsh, N., Nguyen, L.N. et al. Malware Detection in Embedded Systems Using Neural Network Model for Electromagnetic Side-Channel Signals. J Hardw Syst Secur 3, 305–318 (2019). https://doi.org/10.1007/s41635-019-00074-w

  • DOI: https://doi.org/10.1007/s41635-019-00074-w
