Raspberry Pi-based device uses electromagnetic waves to detect malware

Polycount

Posts: 3,011   +589
Staff member
In brief: Antivirus software typically relies on a combination of machine learning algorithms and frequently-updated malware definitions to protect our computers from outside threats. However, no antivirus software is perfect, and they will occasionally miss newer or heavily-disguised threats. That's why researchers from the Institute of Computer Science and Random Systems have sought to explore new methods of detecting hostile programs that don't rely on software solutions at all.

Instead, the team -- comprised of four members -- is taking advantage of electromagnetic pulses to detect harmful software; even when the target is obfuscated. Their approach is unorthodox, to say the least, but also fairly accurate based on their initial tests.

The technology the team developed uses a Raspberry Pi to connect with an infected or potentially-infected device. The Pi interfaces with an H-field probe and an oscilloscope: the former is what detects the magnetic waves emitting from a device and the latter visualizes them for a malware analyst to view.

According to the researchers, different varieties of malware give off specific electromagnetic waves. Since everything seems to give off such waves these days, it wasn't enough to just set up the system and analyze the oscilloscope's output. The Pi-based malware detector had to be trained on a variety of threats to improve its detection accuracy and root out false positives.

During the researchers' experiments, the Pi was able to predict three "generic malware types" and one "benign" class (non-harmful malware that might be more of an annoyance than anything) with an accuracy of about 99.82 percent. It doesn't matter, the team notes, what sort of obfuscation techniques the software in question might be using on the software side because their device doesn't rely on software; it operates at a higher level.

This research is still in its early stages, and this tech isn't going to be widely available to the public anytime soon. However, the potential for good is obvious: malware creators will undoubtedly find it difficult, if not impossible, to completely hide the electromagnetic traces their programs leave behind.

We can see a future in which this tech is used to feed antivirus databases and allow programs like Malwarebytes and Windows Defender to stay ahead of the curve and better protect their users. That would be ideal, anyway -- malware creators are nothing if not crafty, so perhaps they'll find some way around this detection system in the future.

Permalink to story.

 

Bullwinkle M

Posts: 709   +601
I wish I had a better understanding of this stuff. It sounds fascinating.
(Obligatory XP rant incoming) >

It is complete crap

I have been using Windows XP online since 2014 without a single malware problem

I do not have even one single Windows security update installed and do not even use security pack 3

It is running a native boot in a full admin account

It has remained immune to every single ransomware variant so far

There is no need for an oscilloscope and a raspberry pi to detect "SOME" malware when we can already stop "ALL" malware with the right knowledge and software

I study malware on a daily basis with this XP box and have been for several years now

You may not be able to duplicate this success with a "GENUINE" copy of Spyware Platform 10 or Malware Platform 11, but that is the fault of monopolies that demand you use a backdoor'd / weaponized spyware platform

It is EASY to secure an O.S. if the Monopolies would only allow you to do so

Guess what?
They DON'T!
 

mbrowne5061

Posts: 2,014   +1,205
I wish I had a better understanding of this stuff. It sounds fascinating.
To over-simplify it, the each operation on any electrical device has an electromagnetic signature. When you obfuscate an operation, all you're doing is layering multiple electromagnetic signals on top of one another, you aren't really changing any of the individual signals. This method, says 'ok, we know the malware has a 200MHz period, 2mV amplitude, and has some off-set signals at 10MHz - ignore everything that does not match that', and it is able to because that is relatively easy for a sufficiently advanced oscilloscope or signal analyzer, when drive by a computer (the Raspberry Pi, in this case). So now you have a setup configuration that completely ignores the obfuscation methods, and only pays attention to the malware itself.

All that said, I highly doubt you'll ever see this in your home, or even in a enterprise environment. Electronic measurement equipment is not cheap, and it is likely doing most of the heavy lifting here (the R Pi is just the repository of known malware signals, and is the computer that is configuring the scope or analyzer to check for each one). In all likelihood, this will be used by antivirus companies to refine their malware definitions, not as a piece of equipment for the end user. IMO.
 

scavengerspc

Posts: 2,588   +2,808
TechSpot Elite
To over-simplify it, the each operation on any electrical device has an electromagnetic signature. When you obfuscate an operation, all you're doing is layering multiple electromagnetic signals on top of one another, you aren't really changing any of the individual signals. This method, says 'ok, we know the malware has a 200MHz period, 2mV amplitude, and has some off-set signals at 10MHz - ignore everything that does not match that', and it is able to because that is relatively easy for a sufficiently advanced oscilloscope or signal analyzer, when drive by a computer (the Raspberry Pi, in this case). So now you have a setup configuration that completely ignores the obfuscation methods, and only pays attention to the malware itself.

All that said, I highly doubt you'll ever see this in your home, or even in a enterprise environment. Electronic measurement equipment is not cheap, and it is likely doing most of the heavy lifting here (the R Pi is just the repository of known malware signals, and is the computer that is configuring the scope or analyzer to check for each one). In all likelihood, this will be used by antivirus companies to refine their malware definitions, not as a piece of equipment for the end user. IMO.
So each type of operation has, basically, its own fingerprint? And this is trying to ID it when it happens?
 

cliffordcooley

Posts: 13,141   +6,438
To over-simplify it, the each operation on any electrical device has an electromagnetic signature. When you obfuscate an operation, all you're doing is layering multiple electromagnetic signals on top of one another, you aren't really changing any of the individual signals.
The frequencies are determined by bus frequencies. Not the applications that are talking on that bus.
 

