Abstract
We propose a novel malware detection system for critical embedded and cyber-physical systems (CPS). The system exploits electromagnetic (EM) side-channel signals from the device to detect malicious activity. During training, the system models EM emanations from an uncompromised device using a neural network. These EM patterns act as fingerprints for the normal program activity. Next, we continuously monitor the target device’s EM emanations. Any deviation in the device’s activity causes a variation in the EM fingerprint, which in turn violates the trained model and is reported as anomalous activity. The system can monitor the target device remotely (without any physical contact) and does not require any modification to the monitored system. We evaluate the system with different malware behaviors (DDoS, ransomware, and code modification) on different applications using an Altera Nios-II soft-processor. Experimental evaluation reveals that our framework can detect DDoS and ransomware with 100% accuracy (AUC = 1.0), and stealthier code modification (which is roughly a 5 μs long attack) with an AUC ≈ 0.99, from distances up to 3 m. In addition, we execute control-flow hijack, DDoS, and ransomware on different applications using an A13-OLinuXino—a Cortex A8 ARM processor single board computer with Debian Linux OS. Furthermore, we evaluate the practicality and the robustness of our system on a medical CPS, implemented using two different devices (TS-7250 and A13-OLinuXino), while executing a control-flow hijack attack. Our evaluations show that our framework can detect these attacks with perfect accuracy.
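The train-then-monitor loop described in the abstract, as an added sketch that is not the paper's code: a single linear neuron trained by SGD stands in for the paper's neural network, and the trace is a constructed tone-plus-noise signal rather than a real EM capture. All function names, the tap count, the smoothing window and the threshold margin are assumptions made for illustration.

```python
import math, random

TAPS, WINDOW = 8, 16  # predictor history length and error-smoothing window (assumed)

def trace(n, seed, burst=None):
    """Constructed stand-in for an EM capture: a periodic 'program loop' tone plus noise.
    burst=(start, length) swaps in a different tone to mimic injected code."""
    rng = random.Random(seed)
    out = []
    for t in range(n):
        in_burst = burst is not None and burst[0] <= t < burst[0] + burst[1]
        out.append(math.sin(2 * math.pi * t / (5.0 if in_burst else 16.0)) + rng.gauss(0, 0.05))
    return out

def train(clean, epochs=3, lr=0.02):
    """Fit one linear neuron by SGD to predict each sample from the previous TAPS samples."""
    w = [0.0] * TAPS
    for _ in range(epochs):
        for t in range(TAPS, len(clean)):
            x = clean[t - TAPS:t]
            err = clean[t] - sum(wi * xi for wi, xi in zip(w, x))
            w = [wi + lr * err * xi for wi, xi in zip(w, x)]
    return w

def smoothed_error(w, sig):
    """Moving average of squared prediction error over WINDOW consecutive samples."""
    sq = [(sig[t] - sum(wi * xi for wi, xi in zip(w, sig[t - TAPS:t]))) ** 2
          for t in range(TAPS, len(sig))]
    return [sum(sq[i:i + WINDOW]) / WINDOW for i in range(len(sq) - WINDOW + 1)]

def monitor(w, threshold, sig):
    """Return the sample indices at which the smoothed error violates the trained model."""
    offset = TAPS + WINDOW - 1  # sample index of the last error in the first window
    return [i + offset for i, e in enumerate(smoothed_error(w, sig)) if e > threshold]

def demo():
    w = train(trace(2000, seed=1))                            # training on a clean device
    thr = 3.0 * max(smoothed_error(w, trace(1000, seed=2)))   # calibrate on a second clean trace
    clean_alarms = monitor(w, thr, trace(1000, seed=3))
    attack_alarms = monitor(w, thr, trace(1000, seed=4, burst=(600, 40)))
    return clean_alarms, attack_alarms

if __name__ == "__main__":
    print(demo())
```

The threshold is derived only from clean traces, so the monitor needs no examples of malware; the alarms on the fourth trace are confined to the 40-sample burst plus the predictor and window lag.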
Funding
This work has been supported, in part, by NSF grant 1563991 and DARPA LADS contract FA8650-16-C-7620. The views and findings in this paper are those of the authors and do not necessarily reflect the views of NSF and DARPA.
Cite this article
Khan, H.A., Sehatbakhsh, N., Nguyen, L.N. et al. Malware Detection in Embedded Systems Using Neural Network Model for Electromagnetic Side-Channel Signals. J Hardw Syst Secur 3, 305–318 (2019). https://doi.org/10.1007/s41635-019-00074-w
DOI: https://doi.org/10.1007/s41635-019-00074-w