{"556931":{"#nid":"556931","#data":{"type":"news","title":"Monitoring Side-Channel Signals Could Detect Malicious Software on IoT Devices","body":[{"value":"\u003Cp\u003EA $9.4 million grant from the Defense Advanced Research Projects Agency (DARPA) could lead to development of a new technique for wirelessly monitoring Internet of Things (IoT) devices for malicious software \u2013 without affecting the operation of the ubiquitous but low-power equipment.\u003C\/p\u003E\u003Cp\u003EThe technique will rely on receiving and analyzing side-channel signals, electromagnetic emissions that are produced unintentionally by the electronic devices as they execute programs. These signals are produced by semiconductors, capacitors, power supplies and other components, and can currently be measured up to a half-meter away from operating IoT devices.\u003C\/p\u003E\u003Cp\u003EBy comparing these unintended side-channel emissions to a database of what the devices should be doing when they are operating normally, researchers can tell if malicious software has been installed.\u003C\/p\u003E\u003Cp\u003E\u201cWe will be looking at how the program is changing its behavior,\u201d explained \u003Ca href=\u0022https:\/\/www.ece.gatech.edu\/faculty-staff-directory\/alenka-zajic\u0022\u003EAlenka Zajic\u003C\/a\u003E, the project\u2019s principal investigator and an assistant professor in the \u003Ca href=\u0022http:\/\/www.ece.gatech.edu\/\u0022\u003ESchool of Electrical and Computer Engineering\u003C\/a\u003E at the Georgia Institute of Technology. \u201cIf an Internet of Things device is attacked, the insertion of malware will affect the program that is running, and we can detect that remotely.\u201d\u003C\/p\u003E\u003Cp\u003EThe four-year project will also include two faculty members from Georgia Tech\u0027s \u003Ca href=\u0022http:\/\/www.scs.gatech.edu\/\u0022\u003ESchool of Computer Science\u003C\/a\u003E: Professors \u003Ca href=\u0022http:\/\/www.scs.gatech.edu\/people\/9736\/milos-prvulovics\u0022\u003EMilos Prvulovic\u003C\/a\u003E and \u003Ca href=\u0022http:\/\/www.scs.gatech.edu\/people\/9739\/alessandro-orsos\u0022\u003EAlessandro Orso\u003C\/a\u003E. Also part of the project will be a research team from Northrop-Grumman, headed by Matthew Welborn. Details of an early prototype of the side-channel technique, called \u201cZero-Overhead Profiling\u201d because the monitoring doesn\u0027t affect the system being observed, were presented July 20th at the International Symposium on Software Testing and Analysis (ISSTA).\u003C\/p\u003E\u003Cp\u003EWithin the next four years, an estimated 30 billion IoT devices will be in operation, doing everything from controlling home heating and air conditioning to sensing and managing critical infrastructure. The devices are usually small with limited processor power and memory. Their limited computing capabilities means they can\u2019t run the kinds of malware protection software found on laptop computers, and they cannot use virtualization and other technology to protect the system software even when an application is taken over by an attacker. This means that once attackers compromise the internet-connected application, they typically \u201cown\u201d the entire IoT device and can even make it falsely respond to traditional queries about its own security status.\u003C\/p\u003E\u003Cp\u003E\u0022The main challenge from a security perspective is to make these devices secure so somebody can\u0027t take them over,\u0022 explained Zajic. \u0022There will be a lot of processing power out there that needs to be monitored, but you can\u0027t just put traditional security software on that processor because is doesn\u0027t have enough power for both the security software and the tasks the device is supposed to be doing.\u0022\u003C\/p\u003E\u003Cp\u003EZajic and Prvulovic pioneered research on measuring side-channel signals emitted from devices. These emissions differ from the signals the devices were intended to produce for communicating information across the Internet to other devices. The researchers have already shown that they can pick up the signals close to the devices using specially designed antennas, and one project goal is to extend the range to as much as three meters.\u003C\/p\u003E\u003Cp\u003E\u0022When a processor executes instructions, values are represented as ones and zeroes, which creates a fluctuation in the current,\u0022 Zajic said. \u0022That creates changes in the electromagnetic field we are measuring, providing a pattern for what each part of the program looks like on a spectrum analyzer.