Cybersecurity researchers have come up with a new approach that uses electromagnetic field emanations from Internet of Things (IoT) devices as a side-channel to gather precise information about different malware targeting embedded systems, even when obfuscation techniques have been used to thwart analysis.
The current research attempts to enhance malware analysis to prevent possible security risks. The rising adoption of IoT devices creates an appealing attack surface for threat actors due to their increased processing power and ability to run fully functional operating systems. The findings were revealed at the Annual Computer Security Applications Conference (ACSAC) by academics from the Research Institute of Computer Science and Random Systems (IRISA).
“[Electromagnetic] emanation that is measured from the device is practically undetectable by the malware,” researchers stated in a paper. “Therefore, malware evasion techniques cannot be straightforwardly applied unlike for dynamic software monitoring. Also, since a malware does not have control on outside hardware-level, a protection system relying on hardware features cannot be taken down, even if the malware owns the maximum privilege on the machine.”
The goal is to use side-channel data to detect emanations that depart from previously learned patterns and to raise an alert when behavior resembling malware is observed relative to the system’s normal state. This requires no modification of the target devices, and the methodology used in the study also allows the detection and classification of stealthy malware such as kernel-level rootkits, ransomware, and DDoS botnets like Mirai, including previously undetected variants.
The side-channel approach involves measuring electromagnetic emissions while executing 30 different malware binaries, as well as while performing benign video, music, picture, and camera-related activities, to train a convolutional neural network (CNN) model that classifies real-world malware samples over three phases. Specifically, the framework accepts an executable as input and returns a malware label based purely on side-channel data.
The researchers used a Raspberry Pi 2B (900 MHz quad-core ARM Cortex-A7 processor, 1 GB of memory) as the target device in a controlled setting. Electromagnetic signals were acquired and amplified with an oscilloscope and a PA 303 BNC preamplifier; the resulting model predicted the three malware types and their associated families with 99.82 percent and 99.61 percent accuracy, respectively.
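To illustrate the pipeline described above (learn the emanation pattern of known activities, then label a new trace or alert when it matches none), here is an added, self-contained Python example that is not the researchers' code: constructed traces stand in for oscilloscope captures, and a nearest-centroid classifier over normalised magnitude spectra stands in for the paper's CNN. The trace model, sample rate, frequency profiles and threshold are all assumptions chosen for illustration.

```python
import cmath
import math
import random

# Constructed stand-in for captured EM traces: each activity is modelled as a set of
# dominant frequencies (Hz) in a 1 kHz-sampled, 64-sample window plus Gaussian noise.
# These profiles are assumptions for illustration, not measured emanations.
N = 64
SAMPLE_RATE = 1000.0
PROFILES = {"benign_video": [50.0], "rootkit": [120.0, 240.0], "ddos_bot": [300.0]}

def synth_trace(freqs, noise=0.1, seed=0):
    """Build one constructed trace: sum of sinusoids at `freqs` plus noise."""
    rng = random.Random(seed)
    return [sum(math.sin(2 * math.pi * f * n / SAMPLE_RATE) for f in freqs)
            + rng.gauss(0.0, noise) for n in range(N)]

def spectrum(trace):
    """Magnitude spectrum (naive DFT, first N/2 bins), L2-normalised so that
    amplifier gain differences between captures do not affect the comparison."""
    mags = [abs(sum(x * cmath.exp(-2j * math.pi * k * n / N) for n, x in enumerate(trace)))
            for k in range(N // 2)]
    norm = math.sqrt(sum(m * m for m in mags)) or 1.0
    return [m / norm for m in mags]

def train(traces_by_label):
    """Learn the 'known pattern' of each activity as the centroid of its spectra."""
    return {label: [sum(col) / len(col) for col in zip(*map(spectrum, traces))]
            for label, traces in traces_by_label.items()}

def classify(model, trace, threshold=0.6):
    """Nearest known pattern by Euclidean distance; if the trace is far from every
    learned pattern, report 'unknown' so an operator can investigate the deviation."""
    spec = spectrum(trace)
    dists = {label: math.dist(spec, centroid) for label, centroid in model.items()}
    best = min(dists, key=dists.get)
    return (best if dists[best] < threshold else "unknown", dists[best])

def build_demo_model(traces_per_class=5):
    """Train on constructed traces per profile (stands in for recorded binaries)."""
    return train({label: [synth_trace(freqs, seed=s) for s in range(traces_per_class)]
                  for label, freqs in PROFILES.items()})

if __name__ == "__main__":
    model = build_demo_model()
    for name, freqs in [("rootkit-like", [120.0, 240.0]), ("never seen", [420.0])]:
        print(name, "->", classify(model, synth_trace(freqs, seed=99)))
```

A real deployment would replace `synth_trace` with oscilloscope captures and `train`/`classify` with the CNN, but the structure (profile known behaviour, flag what departs from it) is the same.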