Electromagnetic (EM) emanations can be recorded and used to detect and identify malware running on IoT devices, a group of researchers working at IRISA have proven.
The setup for collecting EM emanations
This novel malware detection approach also offers additional advantages: as no specific software has to be installed on the monitored device, it can hardly be detected by the malware and evaded by the malware authors.
“Also, since a malware does not have control on outside hardware-level events (e.g. on EM emanation, heat dissipation), a protection system relying on hardware features cannot be taken down, even if the malware owns the maximum privilege on the machine. Therefore, with EM emanation it becomes possible to detect stealthy malware (e.g. kernel-level rootkits), which are able to prevent software-based analysis methods,” the researchers noted.
Another advantage is that monitoring EM emanation does not require any modification of the target device, meaning that the method does not rely on specific device architecture, OS, or computational capability.
A new approach to detect IoT malware
To test their approach, the researchers have selected a Raspberry Pi single-board computer as the target device, and have collected its EM emanations during the execution of malware and benign apps (with different obfuscation methods) by using an oscilloscope and an H-field probe to record the EM signal.
Tens of thousands spectrograms were generated from the collected EM activity and have been used to train several machine learning models to achieve malware classification.
The malware classification framework
“The malware binaries are variations of five families: gonnacry, keysniffer, maK_It, mirai and bashlite, including seven different obfuscation techniques,” the researchers shared.
The proposed goal was to see whether the setup will correctly classify the executed binaries into one of four classes: ransomware, rootkit, DDoS, and benign. As it turned out, all models have proven to be extremely efficient at this (> 98% accuracy), and Convolutional Neural Network (CNN) especially (99.82% accuracy). They are also extremely accurate when it comes to identifying the actual malware family, not just the type.
A boon for malware analysts
The proliferation of Internet of Things (IoT) devices continues unabated. Some of them have considerable processing power and operating systems with multi-core processors, which means that they could be and are vulnerable to similar threats as general purpose computers. But IoT-specific malware detection solutions are still a work in progress.
Duy-Phuc Pham, Damien Marion, Matthieu Mastio and Annelie Heuser’s proposed solution is likely to be particularly useful for malware analysts, as it’s capable of detecting new malware, no matter what obfuscation techniques the malware developers use.
“While previous solutions such as signature-based packer detection can be evaded, our results show that we can distinguish between obfuscation techniques solely based on EM traces, which gives the opportunity to analyze the evolution of IoT malware since new obfuscation techniques will be reformed to thwart detection,” they noted.
“Given our experimental results, malware analysts therefore profit from our robust methodology to gain a better understanding about the variant, type/family, forensic, and/or evolution of malware groups and campaigns, particularly in the context when software systems fail (due to malware evasion) or cannot be applied (due to restricted resources or update processes on the embedded device).”