Haixiang Wang,Jiyuan Li,Tianchen Zhang,Huan Ying,Jiajia Han,Xiaoyu Ji

DOI: https://doi.org/10.1109/itnec.2019.8729232

2019-01-01

Abstract:With the continuous development of smart grids, smart meter, one of the typical embedded equipment, is also becoming more intellectualized. Smart meters nowadays are capable of not only recording power consumption, but also uploading information to the electricity supplier for monitoring and billing, which makes the electric power dispatching and usage more efficient and convenient. However, the enhanced functions and computation power of the smart meter renders it more valuable and vulnerable for the adversary to conduct a cyber attack. One of the most common and important security threats of the smart meter is the malicious code due to its widespread and the easy access for adversaries. Therefore, it is of great criticalness to detect malicious code in the smart meters to safeguard the security of smart terminals. In this paper, we propose a novel approach that detects malicious code in embedded terminals, e.g., smart meters, with a Long Short Term Memory (LSTM) network based on the power consumption of the CPU or MCU of the device. The evaluation results demonstrate that the proposed method can effectively detect the malicious code in smart meters with an accuracy as high as 92%.

Jiachang Wen,Chen Yan,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1109/eeet58130.2022.00019

2022-01-01

Abstract:With the widespread use of new technologies such as mobile Internet, cloud computing, and Internet of Things in power systems, the number of terminal devices in power systems has increased dramatically, and the ensuing security vulnerabilities have increased, making terminal devices increasingly vulnerable to cyber attacks such as ransomware viruses. In this paper, we focus on the security of terminal devices in power systems and realize security monitoring of power terminals by collecting power consumption side channel information of power terminal devices in normal and abnormal states, using training device abnormality identification models using supervised learning algorithms with some time-domain frequency-domain feature information of power consumption as power consumption features of the devices.

Aidong Xu,Yixin Jiang,Yang Cao,Guoming Zhang,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1109/ei247390.2019.9062014

2019-01-01

Abstract:With the rapid development of information technology and the Internet of Things, the common information technologies are being applied to the power grid. It brings about the tremendous improvement in productivity, yet breaks down the safety barrier, which makes the power grid a popular target for attacks. The Distribution Terminal Unit (DTU) is a critical part of the power grid because of the acts as access points in the substation and controls the grid equipment. However, DTUs are vulnerable to different types of attacks, which can cause significant property loss or even casualties To monitor the operation of DTU, we proposed a real-time monitoring system by analyzing the side-channel information of power consumption. To validate this idea, we design 3 types of attacks and collect the power information separately, then we choose representational power features and machine learning algorithm for detecting those attacks. We validate that it is feasible to detect attacks and achieves a detection accuracy above 99%.

Shane S. Clark,Hossen A. Mustafa,Benjamin Ransford,Jacob Sorber,Kevin Fu,Wenyuan Xu

DOI: https://doi.org/10.1007/978-3-642-40203-6_39

2013-01-01

Abstract:Computers plugged into power outlets leak identifiable information by drawing variable amounts of power when performing different tasks. This work examines the extent to which this side channel leaks private information about web browsing to an observer taking measurements at the power outlet. Using direct measurements of AC power consumption with an instrumented outlet, we construct a classifier that correctly identifies unlabeled power traces of webpage activity from a set of 51 candidates with 99% precision and 99% recall. The classifier rejects samples of 441 pages outside the corpus with a false-positive rate of less than 2%. It is also robust to a number of variations in webpage loading conditions, including encryption. When trained on power traces from two computers loading the same webpage, the classifier correctly labels further traces of that webpage from either computer. We identify several reasons for this consistently recognizable power consumption, including system calls, and propose countermeasures to limit the leakage of private information. Characterizing the AC power side channel may help lead to practical countermeasures that protect user privacy from an untrustworthy power infrastructure. © 2013 Springer-Verlag.

