Monitoring Side-Channel Signals Could Detect Malicious Software on IoT Devices

A $9.4 million grant from the Defense Advanced Research Projects Agency (DARPA) could lead to development of a new technique for wirelessly monitoring Internet of Things (IoT) devices for malicious software – without affecting the operation of the ubiquitous but low-power equipment.

The technique will rely on receiving and analyzing side-channel signals, electromagnetic emissions that are produced unintentionally by the electronic devices as they execute programs. These signals are produced by semiconductors, capacitors, power supplies and other components, and can currently be measured up to a half-meter away from operating IoT devices.

By comparing these unintended side-channel emissions to a database of what the devices should be doing when they are operating normally, researchers can tell if malicious software has been installed.

“We will be looking at how the program is changing its behavior,” explained Alenka Zajic, the project’s principal investigator and an assistant professor in the School of Electrical and Computer Engineering at the Georgia Institute of Technology. “If an Internet of Things device is attacked, the insertion of malware will affect the program that is running, and we can detect that remotely.”

The four-year project will also include two faculty members from Georgia Tech's School of Computer Science: Professors Milos Prvulovic and Alessandro Orso. Also part of the project will be a research team from Northrop-Grumman, headed by Matthew Welborn. Details of an early prototype of the side-channel technique, called “Zero-Overhead Profiling” because the monitoring doesn't affect the system being observed, were presented July 20th at the International Symposium on Software Testing and Analysis (ISSTA).

Within the next four years, an estimated 30 billion IoT devices will be in operation, doing everything from controlling home heating and air conditioning to sensing and managing critical infrastructure. The devices are usually small with limited processor power and memory. Their limited computing capabilities means they can’t run the kinds of malware protection software found on laptop computers, and they cannot use virtualization and other technology to protect the system software even when an application is taken over by an attacker. This means that once attackers compromise the internet-connected application, they typically “own” the entire IoT device and can even make it falsely respond to traditional queries about its own security status.

"The main challenge from a security perspective is to make these devices secure so somebody can't take them over," explained Zajic. "There will be a lot of processing power out there that needs to be monitored, but you can't just put traditional security software on that processor because is doesn't have enough power for both the security software and the tasks the device is supposed to be doing."

Zajic and Prvulovic pioneered research on measuring side-channel signals emitted from devices. These emissions differ from the signals the devices were intended to produce for communicating information across the Internet to other devices. The researchers have already shown that they can pick up the signals close to the devices using specially designed antennas, and one project goal is to extend the range to as much as three meters.

"When a processor executes instructions, values are represented as ones and zeroes, which creates a fluctuation in the current," Zajic said. "That creates changes in the electromagnetic field we are measuring, providing a pattern for what each part of the program looks like on a spectrum analyzer."

Key to detecting changes in the signals is getting a "before" recording of what these signals should look like to draw a comparison with an "after" set of signals for each combination of device and software. The researchers plan to evaluate each IoT device, sampling and recording its typical operation to create a database. To avoid recording overwhelming amounts of data, the system will take periodic samples from different stages of program loops.

"If somebody inserts something into the program loop, the peaks in the spectrum will shift and we can detect that," Zajic said. "This is something that we can monitor in real time using advanced pattern-matching technology that uses machine learning to improve its performance."

Detecting malware, however, is more of a challenge.

“The technique is currently 95 percent accurate at profiling – pinpointing the exact point in the IoT program code that is currently executing,” explained Prvulovic. “However, detection of malware is a much more difficult problem. Profiling is about identifying which part of the program is the best match for the signal, whereas malware detection is about detecting, with sufficient confidence, that the signal does not match any part of the original program, even when the malware is designed to resemble the original code of the application.”

Zajic and Prvulovic have been studying a wide range of devices to determine the emissions produced.

“We have more than one source on a circuit board, so we have been trying to localize the sources so we can build an antenna to give us the best possible signal,” said Zajic. “There are multiple places on the board where you connect to the same information, though it may be modulated at different frequencies.”

Ultimately, researchers expect the project – dubbed Computational Activity Monitoring by Externally Leveraging Involuntary Analog Signals (CAMELIA) – to be capable of monitoring several IoT devices simultaneously. That will require development of advanced processing techniques able to differentiate signals from each device, and new antennas able to pick up the signals from a greater distance.

CAMELIA is part of a DARPA program called Leveraging the Analog Domain for Security (LADS), which is investing in six different initiatives to address IoT security. The Georgia Tech-Northrop Grumman project is the only one of the projects led by an academic institution.

The research is supported by the DARPA LADS program under contract FA8650-16-C-7620. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the sponsoring agency.

Research News

Georgia Institute of Technology

177 North Avenue

Atlanta, Georgia 30332-0181 USA

Media Relations Contacts: John Toon (404-894-6986) (jtoon@gatech.edu) or Ben Brumfield (404-385-1933) (ben.brumfield@comm.gatech.edu).

Writer: John Toon