How to Snare Malware

Machine learning classifies patterns of electromagnetic radiation emitted by a Raspberry Pi to detect running malware.

Nick Bild
2 years ago • Machine Learning & AI
Experimental setup (📷: D. Pham et al.)

With around 200 billion Internet of Things (IoT) devices now in the world, chances are that you have at least a few in your own home. The tasks they handle range from the slightly comical, like starting the coffee maker from a smartphone, to serious applications that track users' health or monitor traffic. The attention IoT device makers pay to security varies greatly, which is a major concern with so many of these devices out in the wild performing such important tasks.

Concerned by this state of affairs, researchers at the University of Rennes have developed a new method for detecting malware running on compromised IoT devices. Traditional malware detection typically requires installing an agent on, or otherwise modifying, the monitored device. Instead, the team treats the electromagnetic radiation that every electronic device emits as a side channel and reads the device's behaviour from that.

To simulate compromised IoT devices, the team first studied nearly five thousand malware samples. From this study they identified three well-represented malware types: DDoS bots, ransomware, and kernel rootkits. They then prepared malware binaries representative of what is typically seen in each type and ran them on a Raspberry Pi 2 Model B. They also applied obfuscation techniques to the binaries, as real malware authors commonly do to evade signature-based detection.

The detection setup consists of a Picoscope 6407 oscilloscope connected to an H-field probe, plus a server that stores the captures. The probe is positioned just above the Raspberry Pi's main processor to pick up the electromagnetic emissions it produces during normal operation. Nothing runs on the target itself, which is what lets the approach work even against a rootkit that hides from on-device tools.

At this point the team had only raw signal traces, which are not interpretable on their own. To make sense of them, they designed a convolutional neural network that classifies each trace as ransomware, rootkit, DDoS, or benign. The network was trained on 3,000 traces for each of 30 malware binaries (90,000 malware traces) plus 10,000 traces of benign activity, with 20 percent of the data held out for testing, and it reached a classification accuracy above 98%. The model could also correctly classify malware variants it had never seen during training, which bodes well for catching newly developed malware in the real world.
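To make the pipeline in that paragraph concrete, here is an added example (not code from the paper or from this article) that runs the same train, hold-out and evaluate loop on constructed data. It replaces the paper's convolutional network with a much simpler classifier, nearest centroid on mean-centred log band powers of a naive DFT, and the traces are synthetic: each class is given a made-up tone at a fixed frequency bin plus Gaussian noise, which is only a stand-in for the instruction-mix-dependent spectrum a real probe would see. The class names, tone bins, trace lengths, and the "unseen variant" (the same leak at lower amplitude with more noise) are all assumptions of the example.

```python
import cmath
import math
import random

CLASSES = ["benign", "ddos", "ransomware", "rootkit"]
N = 128      # samples per constructed trace (real captures are far longer)
BANDS = 8    # spectral bands used as features

# Constructed signature (assumption): each class "leaks" a tone at one bin.
# Real EM traces carry no such clean tone; this stands in for the
# instruction-mix-dependent spectrum the paper's CNN actually learns.
TONE_BIN = {"benign": 5, "ddos": 21, "ransomware": 37, "rootkit": 53}

# Twiddle factors for a naive DFT over the first N/2 (non-redundant) bins.
_TWIDDLE = [[cmath.exp(-2j * math.pi * k * t / N) for t in range(N)]
            for k in range(N // 2)]


def make_trace(label, rng, amp=1.0, noise=0.5):
    """Synthesise one EM-like trace: class tone with random phase plus noise."""
    k = TONE_BIN[label]
    phase = rng.uniform(0.0, 2.0 * math.pi)
    return [amp * math.sin(2.0 * math.pi * k * t / N + phase) + rng.gauss(0.0, noise)
            for t in range(N)]


def band_powers(trace):
    """Feature vector: log power in BANDS equal-width bands, mean-centred per trace.

    Mean-centring the log powers removes absolute gain, so a different probe
    position or a weaker emitter shifts every band equally and the feature
    vector does not move.
    """
    spectrum = [abs(sum(x * w for x, w in zip(trace, row))) ** 2 for row in _TWIDDLE]
    width = len(spectrum) // BANDS
    feats = [math.log(sum(spectrum[b * width:(b + 1) * width]) + 1e-9)
             for b in range(BANDS)]
    mean = sum(feats) / BANDS
    return [f - mean for f in feats]


def train_centroids(samples):
    """Nearest-centroid model: one mean feature vector per class."""
    sums, counts = {}, {}
    for feats, label in samples:
        acc = sums.setdefault(label, [0.0] * BANDS)
        for i, f in enumerate(feats):
            acc[i] += f
        counts[label] = counts.get(label, 0) + 1
    return {c: [v / counts[c] for v in sums[c]] for c in sums}


def classify(model, feats):
    """Return the class whose centroid is nearest (squared Euclidean distance)."""
    return min(model, key=lambda c: sum((a - b) ** 2 for a, b in zip(feats, model[c])))


def accuracy(model, samples):
    return sum(classify(model, f) == y for f, y in samples) / len(samples)


def run_experiment(per_class=50, holdout=0.2, seed=1):
    """Train on 80% of the constructed traces, test on the held-out 20%,
    then score a weaker, noisier variant that never appears in training."""
    rng = random.Random(seed)
    data = [(band_powers(make_trace(c, rng)), c)
            for c in CLASSES for _ in range(per_class)]
    rng.shuffle(data)
    cut = int(len(data) * (1.0 - holdout))
    model = train_centroids(data[:cut])
    # "Obfuscated" variant (assumption): same leak, 60% amplitude, more noise.
    unseen = [(band_powers(make_trace(c, rng, amp=0.6, noise=0.7)), c)
              for c in CLASSES for _ in range(10)]
    return {
        "test_acc": accuracy(model, data[cut:]),
        "unseen_variant_acc": accuracy(model, unseen),
        "model": model,
    }


if __name__ == "__main__":
    result = run_experiment()
    print(f"held-out accuracy:       {result['test_acc']:.2f}")
    print(f"unseen-variant accuracy: {result['unseen_variant_acc']:.2f}")
```

Running it prints the held-out accuracy and the accuracy on the unseen, noisier variant. The mean-centring in `band_powers` is what keeps the second number high, and it is the kind of gain invariance a real feature extractor needs before a model trained with one probe position on one board can be trusted on another.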

This research is not ready to leave the lab just yet, but it points to interesting new avenues for malware detection. Identifying the type of malware on a device with high accuracy, even when it is obfuscated, and without touching the device itself is an attractive property for securing IoT deployments. The practical limit is that the probe has to sit on the board, so this is closer to a lab or high-value installation than something that can be rolled out across a fleet.

Nick Bild
R&D, creativity, and building the next big thing you never knew you wanted are my specialties.