Tao Zhao,Xiaoyu Ji,Wenyuan Xu,Aidong Xu,Yixin Jiang,Yang Cao

DOI: https://doi.org/10.1109/ei247390.2019.9061849

2019-01-01

Abstract:With the increase of power terminal devices and IoT devices which are accessed to the power grid, their security issues are becoming more and more important. While the microgrid controllers are served as the central core of the entire microgrid, the attacks on microgrid controllers and other power end devices have been launched in recent years. It's obvious that the current safety protection measures for power end devices are insufficient. However, microgrid controllers cannot be protected by traditional intrusion detection systems or anti-virus software. Motivated by these concerns, this paper proposes a non-intrusive malicious code security monitoring scheme based on a power side channel. The core idea is to measure the power consumption data of the microgrid controller, to extract the power consumption feature, and to identify the abnormality sample through CWRNN neural network to determine whether the microgrid controller is attacked or not. The advantage of this method is that it can effectively detect unknown attacks without modifying the original software system. What's more, the method is evaluated in the experimental test, and the detection accuracy can reach to 92%.

Juchuan Zhang,Xiaoyu Ji,Yuehan Chi,Yi‐Chao Chen,Bin Wang,Wenyuan Xu

DOI: https://doi.org/10.1145/3448300.3468291

2021-01-01

Abstract:Trade secrets such as intellectual properties are the inherent values for firms. Although companies have exploited strict access management policies and isolated their networks from the public Internet, trade secrets are still vulnerable to side-channel attacks. Side-channels can reveal the computing processes of computers in forms of various physical signals such as light, electromagnetism, and even heat. Such side-channels can bypass the isolation mechanism and therefore bring about severe threats. However, existing side-channels can only perform well within a short-distance (e.g., less than 1 meter) due to the high attenuation of signals. In this paper, we seek to utilize the built-in power lines in a building and construct a power side-channel that enables remote, i.e., cross-outlet attack against trade secrets. To this end, we investigate the power factor correction (PFC) module inside the power supply units of commodity computers and find that the PFC signals observed from an outlet can precisely reveal the power consumption information of all the connected devices, even from the outlets in adjacent rooms. Based upon this insight, we design and implement OutletSpy, a power side-channel attack that can infer application launching from a remote outlet and therefore enjoys the stealthiness property. We validate and evaluate OutletSpy with a dataset under different background APPs, time variations and different locations. The experiment results show OutletSpy can infer the application launching with 98.25% accuracy.

Sheng Xu,Yongxiang Xia,Hui-Liang Shen

DOI: https://doi.org/10.1109/tcsii.2020.2999875

2020-01-01

Abstract:In this brief, we analyze the damage caused by malware-induced cyber attacks in Cyber-Physical Power Systems (CPPSs). Incubation period and detection probability of the malware are considered in our analytical framework. From attacker's perspective, the trade-off between attack effectiveness and detection risk is studied to help choose the best attack timing and obtain the maximum payoff. Moreover, we conduct case studies in CPPSs formed by coupling IEEE 118-Bus System with scale-free communication networks. Simulation results reveal that the maximum expected payoff for the attacker is affected by the coupling pattern and the structure of communication network in CPPSs.

Jarilyn M. Hernández Jiménez,Jeffrey A. Nichols,Katerina Goseva-Popstojanova,Stacy Prowell,Robert A. Bridges

DOI: https://doi.org/10.48550/arXiv.1705.01977

2017-05-05

Abstract:Malware detection is challenging when faced with automatically generated and polymorphic malware, as well as with rootkits, which are exceptionally hard to detect. In an attempt to contribute towards addressing these challenges, we conducted a proof of concept study that explored the use of power consumption for detection of malware presence in a general-purpose computer. The results of our experiments indicate that malware indeed leaves a signal on the power consumption of a general-purpose computer. Specifically, for the case study based on two different rootkits, the data collected at the +12V rails on the motherboard showed the most noticeable increment of the power consumption after the computer was infected. Our future work includes experimenting with more malware examples and workloads, and developing data analytics approach for automatic malware detection based on power consumption.

