
Tool hunts for ‘power anomalies’ to find malware

A new method detects malware in large-scale embedded computer systems by monitoring their power usage and treating unusual power draw as a sign of compromise.

Malware is evasive, intelligent, and sneaky. No sooner does anti-virus software update to combat the latest attacks than the malware has already evolved into something harder to detect and potentially more damaging to a computer system.

But malware isn't without weaknesses of its own. Researchers have found an additional line of defense that detects the presence of malware without relying on the detection and protection built into existing anti-virus software.

The researchers presented their work at the annual IEEE International Symposium on Hardware Oriented Security and Trust in Washington, DC.

Monitor the power

In their presentation, the team outlined how they developed an external device that plugs into a system and monitors its power usage. Engineers can treat certain power usage signatures as evidence that malware is present, and can also estimate how much of a threat it poses to the compromised system. Because the device is a separate piece of hardware, it is not exposed to infection in the way that anti-virus software running inside the monitored computer frequently is.

Whole systems—hardware and software—are now at risk from the latest series of cyberattacks. And malware is frequently designed to appear benign so that it can blend in with other applications on a computer system. However, malware cannot run without consuming power, and every instruction it executes shows up in the system's power draw. The engineers realized this offered an opportunity to observe and identify power signatures that differ from known benign behavior, referred to as "power anomalies."

The new detection tool tracks power fluctuations specifically in embedded systems—from smartphones to industrial remote-control systems in power plants.

“We know what power consumption looks like when embedded systems are operating at normal levels,” says Mohit Tiwari, assistant professor in the Cockrell School’s electrical and computer engineering department at the University of Texas at Austin. “By looking for power anomalies, we can tell with reasonable accuracy when malware is present in a system.”

Some malware, however, can conceal its presence by mirroring the power usage of benign programs. The researchers also studied how much damage such evasive malware can still do once it is forced to hide this way.

“The real technical contribution of this work has been our ability to successfully model malware that conceals itself by mimicking the power signatures of benign programs,” Tiwari says. “Models of evasive malware can then be used to determine the extent of damage that power detectors can protect against.”
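The two ideas above, learning what benign power draw looks like and flagging windows that leave that envelope, and then asking what an evasive malware that stays inside the envelope can still get done, as an added Python example. This is not the UT Austin team's code or model: the sampling rate, window size, benign workload, envelope rule and the "work" metric (malware milliwatt-samples, a stand-in for attacker CPU cycles) are all constructed here for illustration, and the evasive malware is assumed to know when the benign jobs are idle.

```python
"""Power-anomaly detection over a constructed embedded-system power trace."""
import math
from statistics import mean

SAMPLE_HZ = 100      # assumption: 100 power samples per second
WINDOW = 50          # assumption: 0.5 s analysis windows
IDLE_MW = 100.0      # assumption: idle draw of the device in mW


def ripple(j):
    """Deterministic small supply noise so windows are not perfectly flat."""
    return 3.0 * math.sin(0.37 * j)


def benign_draw(j):
    """Constructed benign workload: extra mW above idle at sample index j."""
    draw = 0.0
    if j % 40 < 10:
        draw += 80.0     # a sensor-processing job: 10 samples every 40
    if j % 100 < 5:
        draw += 40.0     # a housekeeping job: 5 samples every 100
    return draw


def benign_trace(n, phase=0):
    """n samples of the benign device, starting at an arbitrary phase."""
    return [IDLE_MW + ripple(i + phase) + benign_draw(i + phase) for i in range(n)]


def window_features(trace, window=WINDOW):
    """Per fixed window: (mean draw, peak sample)."""
    return [(mean(trace[i:i + window]), max(trace[i:i + window]))
            for i in range(0, len(trace) - window + 1, window)]


def train_baseline(benign_traces, tolerance=0.05):
    """Benign envelope: largest window mean and largest sample seen while
    running only benign workloads, plus a small tolerance. A real detector
    would use richer features; the envelope rule is this example's choice."""
    feats = [f for t in benign_traces for f in window_features(t)]
    return {"mean_hi": max(m for m, _ in feats) * (1 + tolerance),
            "peak_hi": max(p for _, p in feats) * (1 + tolerance)}


def detect(trace, baseline):
    """Indices of windows whose mean or peak leaves the benign envelope."""
    return [i for i, (m, p) in enumerate(window_features(trace))
            if m > baseline["mean_hi"] or p > baseline["peak_hi"]]


def infect(trace, start, extra_mw, phase=0, budget_per_window=None):
    """Overlay malware draw on a benign trace from sample `start`.
    budget_per_window=None: naive malware runs on every sample.
    Otherwise: evasive malware runs only while no benign job is active and
    for at most `budget_per_window` samples per window, so the window mean
    and peak stay inside the learned envelope.
    Returns (trace, work), work = malware mW*samples (proxy for cycles)."""
    out, work, used = list(trace), 0.0, 0
    for i in range(start, len(trace)):
        if i % WINDOW == 0:
            used = 0
        if budget_per_window is not None:
            if benign_draw(i + phase) > 0 or used >= budget_per_window:
                continue
            used += 1
        out[i] += extra_mw
        work += extra_mw
    return out, work


def run_demo():
    """Train on benign traces, then score a clean, a naive and an evasive trace."""
    training = [benign_trace(500, phase=p) for p in range(100)]
    baseline = train_baseline(training)
    clean = benign_trace(1000, phase=17)
    naive, naive_work = infect(clean, 200, 120.0, phase=17)
    evasive, evasive_work = infect(clean, 200, 40.0, phase=17, budget_per_window=5)
    return {"clean_flags": detect(clean, baseline),
            "naive_flags": detect(naive, baseline),
            "evasive_flags": detect(evasive, baseline),
            "naive_work": naive_work,
            "evasive_work": evasive_work}


if __name__ == "__main__":
    r = run_demo()
    print("clean windows flagged:  ", r["clean_flags"])
    print("naive windows flagged:  ", r["naive_flags"])
    print("evasive windows flagged:", r["evasive_flags"])
    print("evasive work as fraction of naive: %.3f"
          % (r["evasive_work"] / r["naive_work"]))
```

The naive malware, which simply runs flat out, is flagged in every window after it starts; the evasive variant is never flagged, but to stay inside the envelope it gets through roughly one thirtieth of the work, which is the trade-off the researchers describe.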

A separate device

Using power to detect the presence of malware isn't the only clever part of this technology. The researchers also realized that any detection system needed to be an external device that they could plug into a system. As a separate device with no software foothold on the monitored system, it is out of reach of the malware it is watching. Current software security programs reside within the same systems that malware targets, making them just as vulnerable to attack as any other application on that computer. By using an external monitor that plugs into the system's power supply and shows how its power draw is distributed over time, engineers can detect security breaches.

“While we can’t detect the specific kind of malware attacking a system, we can determine how much of a threat it is and to what extent it could cause problems,” Tiwari says.

The other advantage of measuring power to detect malware is that the detector is trained on the system's own benign behavior rather than on signatures of particular threats, so the constant adaptation of cyberthreats does not force it to be retrained for each new variant.

“Malware keeps evolving in order to outsmart anti-virus software, meaning engineers must also continuously retrain their programs,” says Shijia Wei, a PhD candidate in the electrical and computer engineering department. “With our device, we can force the malware to mimic benign programs on embedded systems, and this can greatly reduce the potential damage an attack can cause.”

At this point, the technology is only capable of detecting the presence of malware. It cannot remove the threat itself, but that is the team's next step.

Additional researchers from UT Austin and North Carolina State University contributed to the work. Lockheed Martin funded the study.

Source: UT Austin