Researchers have developed a novel approach that uses electromagnetic field emanations from Internet of Things (IoT) devices as a side channel to accurately identify the types of malware targeting embedded systems, even when obfuscation techniques are used to thwart analysis.
The findings were presented at the Annual Computer Security Applications Conference (ACSAC) last month by a group of academics from the Research Institute of Computer Science and Random Systems (IRISA).
The research aims to improve malware analysis so that potential security threats can be prevented, as the rising adoption of IoT appliances creates an appealing attack surface for threat actors, in part because of their increased processing power and ability to run fully functional operating systems.
“[Electromagnetic] emanation that is measured from the device is practically undetectable by the malware,” the researchers said in a paper. “Therefore, malware evasion techniques cannot be straightforwardly applied unlike for dynamic software monitoring. Also, since a malware does not have control on outside hardware-level, a protection system relying on hardware features cannot be taken down, even if the malware owns the maximum privilege on the machine.”
The idea is to use side-channel data to detect anomalies in the emanations when they diverge from previously learned patterns, raising an alarm whenever behavior resembling malware is observed relative to the system’s usual condition.
Not only does this require no changes to the target devices, but the framework developed in the study also allows for the detection and classification of stealthy malware such as kernel-level rootkits, ransomware, and distributed denial-of-service (DDoS) botnets like Mirai, as well as variants not previously seen.
The side-channel approach involves measuring electromagnetic emissions while executing 30 different malware binaries, as well as while performing benign video, music, picture, and camera-related activities, in order to train a convolutional neural network (CNN) model that classifies real-world malware samples over three phases. In particular, the framework accepts an executable as input and produces a malware label based solely on side-channel data.
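To make the baseline-and-divergence idea concrete, here is an added example (not the researchers' code, which uses a CNN over real oscilloscope captures): it learns a normalized spectral profile of "usual" activity from constructed synthetic traces and raises an alarm when a new trace's spectrum diverges from it. The traces, bin numbers, and threshold rule are all assumptions made for illustration.

```python
import math
import random

N = 64         # samples per constructed trace
BASE_BIN = 3   # dominant frequency of the "benign activity" profile

def make_trace(rng, extra_bin=None, noise=0.05):
    """Synthetic stand-in for one sampled EM trace: base tone, optional extra tone, noise."""
    trace = []
    for n in range(N):
        v = math.sin(2 * math.pi * BASE_BIN * n / N)
        if extra_bin is not None:
            v += 0.6 * math.sin(2 * math.pi * extra_bin * n / N)
        trace.append(v + rng.gauss(0, noise))
    return trace

def spectrum(trace):
    """Magnitude spectrum via naive DFT (bins 0..N/2), scaled to unit energy."""
    mags = []
    for k in range(N // 2 + 1):
        re = sum(x * math.cos(2 * math.pi * k * n / N) for n, x in enumerate(trace))
        im = sum(x * math.sin(2 * math.pi * k * n / N) for n, x in enumerate(trace))
        mags.append(math.hypot(re, im))
    norm = math.sqrt(sum(m * m for m in mags)) or 1.0
    return [m / norm for m in mags]

def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def fit_baseline(benign_traces, k=5.0):
    """Learn the 'usual condition': centroid of benign spectra plus a mean + k*std alarm threshold."""
    specs = [spectrum(t) for t in benign_traces]
    centroid = [sum(col) / len(specs) for col in zip(*specs)]
    dists = [distance(s, centroid) for s in specs]
    mean = sum(dists) / len(dists)
    std = math.sqrt(sum((d - mean) ** 2 for d in dists) / len(dists))
    return centroid, mean + k * std

def is_anomalous(trace, baseline):
    # Alarm when the trace's spectral profile diverges from the learned baseline.
    centroid, threshold = baseline
    return distance(spectrum(trace), centroid) > threshold

def demo(seed=7):
    rng = random.Random(seed)
    baseline = fit_baseline([make_trace(rng) for _ in range(40)])
    unseen_benign = make_trace(rng)              # same activity, new noise
    divergent = make_trace(rng, extra_bin=12)    # emanation pattern changed
    return is_anomalous(unseen_benign, baseline), is_anomalous(divergent, baseline)
```

Because the profile is learned from the device's own emissions, nothing runs on the monitored device itself, which is the property the researchers rely on for resistance to evasion.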
The researchers used a Raspberry Pi 2B as the target device, with a 900 MHz quad-core ARM Cortex-A7 processor and 1 GB of memory; electromagnetic signals were acquired and amplified using an oscilloscope combined with a PA 303 BNC preamplifier. In the experimental setup, the system predicted the three malware types and their associated families with accuracies of 99.82 percent and 99.61 percent.
“[B]y using simple neural network models, it is possible to gain considerable information about the state of a monitored device, by observing solely its [electromagnetic] emanations,” the researchers concluded. “Our system is robust against various code transformation/obfuscation, including random junk insertion, packing, and virtualization, even when the transformation is previously not known to the system.”