Cryptography and Security

Ziming Zhao,Zhaoxuan Li,Tingting Li,Fan Zhang

DOI: https://doi.org/10.1109/tcad.2024.3444712

IF: 2.9

2024-11-09

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:With the widespread use of Internet of Things (IoT) devices, malware detection has become a hot spot for both academic and industrial communities. A series of solutions based on system calls, system logs, or hardware performance counters achieve promising results. However, such internal monitors are easily tampered with, especially against adaptive adversaries. In addition, existing system log records typically exhibit substantial volume, resulting in data explosion problems. In this article, we present TPE-Det, a side-channel-based external monitor to cope with these issues. Specifically, TPE-Det leverages the serial peripheral interface bus to extract the on-chip traces and designs a recovery pipeline for operating logs. The advantages of this external monitor are adversary-unperceived and tamper-proof. The restored logs mainly include file operation commands, which are lightweight compared to complete records. Meanwhile, we deploy a series of machine learning models with respect to statistical, sequence, and graph features to identify malware. Empirical evaluation shows that our proposal has tamper-proof capability, high-detection accuracy, and low-time/space overhead compared to state-of-the-art methods.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

Shijia Wei,Aydin Aysu,Michael Orshansky,Andreas Gerstlauer,Mohit Tiwari

DOI: https://doi.org/10.1109/hst.2019.8740838

2019-05-01

Abstract:High-assurance embedded systems are deployed for decades and expensive to re-certify – hence, each new attack is an unpatchable problem that can only be detected by monitoring out-of-band channels such as the system’s power trace or electromagnetic emissions. Micro-Architectural attacks, for example, have recently come to prominence since they break all existing software-isolation based security – for example, by hammering memory rows to gain root privileges or by abusing speculative execution and shared hardware to leak secret data. This work is the first to use anomalies in an embedded system’s power trace to detect evasive micro-architectural attacks. To this end, we introduce power-mimicking micro-architectural attacks – including DRAM-rowhammer attacks, side/covert-channel and speculation-driven attacks – to study their evasiveness. We then quantify the operating range of the power-anomalies detector using the Odroid XU3 board – showing that rowhammer attacks cannot evade detection while covert channel and speculation-driven attacks can evade detection but are forced to operate at a 36 × and 7 × lower bandwidth . Our power-anomaly detector is efficient and can be embedded-of-band into (e.g.,) programmable batteries. While rowhammer, side-channel, and speculation-driven attack defenses require invasive code- and hardware-changes in general-purpose systems, we show that power-anomalies are a simple and effective defense for embedded systems. Power-anomalies can help future-proof embedded systems against vulnerabilities that are likely to emerge as new hardware like phase-change memories and accelerators become mainstream.

Paul Maxwell,David Niblick,Daniel C. Ruiz

DOI: https://doi.org/10.1109/ICAICA52286.2021.9498094

2020-12-04

Abstract:Cybersecurity continues to be a difficult issue for society especially as the number of networked systems grows. Techniques to protect these systems range from rules-based to artificial intelligence-based intrusion detection systems and anti-virus tools. These systems rely upon the information contained in the network packets and download executables to function. Side channel information leaked from hardware has been shown to reveal secret information in systems such as encryption keys. This work demonstrates that side channel information can be used to detect malware running on a computing platform without access to the code involved.

Cryptography and Security

Dimitrios Myridakis,Georgios Spathoulas,Athanasios Kakarountas,Dimitrios Schinianakis