\u0022\u003C\/p\u003E\u003Cp\u003EKey to detecting changes in the signals is getting a \u0022before\u0022 recording of what these signals should look like to draw a comparison with an \u0022after\u0022 set of signals for each combination of device and software. The researchers plan to evaluate each IoT device, sampling and recording its typical operation to create a database. To avoid recording overwhelming amounts of data, the system will take periodic samples from different stages of program loops.\u003C\/p\u003E\u003Cp\u003E\u0022If somebody inserts something into the program loop, the peaks in the spectrum will shift and we can detect that,\u0022 Zajic said. \u0022This is something that we can monitor in real time using advanced pattern-matching technology that uses machine learning to improve its performance.\u0022\u003C\/p\u003E\u003Cp\u003EDetecting malware, however, is more of a challenge.\u003C\/p\u003E\u003Cp\u003E\u201cThe technique is currently 95 percent accurate at profiling \u2013 pinpointing the exact point in the IoT program code that is currently executing,\u201d explained Prvulovic. \u201cHowever, detection of malware is a much more difficult problem. Profiling is about identifying which part of the program is the best match for the signal, whereas malware detection is about detecting, with sufficient confidence, that the signal does not match any part of the original program, even when the malware is designed to resemble the original code of the application.\u201d\u003C\/p\u003E\u003Cp\u003EZajic and Prvulovic have been studying a wide range of devices to determine the emissions produced.\u003C\/p\u003E\u003Cp\u003E\u201cWe have more than one source on a circuit board, so we have been trying to localize the sources so we can build an antenna to give us the best possible signal,\u201d said Zajic. \u201cThere are multiple places on the board where you connect to the same information, though it may be modulated at different frequencies.\u201d\u003C\/p\u003E\u003Cp\u003EUltimately, researchers expect the project \u2013 dubbed Computational Activity Monitoring by Externally Leveraging Involuntary Analog Signals (CAMELIA) \u2013 to be capable of monitoring several IoT devices simultaneously. That will require development of advanced processing techniques able to differentiate signals from each device, and new antennas able to pick up the signals from a greater distance.\u003C\/p\u003E\u003Cp\u003ECAMELIA is part of a DARPA program called Leveraging the Analog Domain for Security (LADS), which is investing in six different initiatives to address IoT security. The Georgia Tech-Northrop Grumman project is the only one of the projects led by an academic institution.\u003C\/p\u003E\u003Cp\u003E\u003Cem\u003EThe research is supported by the DARPA LADS program under contract FA8650-16-C-7620. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the sponsoring agency.\u003C\/em\u003E\u003C\/p\u003E\u003Cp\u003E\u003Cstrong\u003EResearch News\u003C\/strong\u003E\u003Cbr \/\u003E\u003Cstrong\u003EGeorgia Institute of Technology\u003C\/strong\u003E\u003Cbr \/\u003E\u003Cstrong\u003E177 North Avenue\u003C\/strong\u003E\u003Cbr \/\u003E\u003Cstrong\u003EAtlanta, Georgia 30332-0181 USA\u003C\/strong\u003E\u003C\/p\u003E\u003Cp\u003E\u003Cstrong\u003EMedia Relations Contacts\u003C\/strong\u003E: John Toon (404-894-6986) (\u003Ca href=\u0022mailto:jtoon@gatech.edu\u0022\u003Ejtoon@gatech.edu\u003C\/a\u003E) or Ben Brumfield (404-385-1933) (\u003Ca href=\u0022mailto:ben.brumfield@comm.gatech.edu\u0022\u003Eben.brumfield@comm.gatech.edu\u003C\/a\u003E).\u003C\/p\u003E\u003Cp\u003E\u003Cstrong\u003EWriter:\u003C\/strong\u003E John Toon\u003C\/p\u003E\u003Cp\u003E\u0026nbsp;\u003C\/p\u003E","summary":null,"format":"limited_html"}],"field_subtitle":"","field_summary":[{"value":"\u003Cp\u003EA $9.4 million grant from the Defense Advanced Research Projects Agency (DARPA) could lead to development of a new technique for wirelessly monitoring Internet of Things (IoT) devices for malicious software \u2013 without affecting the operation of the ubiquitous but low-power equipment.\u003C\/p\u003E","format":"limited_html"}],"field_summary_sentence":[{"value":"DARPA awards $9.4 million to develop a new technique for monitoring IoT devices."