mbrowne5061

Posts: 2,014   +1,205
So each type of operation has, basically, its own fingerprint? And this is trying to ID it when it happens?
Essentially, yes. An malware writers try to obfuscate their programs by adding additional 'fingerprints' on top of each other. This method works because it can tell the fingerprints apart from one another by the 'ink'.
The frequencies are determined by bus frequencies. Not the applications that are talking on that bus.
Bus frequencies play a major role, but they aren't the sole factor in an electromagnetic signature. You also have the actual switching of the logic gates that are opened and closed as a result of the program itself. I stuck with frequency because that is probably the most 'advanced' bit of electrical engineering a layman might know. Everyone has probably seen an oscilloscope at some point, fewer people have seen network analyzer, signal analyzers, logic analyzers, power analyzer, etc. All of these can be used when trying to figure out what a piece of software is doing on a processor, especially if you already know what the architecture of the processor looks like.
 

cliffordcooley

Posts: 13,141   +6,438
Bus frequencies play a major role, but they aren't the sole factor in an electromagnetic signature. You also have the actual switching of the logic gates that are opened and closed as a result of the program itself. I stuck with frequency because that is probably the most 'advanced' bit of electrical engineering a layman might know.
Yes and you expect us to believe you can predict which movie is playing based on color of the current screen pixel at any given time. Unless you have it mapped out and actually know when that pixel is going to be a specific color. It will be a failed attempt. There are no patterns to logic gates. I couldn't (and neither could you) guess a random number between 0 and 255, much less a 64 bit value. The idea is not to return false positives while finding positives.

There are better ways to monitor traffic than EMF. And that is exactly what your active anti-virus does. If you can't catch it by monitoring traffic by application. Then you will never know how to by EMF. For one EMF will have cross-talk from all parallel channels. Cross-talk from only two bits will scramble the transmission. That is why shielding is used in cabling. Once the channels are blended there is no way to know what was sent.
 

Bruno M. Villar

Posts: 35   +6
Actually, if this kind of technology falls on wrong hands, criminals can do the same effect the opposite way. Imagine not detecting malware as a threat, but the O.S itself or your favorite app, or that cripto currency servers that you believe will turn you into a millionaire in the next few weeks and that you throwed your mother's life savings into it. Outrageous.
 

Bruno M. Villar

Posts: 35   +6
Actually, if this kind of technology falls on wrong hands, criminals can do the same effect the opposite way. Imagine not detecting malware as a threat, but the O.S itself or your favorite app, or that cripto currency servers that you believe will turn you into a millionaire in the next few weeks and that you throwed your mother's life savings into it. Outrageous.
In terms of windows operational system itself, we can consider it would be detected as the skynet itself
 

human7

Posts: 44   +29
It isn't surprising at all that this could work. Researchers have known for a while that you could use similar side-channel style monitoring to surveil or tamper with legitimate programs, as well, and plenty of research into those techniques continues. It's nice to see that side-channel attacks can be used against malware, but the trick will be securing the systems in a way such that this is their only purpose. Like with antimalware software today, it will ultimately come down to trust.
 

human7

Posts: 44   +29
Yes and you expect us to believe you can predict which movie is playing based on color of the current screen pixel at any given time. Unless you have it mapped out and actually know when that pixel is going to be a specific color. It will be a failed attempt. There are no patterns to logic gates. I couldn't (and neither could you) guess a random number between 0 and 255, much less a 64 bit value. The idea is not to return false positives while finding positives.

There are better ways to monitor traffic than EMF. And that is exactly what your active anti-virus does. If you can't catch it by monitoring traffic by application. Then you will never know how to by EMF. For one EMF will have cross-talk from all parallel channels. Cross-talk from only two bits will scramble the transmission. That is why shielding is used in cabling. Once the channels are blended there is no way to know what was sent.

With respect, the flaw in the argument here is the assumption that the distribution of values that you see is random. While you or I cannot discern what is going on from a particularly weak or noisy signal, it very well would be possible to make accurate predictions (within some error margin as predictions always are). The part of "unless you mapped it out" is what training machine learning algorithms is all about. We cannot program specific rules to describe the target, but a machine is capable of learning what that target represents.

For example, how do you recognize a cat from an image? Nobody has been very successful in writing out an algorithm which can do this, but we have been successful in writing algorithms which can learn how to do this, and the most successful models (the resulting algorithms that can make the predictions) are quite complicated and difficult for us to intuitively understand.

And so it is with predicting a movie based on observing the color changes of a pixel, or with monitoring EM radiation coming from a computer, or what have you.

You are right, of course, that the researches here would need to know what malicious software is (from software anti-virus) in order to train an EMF detection system. But another approach is to train an EMF detection system on a known clean system with a specific workload, and then to scan for anything that deviates from that workload.
 

mbrowne5061

Posts: 2,014   +1,205
Yes and you expect us to believe you can predict which movie is playing based on color of the current screen pixel at any given time. Unless you have it mapped out and actually know when that pixel is going to be a specific color. It will be a failed attempt. There are no patterns to logic gates. I couldn't (and neither could you) guess a random number between 0 and 255, much less a 64 bit value. The idea is not to return false positives while finding positives.

There are better ways to monitor traffic than EMF. And that is exactly what your active anti-virus does. If you can't catch it by monitoring traffic by application. Then you will never know how to by EMF. For one EMF will have cross-talk from all parallel channels. Cross-talk from only two bits will scramble the transmission. That is why shielding is used in cabling. Once the channels are blended there is no way to know what was sent.
I mean, I am only explaining the tools used; take your issue with the validity and effectiveness of their use up with the paper's authors.
To riff off your example, I just explained what a 'camera' was and how it could let you look at pixels, and you're taking issue with whether the information in these pixels could ever be interpreted into a useful signal.