DOI: https://doi.org/10.3390/fi12030048

2020-03-10

Future Internet

Abstract:The continuous growth of the number of Internet of Things (IoT) devices and their inclusion to public and private infrastructures has introduced new applciations to the market and our day-to-day life. At the same time, these devices create a potential threat to personal and public security. This may be easily understood either due to the sensitivity of the collected data, or by our dependability to the devices’ operation. Considering that most IoT devices are of low cost and are used for various tasks, such as monitoring people or controlling indoor environmental conditions, the security factor should be enhanced. This paper presents the exploitation of side-channel attack technique for protecting low-cost smart devices in an intuitive way. The work aims to extend the dataset provided to an Intrusion Detection Systems (IDS) in order to achieve a higher accuracy in anomaly detection. Thus, along with typical data provided to an IDS, such as network traffic, transmitted packets, CPU usage, etc., it is proposed to include information regarding the device’s physical state and behaviour such as its power consumption, the supply current, the emitted heat, etc. Awareness of the typical operation of a smart device in terms of operation and functionality may prove valuable, since any deviation may warn of an operational or functional anomaly. In this paper, the deviation (either increase or decrease) of the supply current is exploited for this reason. This work aimed to affect the intrusion detection process of IoT and proposes for consideration new inputs of interest with a collateral interest of study. In parallel, malfunction of the device is also detected, extending this work’s application to issues of reliability and maintainability. The results present 100% attack detection and this is the first time that a low-cost security solution suitable for every type of target devices is presented.

Ziming Zhao,Zhaoxuan Li,Jiongchi Yu,Fan Zhang,Xiaofei Xie,Haitao Xu,Binbin Chen

DOI: https://doi.org/10.1109/tmc.2023.3311012

IF: 6.075

2024-01-01

IEEE Transactions on Mobile Computing

Abstract:With the widespread use of Internet of Things (IoT) devices, malware detection has become a hot spot for both academic and industrial communities. Existing approaches can be roughly categorized into network-side and host-side. However, existing network-side methods are difficult to capture contextual semantics from cross-source traffic, and previous host-side methods could be adversary-perceived and expose risks for tampering. More importantly, a single perspective cannot comprehensively track the multi-stage lifecycle of IoT malware. In this paper, we present ${\sf CMD}$ , a co-analyzed IoT malware detection and forensics system by combining hardware and network domains. For the network part, ${\sf CMD}$ proposes a tailored capsule neural network to capture the contextual semantics from cross-source traffic. For the hardware part, ${\sf CMD}$ designs an entire file operation recovery process in a side-channel manner by leveraging the Serial Peripheral Interface (SPI) signals from on-chip traces. These traffic provenance and operating logs information could benefit the anti-virus countermeasures for security practitioners. By practical evaluation, we demonstrate that ${\sf CMD}$ realizes outstanding detection effects ( e.g., $\sim$ 99.88% F1-score) compared with seven state-of-the-art methods, and recovers 96.88% $\sim$ 99.75% operation commands even if against adaptive adversaries (that could kill processes or tamper with operation log files). A by-product benefit of such an external monitor is ${\sf CMD}$ introduces zero latency on the IoT device, and incurs negligible IoT CPU utilization. Also, since SPI focuses on file operations, the proposed hardware trace forensics does not have the data explosion problem like previous work, e.g., recovered logs of ${\sf CMD}$ only take up limited extra space overhead ( e.g., $\sim$ 0.2 MB per malware). Furthermore, we provide the model interpretability for the capsule network and develop a case study (Hajime) of the operation logs recovery.

Guoming Zhang,Xiaoyu Ji,Yanjie Li,Wenyuan Xu

DOI: https://doi.org/10.3390/s20133635

2020-06-28

Abstract:As a critical component in the smart grid, the Distribution Terminal Unit (DTU) dynamically adjusts the running status of the entire smart grid based on the collected electrical parameters to ensure the safe and stable operation of the smart grid. However, as a real-time embedded device, DTU has not only resource constraints but also specific requirements on real-time performance, thus, the traditional anomaly detection method cannot be deployed. To detect the tamper of the program running on DTU, we proposed a power-based non-intrusive condition monitoring method that collects and analyzes the power consumption of DTU using power sensors and machine learning (ML) techniques, the feasibility of this approach is that the power consumption is closely related to the executing code in CPUs, that is when the execution code is tampered with, the power consumption changes accordingly. To validate this idea, we set up a testbed based on DTU and simulated four types of imperceptible attacks that change the code running in ARM and DSP processors, respectively. We generate representative features and select lightweight ML algorithms to detect these attacks. We finally implemented the detection system on the windows and ubuntu platform and validated its effectiveness. The results show that the detection accuracy is up to 99.98% in a non-intrusive and lightweight way.

