Obfuscation Revealed: Leveraging Electromagnetic Signals for Obfuscated Malware Classification

Abstract: The Internet of Things (IoT) is constituted of devices that are exponentially growing in number and in complexity. They use numerous customized firmware and hardware, without taking into consideration security issues, which make them a target for cybercriminals, especially malware authors.We will present a novel approach of using side channel information to identify the kinds of threats that are targeting the device. Using our approach, a malware analyst is able to obtain precise knowledge about malware type a… Show more

“…WattsUpDoc [16] was one of the earliest efforts in malware detection through hardware side-channel that demonstrated the measurement of power usage on medical embedded devices. Recently in [50,56], the authors proposed to detect and classify malware by observing EM signals. This type of work only detects busy malware under its behavioral activity, however fails to detect stealthy rootkits after their installation.…”

“…Recent work to detect malware using EM [36,50,56] [22], SHA1 [54]). Even attacks over short distance such as Screaming channels [15], which succeeded in breaking AES by exploiting wireless communication, are possible.…”

“…In the field of physical side-channel analysis of cryptographic algorithms, several methods have been published relying on statistical measures such as mean and variance, for example, the normalized inter-class variance (NICV) [7], SOST/SOSD [25], Pearson correlation coefficient [30,42], TVLA [55]. The authors of [50] demonstrate how to extract features from spectrograms using NICV to discover frequency bandwidths that may reveal behavioral information about the binaries. We propose an improvement by coupling the NICV with an hill climbing algorithm, as described in Section 5.3.1, to optimize the bandwidth extraction.…”

“…Given the most informative bandwidth, our goal is to identify rootkit activity as effectively as possible while also classifying specific rootkit properties. For multi-class classification, we use the algorithms provided by [50] that include Naive Bayes (NB), Support Vector Machines (SVM), and Multi-layer Perceptions (MLP). In this work, we also focus on detection which is a two-class classification.…”

“…Generic malware detection solutions rely on static or dynamic analysis that still have various shortcomings. In particular, major problems are related to the diversity of IoT architectures [17], obfuscation techniques [50], and the fact that most IoT devices have limited resources or accessibility.…”

ULTRA: Ultimate Rootkit Detection over the Air

“…WattsUpDoc [16] was one of the earliest efforts in malware detection through hardware side-channel that demonstrated the measurement of power usage on medical embedded devices. Recently in [50,56], the authors proposed to detect and classify malware by observing EM signals. This type of work only detects busy malware under its behavioral activity, however fails to detect stealthy rootkits after their installation.…”

“…Recent work to detect malware using EM [36,50,56] [22], SHA1 [54]). Even attacks over short distance such as Screaming channels [15], which succeeded in breaking AES by exploiting wireless communication, are possible.…”

“…In the field of physical side-channel analysis of cryptographic algorithms, several methods have been published relying on statistical measures such as mean and variance, for example, the normalized inter-class variance (NICV) [7], SOST/SOSD [25], Pearson correlation coefficient [30,42], TVLA [55]. The authors of [50] demonstrate how to extract features from spectrograms using NICV to discover frequency bandwidths that may reveal behavioral information about the binaries. We propose an improvement by coupling the NICV with an hill climbing algorithm, as described in Section 5.3.1, to optimize the bandwidth extraction.…”

“…Given the most informative bandwidth, our goal is to identify rootkit activity as effectively as possible while also classifying specific rootkit properties. For multi-class classification, we use the algorithms provided by [50] that include Naive Bayes (NB), Support Vector Machines (SVM), and Multi-layer Perceptions (MLP). In this work, we also focus on detection which is a two-class classification.…”

“…Generic malware detection solutions rely on static or dynamic analysis that still have various shortcomings. In particular, major problems are related to the diversity of IoT architectures [17], obfuscation techniques [50], and the fact that most IoT devices have limited resources or accessibility.…”

ULTRA: Ultimate Rootkit Detection over the Air

Increasing IoT Security by Supply Power Measurement

An empirical study of problems and evaluation of IoT malware classification label sources