}],"uid":"27303","created_gmt":"2016-07-31 19:19:16","changed_gmt":"2016-10-08 03:22:12","author":"John Toon","boilerplate_text":"","field_publication":"","field_article_url":"","dateline":{"date":"2016-08-01T00:00:00-04:00","iso_date":"2016-08-01T00:00:00-04:00","tz":"America\/New_York"},"extras":[],"hg_media":{"556881":{"id":"556881","type":"image","title":"Measuring side-channel emissions","body":null,"created":"1470006053","gmt_created":"2016-07-31 23:00:53","changed":"1475895355","gmt_changed":"2016-10-08 02:55:55","alt":"Measuring side-channel emissions","file":{"fid":"206645","name":"side-channel15.jpg","image_path":"\/sites\/default\/files\/images\/side-channel15.jpg","image_full_path":"http:\/\/www.tlwarc.hg.gatech.edu\/\/sites\/default\/files\/images\/side-channel15.jpg","mime":"image\/jpeg","size":1139465,"path_740":"http:\/\/www.tlwarc.hg.gatech.edu\/sites\/default\/files\/styles\/740xx_scale\/public\/images\/side-channel15.jpg?itok=nGL7Gyp_"}},"556891":{"id":"556891","type":"image","title":"Measuring side-channel emissions2","body":null,"created":"1470006138","gmt_created":"2016-07-31 23:02:18","changed":"1475895355","gmt_changed":"2016-10-08 02:55:55","alt":"Measuring side-channel emissions2","file":{"fid":"206646","name":"side-channel18.jpg","image_path":"\/sites\/default\/files\/images\/side-channel18.jpg","image_full_path":"http:\/\/www.tlwarc.hg.gatech.edu\/\/sites\/default\/files\/images\/side-channel18.jpg","mime":"image\/jpeg","size":1004709,"path_740":"http:\/\/www.tlwarc.hg.gatech.edu\/sites\/default\/files\/styles\/740xx_scale\/public\/images\/side-channel18.jpg?itok=lFWMQvV8"}},"556901":{"id":"556901","type":"image","title":"Systematic side-channel measurement","body":null,"created":"1470006254","gmt_created":"2016-07-31 23:04:14","changed":"1475895355","gmt_changed":"2016-10-08 02:55:55","alt":"Systematic side-channel measurement","file":{"fid":"206647","name":"side-channel12.jpg","image_path":"\/sites\/default\/files\/images\/side-channel12.jpg","image_full_path":"http:\/\/www.tlwarc.hg.gatech.edu\/\/sites\/default\/files\/images\/side-channel12.jpg","mime":"image\/jpeg","size":1480456,"path_740":"http:\/\/www.tlwarc.hg.gatech.edu\/sites\/default\/files\/styles\/740xx_scale\/public\/images\/side-channel12.jpg?itok=HZjMG6fa"}},"556911":{"id":"556911","type":"image","title":"Signal outputs from electronic devices","body":null,"created":"1470006358","gmt_created":"2016-07-31 23:05:58","changed":"1475895355","gmt_changed":"2016-10-08 02:55:55","alt":"Signal outputs from electronic devices","file":{"fid":"206648","name":"side-channel13.jpg","image_path":"\/sites\/default\/files\/images\/side-channel13.jpg","image_full_path":"http:\/\/www.tlwarc.hg.gatech.edu\/\/sites\/default\/files\/images\/side-channel13.jpg","mime":"image\/jpeg","size":1866503,"path_740":"http:\/\/www.tlwarc.hg.gatech.edu\/sites\/default\/files\/styles\/740xx_scale\/public\/images\/side-channel13.jpg?itok=glNR8iMJ"}},"556921":{"id":"556921","type":"image","title":"Studying side-channel signals","body":null,"created":"1470006479","gmt_created":"2016-07-31 23:07:59","changed":"1475895358","gmt_changed":"2016-10-08 02:55:58","alt":"Studying side-channel signals","file":{"fid":"206649","name":"side-channel1.jpg","image_path":"\/sites\/default\/files\/images\/side-channel1.jpg","image_full_path":"http:\/\/www.tlwarc.hg.gatech.edu\/\/sites\/default\/files\/images\/side-channel1.jpg","mime":"image\/jpeg","size":1736216,"path_740":"http:\/\/www.tlwarc.hg.gatech.edu\/sites\/default\/files\/styles\/740xx_scale\/public\/images\/side-channel1.jpg?itok=0SMAwa6c"}}},"media_ids":["556881","556891","556901","556911","556921"],"groups":[{"id":"1188","name":"Research Horizons"}],"categories":[{"id":"153","name":"Computer Science\/Information Technology and Security"},{"id":"135","name":"Research"}],"keywords":[{"id":"11173","name":"Alenka Zajic"},{"id":"64421","name":"Internet-of-Things"},{"id":"97401","name":"IoT"},{"id":"172220","name":"malicious"},{"id":"7772","name":"malware"},{"id":"168627","name":"side-channel"},{"id":"169696","name":"side-channel signal"}],"core_research_areas":[{"id":"145171","name":"Cybersecurity"},{"id":"39451","name":"Electronics and Nanotechnology"},{"id":"39481","name":"National Security"}],"news_room_topics":[{"id":"71881","name":"Science and Technology"}],"event_categories":[],"invited_audience":[],"affiliations":[],"classification":[],"areas_of_expertise":[],"news_and_recent_appearances":[],"phone":[],"contact":[{"value":"\u003Cp\u003EJohn Toon\u003C\/p\u003E\u003Cp\u003EResearch News\u003C\/p\u003E\u003Cp\u003E(404) 894-6986\u003C\/p\u003E","format":"limited_html"}],"email":["jtoon@gatech.edu"],"slides":[],"orientation":[],"userdata":""}}}