Daniel Park,Hannah Powers,Benji Prashker,Leland Liu,Bülent Yener,Bulent Yener

DOI: https://doi.org/10.1109/icmla51294.2020.00173

2020-12-01

Abstract:With the increased deployment of IoT and edge devices into commercial and user networks, these devices have become a new threat vector for malware authors. It is imperative to protect these devices as they become more prevalent in commercial and personal networks. However, due to their limited computational power and storage space, especially in the case of battery-powered devices, it is infeasible to deploy state-of-the-art malware detectors onto these systems. In this work, we propose using and extracting features from Markov matrices constructed from opcode traces as a low cost feature for unobfuscated and obfuscated malware detection. We empirically show that our approach maintains a high detection rate while consuming less power than similar work.

Ethan Chen,John Kan,Bo-Yuan Yang,Jimmy Zhu,Vanessa Chen

DOI: https://doi.org/10.3390/s21248288

IF: 3.9

2021-12-11

Sensors

Abstract:Rapid growth of sensors and the Internet of Things is transforming society, the economy and the quality of life. Many devices at the extreme edge collect and transmit sensitive information wirelessly for remote computing. The device behavior can be monitored through side-channel emissions, including power consumption and electromagnetic (EM) emissions. This study presents a holistic self-testing approach incorporating nanoscale EM sensing devices and an energy-efficient learning module to detect security threats and malicious attacks directly at the front-end sensors. The built-in threat detection approach using the intelligent EM sensors distributed on the power lines is developed to detect abnormal data activities without degrading the performance while achieving good energy efficiency. The minimal usage of energy and space can allow the energy-constrained wireless devices to have an on-chip detection system to predict malicious attacks rapidly in the front line.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Min-Hao Wu,Fu-Hau Hsu,Jian-Hong Hunag,Keyuan Wang,Yen-Yu Liu,Jian-Xin Chen,Hao-Jyun Wang,Hao-Tsung Yang

DOI: https://doi.org/10.3390/electronics13183717

IF: 2.9

2024-09-20

Electronics

Abstract:This manuscript introduces MPSD (Malicious PowerShell Script Detector), an advanced tool to protect Windows systems from malicious PowerShell commands and scripts commonly used in fileless malware attacks. These scripts are often hidden in Office document macros or downloaded remotely via PowerShell, posing significant threats to corporate networks. A 2018 report revealed that 77% of successful cyberattacks involved fileless malware, with PowerShell being the primary attack method, as highlighted in Red Canary's 2022 report. To counter these threats, MPSD leverages the Antimalware Scan Interface (AMSI) to intercept and analyze real-time PowerShell scripts, preventing their execution. It further utilizes VirusTotal to filter out malicious scripts. Unlike traditional methods that rely on direct access to scripts, MPSD detects them before execution, addressing the challenge of hidden or obfuscated scripts. Experimental results show that MPSD outperforms well-known antivirus engines, with a low false-negative rate of 1.83%. MPSD is highly effective against evasion techniques like concatenation, encoding, and reordering, making it a robust tool in the cybersecurity landscape.

engineering, electrical & electronic,computer science, information systems,physics, applied

Antonio Nappa,Panagiotis Papadopoulos,Matteo Varvello,Daniel Aceituno Gomez,Juan Tapiador,Andrea Lanzi

