
My antivirus scans electromagnetic waves directly, and its Trojan detection accuracy is 99.82%

Report from Heart of the Machine

Editors: mayoy, canoe

We always say that the network security of IoT devices is hard to guarantee, and now someone has tackled it with a "dimensionality-reduction strike": going below the software layer altogether.

The Internet of Things (IoT) consists of an exponentially growing number of increasingly complex devices. Because they rely on large amounts of customized firmware and hardware, manufacturers find it hard to consider security fully, which makes IoT devices easy targets for cybercrime, in particular malware attacks.

Today, many of the world's largest enterprises are grappling with increasingly widespread and sophisticated malware attacks. An interesting new malware detection technique could help businesses root out these threats without installing any software on the monitored device.

A team of researchers from the French Institute for Computer Science and Stochastic Systems has built a Raspberry Pi-centred anti-malware system that detects malware by scanning the electromagnetic waves a device emits.


Paper link: https://hal.archives-ouvertes.fr/hal-03374399/document

The detection setup uses an oscilloscope (Picoscope 6407) and an H-field probe connected to a Raspberry Pi 2B to detect anomalies in the electromagnetic emissions of the monitored device. The researchers say the technique is used to "obtain accurate information about the type and identity of the malware." The detection system then relies on convolutional neural networks (CNNs) to decide whether the collected data indicates a threat.

With this technique, the researchers report recording 100,000 measurement traces from an IoT device infected by real malware samples and predicting three generic malware categories plus one benign category with up to 99.82% accuracy.

Most importantly, this detection technique requires no software, and nothing needs to be done to the device being scanned. An attacker therefore cannot hide the malicious code from it by using obfuscation techniques.

"Our method does not require any modifications to the target device. As a result, it can be deployed independently of the available resources without any overhead. In addition, the advantage of this approach is that malware authors can hardly detect and circumvent it," the researchers wrote in the paper.

The system is designed for research purposes rather than for release as a commercial product, but it could inspire more security teams to look into detecting malware through electromagnetic emissions. The research is still at an early stage, and the neural networks need further training before practical use.

In a sense, such a system is also a unique way to protect devices: it makes it hard for malware authors to hide their code. But the technology is far from being available to the public.

At the price of a Raspberry Pi, this could be a low-cost method of detecting malware, whereas other electromagnetic scanning equipment can cost thousands of dollars. Despite its limitations, this neat setup may one day help protect devices from large-scale attacks.

Research details

The team proposed a malware classification framework that takes an executable file as input and outputs its predicted labels based solely on electromagnetic side-channel information.

Figure 1 illustrates the workflow. First, the researchers define a threat model in which electromagnetic emissions are collected while the malware runs on the target device. They built an infrastructure that can run malware in a realistic user environment while preventing infection of the host controller system. Then, because the acquired data is very noisy, a preprocessing step isolates the relevant signal. Finally, on this output, the researchers trained neural network models and machine learning algorithms to classify malware types, binaries and obfuscation methods, and to detect whether an executable file was packed.


Experiments and results

The first step of the experiment is data acquisition.

First, the choice of target device is crucial for EM side-channel analysis. The researchers identified three main requirements:

It must be a general-purpose embedded device, so as to support as much malware as possible rather than a specific set of malware or devices;

Its CPU must use a widespread architecture, so that new IoT malware is unlikely to lack support for it;

It must be vulnerable to EM side-channel attacks.

The study ultimately selected the Raspberry Pi 2B as the target device; it has a 900 MHz quad-core ARM Cortex-A7 CPU and 1 GB of memory.

To support the malware in the dataset, including Mirai and Bashlite, the study implemented a synthetic environment modelling a central malicious C&C server. As shown in Figure 2 below, the C&C server randomly issues different commands to the bot clients across a variety of attack scenarios.


For electromagnetic signal acquisition, the study used a low- to mid-range measurement setup to monitor the Raspberry Pi while it executed the benign and malicious datasets. As shown in Figure 3 below, it consists of a 1 GHz-bandwidth oscilloscope (Picoscope 6407) connected to an H-field probe (Langer RF-R 0.3-3), with a Langer PA-303 +30 dB amplifier boosting the EM signal. To capture the long execution of malware, the signal is sampled at 2 MHz.


The feature selection process, which applies NICV (normalized inter-class variance) to a spectrogram, is shown in Figure 4 below.
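The workflow described above (noisy traces, preprocessing that isolates the informative part of the signal, then classification) and the NICV-based band selection of Figure 4 can be sketched in a few lines. The following is an added illustration, not code from the paper or the article: it constructs synthetic spectrogram rows for the four classes of the type-classification scenario, scores each frequency band by NICV (the variance of the per-class means divided by the total variance of that band), keeps the highest-scoring bands, and classifies test traces with a nearest-centroid rule standing in for the paper's CNN/MLP/NB/SVM models. The band count, the class offsets, the noise level and the classifier are all assumptions made for the demo.

```python
"""Added example: NICV feature selection over constructed spectrogram bands.
Not the paper's code; sample data and classifier are assumptions for the demo."""
import random
from statistics import mean, pvariance

CLASSES = ["benign", "ddos", "ransomware", "rootkit"]
N_BANDS = 16  # assumption: 16 frequency bands per averaged spectrogram row


def make_traces(n_per_class=40, seed=7):
    """Constructed data: each trace is a list of N_BANDS band powers.
    Bands 3, 7 and 11 carry a class-dependent offset (demo assumption);
    every other band is pure Gaussian noise, like an uninformative band."""
    rng = random.Random(seed)
    offsets = {"benign": (0.0, 0.0, 0.0), "ddos": (3.0, 0.0, 0.5),
               "ransomware": (0.0, 3.0, 0.5), "rootkit": (0.0, 0.0, 3.5)}
    traces, labels = [], []
    for label in CLASSES:
        for _ in range(n_per_class):
            trace = [rng.gauss(0.0, 1.0) for _ in range(N_BANDS)]
            for band, off in zip((3, 7, 11), offsets[label]):
                trace[band] += off
            traces.append(trace)
            labels.append(label)
    return traces, labels


def nicv(traces, labels):
    """NICV per band: Var over classes of E[x | class], divided by Var(x).
    Lies in [0, 1]; a band whose mean depends on the class scores high.
    Classes are assumed balanced, so the unweighted variance of the
    class means equals the class-probability-weighted one."""
    scores = []
    for b in range(len(traces[0])):
        col = [t[b] for t in traces]
        total_var = pvariance(col)
        if total_var == 0.0:
            scores.append(0.0)
            continue
        class_means = [mean(v for v, lab in zip(col, labels) if lab == c)
                       for c in CLASSES]
        scores.append(pvariance(class_means) / total_var)
    return scores


def select_bands(scores, k):
    """Keep the k bands with the highest NICV."""
    return sorted(range(len(scores)), key=lambda b: scores[b], reverse=True)[:k]


def fit_centroids(traces, labels, bands):
    """Per-class mean vector over the selected bands (stand-in for a model)."""
    return {c: [mean(t[b] for t, lab in zip(traces, labels) if lab == c)
                for b in bands] for c in CLASSES}


def predict(centroids, trace, bands):
    """Nearest-centroid decision on the selected bands only."""
    feats = [trace[b] for b in bands]
    return min(centroids, key=lambda c: sum((f - m) ** 2
                                            for f, m in zip(feats, centroids[c])))


def run_pipeline(k=3):
    """Train on one constructed set, evaluate on another; returns the
    selected bands and the test accuracy."""
    x_train, y_train = make_traces(seed=7)
    x_test, y_test = make_traces(n_per_class=20, seed=99)
    bands = select_bands(nicv(x_train, y_train), k)
    centroids = fit_centroids(x_train, y_train, bands)
    correct = sum(predict(centroids, t, bands) == lab
                  for t, lab in zip(x_test, y_test))
    return bands, correct / len(x_test)


if __name__ == "__main__":
    selected, acc = run_pipeline()
    print("selected bands:", sorted(selected), "test accuracy: %.2f" % acc)
```

Because NICV is computed per band from labelled training traces, it discards the noise-only bands before any model sees them, which is the point of the preprocessing step: the classifier is trained on the few bands whose power actually depends on what the device is executing, rather than on the whole noisy spectrogram. On real captures the bands would come from a spectrogram of the probe signal rather than from constructed offsets, and a CNN or SVM would replace the centroid rule.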


The results of the experiment are shown in Table 3. The first column is the name of the scenario, the second column gives the number of outputs (classes) of the network, and the remaining columns show the optimal number of frequency bands selected, together with the accuracy and recall of the two neural network models and the two machine learning algorithms on the test dataset.


classify. The researchers used traces measured while 30 malware samples were active, plus traces of benign activity (random, video, music, pictures, camera), both executed in a randomized user environment to avoid bias.

The malware binaries are variants of five families (gonnacry, keysniffer, maK_It, mirai and bashlite), produced with seven different obfuscation techniques.

In this scenario, the researchers aimed to recover the type of malware that infected the device when it was compromised. This is a 4-class classification problem: ransomware, rootkit, DDoS and benign. All models are very effective on this problem (> 98% accuracy), and obfuscation clearly does not hinder type classification.


The CNN (99.82%) is slightly more accurate than the MLP, NB and SVM models. Figure 5(a) shows the confusion matrix of predicted labels for each executed binary; the darker the colour, the higher the proportion of correctly predicted labels. There is no confusion between the benign and rootkit classes and any other class, and only a little confusion, in both directions, between DDoS and ransomware. The confusion matrix in Figure 5(b) shows that most types are classified correctly and that obfuscation does not hinder classification. Figure 5(c) shows that, for each obfuscation technique, the CNN predicts the correct classification label.

The study shows that, with a simple neural network model, the state of a monitored device can be inferred just by observing its EM emissions, and the type of malware attacking the Raspberry Pi (running a Linux OS) can be determined with 99.89% accuracy on the test dataset. The study also demonstrates that software obfuscation techniques do not hinder its classification methods. This work opens up new directions for behavioural analysis through electromagnetic emissions.

Reference Links:

https://gizmodo.com/raspberry-pi-can-detect-malware-by-scanning-for-electro-1848339130
