CE39 - Sécurité Globale et Cybersécurité

Automated Hardware Malware Analysis – AHMA

Malware classification through physical side-channel information

The Internet of Things is constituted of devices that are exponentially growing in number and in complexity. They often use numerous customized software and hardware, without taking into consideration security issues, which make them a target of choice for cybercriminals. The project presents the novel approach of using side-channel information, to not only detect if a device is infected by malware, but also to identify precisely the kind of threat that is targeting the device.

Malware classification through physical side-channel information from known, mutated, and unknown malware samples

Our objectives are to extend the usage of side-channel information to provide further insights into the hardware behavior when malware is executed. Our approach is to<br />(1) find and measure suitable additional side-channel sources on IoT devices, in combination with an analysis framework consisting of machine learning techniques for<br />(2) data preparation and<br />(3) malware classification of known (mutated) and unknown samples.

Using our approach a malware analyst is able to obtain precise knowledge about malware type and identity, even in the presence of software obfuscation techniques that may prevent static binary analysis.

We recorded a vast amount of electromagnetic emanation traces from a bare-metal IoT device infected by various in-the-wild malware samples. We preprocessed these records and use them to train different neural network models.
Our method does not require any modification on the target device. Thus, it can be deployed independently from the resources available, and so even on low-performance systems, without any overhead.
Moreover, our approach has the advantage that it cannot be easily detected and escaped by the malware attacker.

In our experiments, the test dataset constitutes over 19000 electromagnetic measurement traces on which we were able to predict four generic malware classes (and one benign class) with an accuracy of 99.66%.
Even more, our results show that we are able to classify altered malware samples with unseen obfuscation techniques during the training phase and to determine what kind of obfuscations were applied to the binary, which makes our approach particularly useful for malware analysts.

We have demonstrated in this paper that by using simple neural network models, it is possible to gain considerable information about the state of a monitored device, by observing solely its electromagnetic emanations.
We were indeed able to not only detect but also determine the type of various malware infecting a Raspberry Pi 2B running a full GNU/Linux operating system, with an accuracy of 99.66 % on a test dataset including 19200 traces recording the activity of 28 different malware binaries (and one binary generating random benign activity). We demonstrated that software obfuscation techniques do not hinder our classification approach. Even more, we showed that it was possible to detect particular obfuscation and even classify between them (or groups of obfuscation techniques).

Remarkably, if we place our results in a malware detection scenario to be comparable to previous works on EM/power monitoring for malware detection, we achieve an accuracy of 100%.

Given our experimental results, malware analysts (defenders) may therefore profit from our methodology to gain information about the variant, type, forensic, and/or evolution of malware, particularly, in the context when software systems fail (due to malware evasion) or cannot be applied (due to restricted resources on the embedded device).

While these results were obtained in a controlled setup, as it is usually the case with malware analysis,
we believe that our methodology may be straightforwardly extendable to perform analysis in real-time.
Therefore, future work may concentrate on the extension of our approach to real-time user systems.
Other interesting directions could be the investigation of other platforms, to assess in which measure the knowledge learned by a model on a device can be transferred to another one.

* NDSS 2021, Rank 1 conference, (currently under review, passed the first round of review selection). Title: « Out of device malware analysis: leveraging IoT devices electromagnetic emanation to perform deep learning classification»
* RESSI 2019 : presentation for starting projects
* Presentation at Malware analysis day May 2019, IRISA, Rennes
* Project presentation at EDF, May 2019

The Internet of Things (IoT) will influence the majority of our daily life’s infrastructure. The IoT is still only in its early stages, but the number of internet-enabled devices is beginning to explode (likely to hit 50 billion by 2020). While efficiency and diffusion of IoT are increasing, security threats are becoming a far-reaching problem. Here we are particularly concentrating on ensuring the security of IoT nodes against malware threats, which may seriously disrupt daily life and economic activity or even reveal privacy critical data of users.
As state-of-the-art software monitoring techniques (static or dynamic) can still be circumvented by sophisticated attackers, we propose an automated hardware malware analysis (AHMA) framework that is non-intrusive and cannot easily be controlled or hidden by the malware attacker. AHMA uses side-channel information of the underlying hardware IoT device to detect if a device is infected by malware or in its typical running state. The framework includes supervised and unsupervised machine learning techniques to classify already known (mutated) malware as well as unknown malware.
As side-channel sources we will first concentrate on power consumption and/or electromagnetic emanation which is captured after a teardown of the device.
In this proposal we cover three real-world case studies:

1) Dedicated IoT devices
This first case study covers home routers and dedicated IoT devices which are designed to make our daily life easier and simpler. These devices often do not have any user interface and typically do not run standard operating systems that support the commonly used security tools (e.g. antivirus, firewall) or just do not have enough resources.
In this study we will rely on published malware samples as open-source and/or collaborate with researchers collecting IoT malware samples through honey pots. One of the most predominant Distributed Denial of Service (DDoS) IoT botnet in recent times is Mirai, which source code has been published as open- source. At its peak, Mirai infected 4000 IoT devices per hour and in the beginning of 2017 it was estimated to have more than half a million infected active IoT devices.

2) Connected cars
Early in 2018 another new variant of Mirai, called Mirai Okiru, targeted ARC-based IoT devices, which are widely used also in automotive applications. Therefore also devices inside connected cars could be enslaved to perform DDoS attacks.
Moreover, malware may directly attack the automotive system. In this context the motivation of attackers could be to breach drivers privacy, ransom, theft, sabotage, harm people and properties, disrupt transportation, and/or fun and publicity.
Any network interface, physical or wireless, could be exploited by malware to infect a vehicle. Given the large interconnectivity and multiple different architectures in this context of connected cars, additional to power consumption/ electromagnetic emanation we may observe new side-channel sources to detect malware which have not been considered and studied before.

3) Mobile phones/devices
In the last decade, Android became the most popular operating environment for smart devices, with almost 85% of the market share in the first quarter of 2017. This popularity makes it a very attractive target for malware attackers. However, its open application market and lax review mechanism have led to a rapid proliferation of Android malware as well as security threats.
In this case study, we aim at detecting recent malware samples on modern devices such as Nexus = 4 or Galaxy = S III using power consumption/ electromagnetic emanation.

Our novel framework is of high importance and impact for industries, and thus for users benefitting from increasing protection.

Project coordination

Annelie Heuser (Institut de Recherche en Informatique et Systèmes Aléatoires)

The author of this summary is the project coordinator, who is responsible for the content of this summary. The ANR declines any responsibility as for its contents.


IRISA Institut de Recherche en Informatique et Systèmes Aléatoires

Help of the ANR 342,518 euros
Beginning and duration of the scientific project: September 2018 - 42 Months

Useful links

Explorez notre base de projets financés



ANR makes available its datasets on funded projects, click here to find more.

Sign up for the latest news:
Subscribe to our newsletter