Article

REMOTE: Robust External Malware Detection Framework by Using Electromagnetic Signals

Journal

IEEE TRANSACTIONS ON COMPUTERS
Volume 69, Issue 3, Pages 312-326

Publisher

IEEE COMPUTER SOC
DOI: 10.1109/TC.2019.2945767

Keywords

Cyber-physical-systems; IoTs; intrusion detection; side-channels; embedded system security; electromagnetic

Funding

  1. NSF [1563991]
  2. DARPA LADS [FA8650-16-C-7620]
  3. Direct For Computer & Info Scie & Enginr
  4. Division of Computing and Communication Foundations [1563991] Funding Source: National Science Foundation


Cyber-physical systems (CPS) are controlling many critical and sensitive aspects of our physical world while being continuously exposed to potential cyber-attacks. These systems typically have limited performance, memory, and energy reserves, which limits their ability to run existing advanced malware protection, and that, in turn, makes securing them very challenging. To tackle these problems, this paper proposes Remote, a new robust framework to detect malware by externally observing Electromagnetic (EM) signals emitted by an electronic computing device (e.g., a microprocessor) while running a known application, in real time and with a low detection latency, and without any a priori knowledge of the malware. Remote does not require any resources or infrastructure on, or any modifications to, the monitored system itself, which makes Remote especially suitable for malware detection on resource-constrained devices such as embedded devices, CPSs, and Internet of Things (IoT) devices where hardware and energy resources may be limited. To demonstrate the usability of Remote in real-world scenarios, we port two real-world programs (an embedded medical device and an industrial PID controller), each with a meaningful attack (a code-reuse and a code-injection attack), to four different hardware platforms. We also port shellcode-based DDoS and Ransomware attacks to five different standard applications on an embedded system. To further demonstrate the applicability of Remote to commercial CPS, we use Remote to monitor a Robotic Arm. Our results on all these different hardware platforms show that, for all attacks on each of the platforms, Remote successfully detects each instance of an attack and has < 0.1 percent false positives.
We also systematically evaluate the robustness of Remote to interrupts and other system activity, to signal variation among different physical instances of the same device design, to changes over time, and to plastic enclosures and nearby electronic devices. This evaluation includes hundreds of measurements and shows that Remote achieves excellent accuracy (<0.1 percent false positive and >99.9 percent true positive rates) under all these conditions. We also compare Remote to prior work EDDIE [1] and SYNDROME [2], and demonstrate that these prior works are unable to achieve high accuracy under these variations.