DOI: https://doi.org/10.48550/arXiv.2109.02979

2021-10-06

Abstract:Online malware scanners are one of the best weapons in the arsenal of cybersecurity companies and researchers. A fundamental part of such systems is the sandbox that provides an instrumented and isolated environment (virtualized or emulated) for any user to upload and run unknown artifacts and identify potentially malicious behaviors. The provided API and the wealth of information inthe reports produced by these services have also helped attackers test the efficacy of numerous techniques to make malware hard to <a class="link-external link-http" href="http://detect.The" rel="external noopener nofollow">this http URL</a> most common technique used by malware for evading the analysis system is to monitor the execution environment, detect the presence of any debugging artifacts, and hide its malicious behavior if needed. This is usually achieved by looking for signals suggesting that the execution environment does not belong to a the native machine, such as specific memory patterns or behavioral traits of certain CPU instructions. In this paper, we show how an attacker can evade detection on such online services by incorporating a Proof-of-Work (PoW) algorithm into a malware sample. Specifically, we leverage the asymptotic behavior of the computational cost of PoW algorithms when they run on some classes of hardware platforms to effectively detect a non bare-metal environment of the malware sandbox analyzer. To prove the validity of this intuition, we design and implement the POW-HOW framework, a tool to automatically implement sandbox detection strategies and embed a test evasion program into an arbitrary malware sample. Our empirical evaluation shows that the proposed evasion technique is durable, hard to fingerprint, and reduces existing malware detection rate by a factor of 10. Moreover, we show how bare-metal environments cannot scale with actual malware submissions rates for consumer services.

Cryptography and Security

Harshit Kumar,Biswadeep Chakraborty,Sudarshan Sharma,Saibal Mukhopadhyay

DOI: https://doi.org/10.1109/TIFS.2023.3318969

2023-09-15

Abstract:Hardware-based Malware Detectors (HMDs) have shown promise in detecting malicious workloads. However, the current HMDs focus solely on the CPU core of a System-on-Chip (SoC) and, therefore, do not exploit the full potential of the hardware telemetry. In this paper, we propose XMD, an HMD that uses an expansive set of telemetry channels extracted from the different subsystems of SoC. XMD exploits the thread-level profiling power of the CPU-core telemetry, and the global profiling power of non-core telemetry channels, to achieve significantly better detection performance than currently used Hardware Performance Counter (HPC) based detectors. We leverage the concept of manifold hypothesis to analytically prove that adding non-core telemetry channels improves the separability of the benign and malware classes, resulting in performance gains. We train and evaluate XMD using hardware telemetries collected from 723 benign applications and 1033 malware samples on a commodity Android Operating System (OS)-based mobile device. XMD improves over currently used HPC-based detectors by 32.91% for the in-distribution test data. XMD achieves the best detection performance of 86.54% with a false positive rate of 2.9%, compared to the detection rate of 80%, offered by the best performing signature-based Anti-Virus(AV) on VirusTotal, on the same set of malware samples.

Cryptography and Security

Cristiano Pegoraro Chenet,Alessandro Savino,Stefano Di Carlo

DOI: https://doi.org/10.1109/access.2024.3388716

IF: 3.9

2024-04-27

IEEE Access

Abstract:This paper delves into the dynamic landscape of computer security, where malware poses a paramount threat. Our focus is a riveting exploration of the recent and promising hardware-based malware detection approaches. Leveraging hardware performance counters and machine learning prowess, hardware-based malware detection approaches bring forth compelling advantages such as real-time detection, resilience to code variations, minimal performance overhead, protection disablement fortitude, and cost-effectiveness. Navigating through a generic hardware-based detection framework, we meticulously analyze the approach, unraveling the most common methods, algorithms, tools, and datasets that shape its contours. This survey is not only a resource for seasoned experts but also an inviting starting point for those venturing into the field of malware detection. However, challenges emerge in detecting malware based on hardware events. We struggle with the imperative of accuracy improvements and strategies to address the remaining classification errors. The discussion extends to crafting mixed hardware and software approaches for collaborative efficacy, essential enhancements in hardware monitoring units, and a better understanding of the correlation between hardware events and malware applications.

computer science, information systems,telecommunications,engineering, electrical & electronic