Abstract

We propose a novel malware detection system for critical embedded and cyber-physical systems (CPS). The system exploits electromagnetic (EM) side-channel signals from the device to detect malicious activity. During training, the system models EM emanations from an uncompromised device using a neural network. These EM patterns act as fingerprints for the normal program activity. Next, we continuously monitor the target device’s EM emanations. Any deviation in the device’s activity causes a variation in the EM fingerprint, which in turn violates the trained model, and is reported as an anomalous activity. The system can monitor the target device remotely (without any physical contact), and does not require any modification to the monitored system. We evaluate the system with different malware behaviors (DDoS, ransomware, and code modification) on different applications using an Altera Nios-II soft-processor. Experimental evaluation reveals that our framework can detect DDoS and ransomware with 100% accuracy (AUC = 1.0), and stealthier code modification (which is roughly a 5 μs long attack) with an AUC ≈ 0.99, from distances up to 3 m. In addition, we execute control-flow hijack, DDoS, and ransomware on different applications using an A13-OLinuXino—a Cortex A8 ARM processor single board computer with Debian Linux OS. Furthermore, we evaluate the practicality and the robustness of our system on a medical CPS, implemented using two different devices (TS-7250 and A13-OLinuXino), while executing a control-flow hijack attack. Our evaluations show that our framework can detect these attacks with perfect accuracy.
