DARPA Invests in IoT Malware Detection


US DARPA (the Defense Advanced Research Projects Agency) is investing in the monitoring of Internet of Things (IoT) devices. A $9.4 million grant could lead to a new technique for wirelessly monitoring IoT devices for malicious software without affecting the operation of the equipment. The technique is based on monitoring side-channel signals.

The CAMELIA project (Computational Activity Monitoring by Externally Leveraging Involuntary Analog Signals) is part of a DARPA program called Leveraging the Analog Domain for Security (LADS), which is investing in six different initiatives to address IoT security.

According to Georgia Tech Research Horizons, the technique will rely on receiving and analyzing side-channel signals, electromagnetic emissions that are produced unintentionally by the electronic devices as they execute programs. These signals are produced by semiconductors, capacitors, power supplies and other components, and can currently be measured up to a half-meter away from operating IoT devices.

By comparing these unintended side-channel emissions to a database of what the devices should be doing when they are operating normally, researchers can tell if malicious software has been installed.

The research team from the School of Electrical and Computer Engineering at the Georgia Institute of Technology pioneered research on measuring side-channel signals emitted from devices. These emissions differ from the signals the devices were intended to produce for communicating information across the Internet to other devices. The researchers have already shown that they can pick up the signals close to the devices using specially designed antennas, and one project goal is to extend the range to as much as 3 meters.

“When a processor executes instructions, values are represented as ones and zeroes, which creates a fluctuation in the current,” says Alenka Zajik, the project’s leader. “That creates changes in the electromagnetic field we are measuring, providing a pattern for what each part of the program looks like on a spectrum analyzer.”

Key to detecting changes in the signals is getting a “before” recording of what these signals should look like to draw a comparison with an “after” set of signals for each combination of device and software. The researchers plan to evaluate each IoT device, sampling and recording its typical operation to create a database.

“The technique is currently 95% accurate at profiling – pinpointing the exact point in the IoT program code that is currently executing,” according to the researchers. Malware detection is about detecting, with sufficient confidence, that the signal does not match any part of the original program, even when the malware is designed to resemble the original code of the application.
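To make the “before” database and the no-match decision concrete, here is an added illustration (not code from the CAMELIA project or the Georgia Tech team): each program region’s template is the average of several reference captures, profiling picks the nearest template, and an observation is flagged when its distance to every template exceeds a threshold calibrated from the spread of the benign captures themselves. The region names and feature values are constructed stand-ins for real spectrum-analyzer data.

```python
import math

# Constructed stand-in for spectral features: each capture is a short list
# of magnitudes in a few frequency bins, as an analyzer might report them.
# Real traces would come from an antenna and a spectrum analyzer.

def distance(a, b):
    """Euclidean distance between two feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def build_database(reference_traces):
    """The 'before' recording: average several captures of each program
    region into one template so that capture noise is smoothed out."""
    db = {}
    for region, traces in reference_traces.items():
        bins = len(traces[0])
        db[region] = [sum(t[i] for t in traces) / len(traces) for i in range(bins)]
    return db

def calibrate_threshold(db, reference_traces, margin=3.0):
    """Largest deviation of any benign capture from its own template,
    scaled by a safety margin; anything further away counts as 'no match'."""
    worst = max(distance(db[r], t) for r, ts in reference_traces.items() for t in ts)
    return worst * margin

def profile(db, observed):
    """Profiling: the region whose template is nearest to the observation."""
    best = min(db, key=lambda r: distance(db[r], observed))
    return best, distance(db[best], observed)

def detect(db, observed, threshold):
    """Malware decision: flag when the observation matches no known region
    with sufficient confidence, i.e. even the nearest template is too far."""
    region, d = profile(db, observed)
    return {"region": region, "distance": round(d, 3), "anomalous": d > threshold}

# Constructed reference captures for three regions of a hypothetical firmware.
REFERENCE = {
    "read_sensor": [[0.9, 0.1, 0.2], [1.0, 0.1, 0.3], [0.95, 0.15, 0.2]],
    "send_packet": [[0.2, 0.8, 0.3], [0.3, 0.9, 0.2], [0.25, 0.85, 0.25]],
    "sleep":       [[0.1, 0.1, 0.1], [0.1, 0.05, 0.15], [0.05, 0.1, 0.1]],
}
DB = build_database(REFERENCE)
THRESHOLD = calibrate_threshold(DB, REFERENCE)

if __name__ == "__main__":
    print(detect(DB, [0.95, 0.12, 0.25], THRESHOLD))  # benign: matches read_sensor
    print(detect(DB, [0.6, 0.6, 0.9], THRESHOLD))     # unknown code: flagged
    print(detect(DB, [0.85, 0.2, 0.35], THRESHOLD))   # mimics read_sensor: not flagged
```

The third observation shows the limitation the article mentions: code crafted to resemble a known region can land inside the threshold, so the margin trades false positives against such mimicry.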

Ultimately, researchers expect the project to be capable of monitoring several IoT devices simultaneously.