
Detecting electromagnetic waves can pick out malware; netizens ask: is this taking the computer's pulse?

By Bowen and Xiao Zhen, reporting from Aofeisi

QbitAI | official account QbitAI

Without installing any antivirus software, can a "silk-thread pulse reading" (a diagnosis made without touching the patient) still pick out computer viruses?

And with an accuracy of 99.82%, enough to put antivirus software to shame.

First, meet our "patient": a Raspberry Pi that has been specially prepared to play the role of a small computer:


Numerous normal and abnormal activities, such as malware intrusions, service interruptions and background processes, are taking place on this small computer.

Then the AI is connected to this blue-and-white oscilloscope, whose probe is held above the CPU without touching it:


Soon, the AI discovered the malware on this computer!

The malware is running inside the Raspberry Pi, so how can a probe that never touches it spot the infection almost as soon as it is placed?

The answer is: rely on electromagnetic waves.

A group of researchers from IRISA in France argue that viruses, spyware, worms and other malware, when active, inevitably leak "abnormal" electromagnetic emissions that differ from the device's normal activity.

By capturing these emissions with an external device and having an AI tell the different electromagnetic signatures apart, traces of malware on an infected device can be found over the air.


They note that the probe is not connected to the infected device, so malware such as a virus has no way to detect the monitoring.

Because the detector does not fight the malware on its own turf (inside the infected device), it cannot be targeted for a counterattack, nor can it trigger the malware into further disguising itself.


Conversely, however well a piece of malware disguises itself and however capable it is, it cannot hide the electromagnetic radiation and heat that the infected device gives off.


The study has been accepted at ACM's ACSAC 2021. According to the authors, for the most common types of malware the recognition rate of this "silk-thread pulse reading" is very high:


Tech-community heavyweight @phunter_lau even quipped that this is "metaphysics delivering the killing blow":


So what kind of research is this?

A realistic "virus database"

For the AI to learn this remote diagnosis, it must learn to recognise the diseases while avoiding misdiagnosis.

So two kinds of electromagnetic datasets are needed.

On one hand, it must first see enough "diseases", that is, the electromagnetic signals emitted while malware is running.

Computer viruses, as we often call them, are actually just one of the broad types of malware.

Malware includes computer worms, Trojan horses, ransomware, spyware and even some adware, which can exploit vulnerabilities in IoT devices to compromise them.

The researchers took samples from VirusSign, a well-known malware repository, collecting a total of 4790 32-bit ARM ELF malware samples.


They found that the following three types of malware are the most common:

The first is DDoS malware, which floods a website or network resource with malicious traffic until resources are exhausted and the service is interrupted or suspended, leaving it inaccessible to its normal users. Typical DDoS malware includes Mirai and Bashlite.

The second is ransomware, also described as a denial-of-access attack: it locks the device or systematically encrypts selected files on the hard drive and demands that the victim pay a ransom to regain control. A typical representative is GoNNaCry.

The third is kernel-mode rootkits. A rootkit is a collection of tools that replaces or alters executable programs; a kernel-mode rootkit can not only access OS files but also change kernel functionality by adding or removing code. Keysniffer, for example, logs keystroke events and writes them to debugfs.

Mastering these basic "diseases" is not enough; the AI must also learn to recognise malware's further "disguises".

Obfuscation, for example, is one of the more common disguises used by malware.


This approach, which deliberately obscures code to make reverse engineering difficult, was originally a technique for protecting intellectual property. Later it was adopted by malware authors to weaken antivirus software and escape detection.

Based on this, the researchers used obfuscation techniques to further "upgrade" the malware and add it to the dataset.

This covers transforming the samples with static code rewriting (opaque predicates, bogus control flow, instruction substitution, control-flow flattening) and dynamic code rewriting (packers, code virtualization).

On the other hand, besides malware data, the AI must also know what the signal looks like under normal conditions.

So alongside the malicious "virus database", the researchers also prepared a benign dataset, to simulate a real scene in which malware intrusions are only occasional bursts among normal activity.

What is benign data?

Examples include computation, device sleep, photo capture, network connections, and long-running programs such as media playback.


Since the Raspberry Pi ran Raspbian Buster with Linux 4.19.57-v7 on ARMv7l, the researchers collected ARM executables from a freshly installed system to generate the benign dataset.

In total, the researchers collected 100,000 electromagnetic traces for training the AI.

Before this data can be handed to the AI, it still needs some processing; from data collection to finished training there are three steps.

Time-frequency analysis is used to reduce the effect of noise

First, deploy a data collection device to collect signal data.


The collection setup has two parts: the attacked device and the oscilloscope. The Raspberry Pi is the attacked device, and the high-speed PicoScope 6407 digitizer (the oscilloscope) collects and transmits the data.

The deployed setup is shown below; the PicoScope 6407's EM probe is positioned over the Raspberry Pi to collect the signals:


The data is then preprocessed.


Because the captured electromagnetic signal carries a great deal of noise, it is analysed in both the time and frequency domains to extract features:


Finally, train the AI with this data.

To pick the most suitable model for this experiment, the researchers trained four classifiers: SVM, NB, MLP and CNN:


In the end they found that MLP and CNN were the best:


CNN was the best of all; the specific model architecture is as follows:


The training results are as follows: only 1 of the 1963 benign samples was misclassified as DDoS, all rootkit samples were correctly identified, and DDoS and ransomware were also recognised well:


And beyond the individual malware types, the model's classification remains good on samples that were processed with obfuscation techniques.
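As an added illustration of the pipeline described above (capture a noisy trace, analyse it in the time-frequency domain, train a classifier), and not code or data from the paper: the traces here are synthetic, a pure-Python windowed DFT stands in for the time-frequency analysis, and a nearest-centroid classifier stands in for the MLP/CNN; the tone frequencies, window sizes and noise level are all made-up assumptions.

```python
import cmath
import math
import random
# Constructed stand-in for the page's pipeline (not the paper's code or data): an
# EM trace is a list of samples; window it, take a magnitude spectrum per window
# with a plain DFT, then average over time so capture noise washes out.

def window_spectrum(samples):
    """Magnitude of the first n/2 DFT bins of one window."""
    n = len(samples)
    return [abs(sum(x * cmath.exp(-2j * math.pi * k * i / n)
                    for i, x in enumerate(samples))) / n for k in range(n // 2)]

def tf_features(trace, win=32, hop=16):
    """Time-frequency features: mean magnitude per bin across sliding windows."""
    spectra = [window_spectrum(trace[s:s + win])
               for s in range(0, len(trace) - win + 1, hop)]
    return [sum(col) / len(spectra) for col in zip(*spectra)]

# Hypothetical trace model: every capture shares a 'clock' tone (bin 2), each
# activity adds its own tone, and Gaussian noise stands in for the noisy capture.
TONES = {"benign": None, "ddos": 6, "ransomware": 11}
def synth_trace(kind, rng, n=256):
    out = []
    for i in range(n):
        v = math.sin(2 * math.pi * 2 * i / 32)
        if TONES[kind] is not None:
            v += math.sin(2 * math.pi * TONES[kind] * i / 32)
        out.append(v + rng.gauss(0, 0.8))
    return out

def features_for(kind, seed=3):
    return tf_features(synth_trace(kind, random.Random(seed)))

def train(labelled):
    """Nearest-centroid model (stand-in for the MLP/CNN): mean features per class."""
    groups = {}
    for label, feats in labelled:
        groups.setdefault(label, []).append(feats)
    return {lab: [sum(c) / len(v) for c in zip(*v)] for lab, v in groups.items()}

def classify(model, feats):
    return min(model, key=lambda lab: sum((a - b) ** 2 for a, b in zip(model[lab], feats)))

def demo(seed=1, n_train=20, n_test=10):
    """Train on synthetic captures; return accuracy on fresh noisy captures."""
    rng = random.Random(seed)
    model = train([(k, tf_features(synth_trace(k, rng))) for k in TONES for _ in range(n_train)])
    tests = [(k, tf_features(synth_trace(k, rng))) for k in TONES for _ in range(n_test)]
    return sum(classify(model, f) == k for k, f in tests) / len(tests)
```

The point to take from it is the time averaging: per-window spectra are dominated by noise, while the averaged profile keeps only the tones tied to the running activity.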

The logic of the whole process is as follows:


Here the Raspberry Pi stands for the attacked device; the oscilloscope's probe collects the electromagnetic signal externally and passes it to the AI for prediction, and the AI feeds the prediction back to a firewall that decides whether to block the malware.

The research comes from IRISA, currently one of the largest research laboratories in computer science and new technologies in France.

The equipment costs close to 90,000 yuan

ACSAC 2021, where the paper appeared, is a "purely applied" security conference.

Still, foreign media including Gizmodo note that much remains to be solved before this can really be used to detect malware.

For one, the benign dataset used in the paper does not cover all use cases; it mainly involves images, audio and video, plus the "routine activities" of some devices working normally.

The authors also mention in the paper that their original goal was not to detect malware but only to teach the AI to classify several types of malware; that the detection performance turned out to be good was merely an "accidental discovery".


On the other hand, the equipment used in this study is expensive.

The PicoScope 6407 digitizer alone costs nearly 90,000 yuan in China, which is hardly affordable for ordinary users:


Assembling the whole setup is a bit hard from a budget point of view (just kidding).

It remains to be seen whether the researchers will look at making the equipment cheaper with practical deployment in mind.

As for the research itself, some netizens joked that this is "really taking the pulse":


Some people feel that this is a brilliant idea:

Others, however, consider the paper hype: its actual scope (IoT devices) is narrow, while the title latches onto a hotter field.


Do you think using electromagnetic signals to detect malware is reliable?