Published 2025-05-22
Keywords
- Malware classification, obfuscation, side-channel analysis, rootkit detection, software-defined radio (SDR), machine learning, deep learning, Electromagnetic, IoT devices
Copyright (c) 2024 Damien Marion, Duy-Phuc Pham, Annelie Heuser (Author)

This work is licensed under a Creative Commons Attribution 4.0 International License.
Abstract
The Internet of Things (IoT) is a collection of interconnected devices, becoming increasingly complicated and suffering from inadequate security measures.
They frequently employ outdated hardware and software without taking security risks into account, which makes them a target for cybercriminals, particularly those specializing in malware and rootkits. In this paper, we will present two strategies for exploiting electromagnetic side channels and address two challenges: malware classification in the presence of obfuscations and rootkit detection. Our approach focuses on IoT devices, specifically targeting ARM and MIPS architectures in Raspberry Pi and Creator CI20 devices. The framework employs advanced data preprocessing methods, allowing analysts to select a variety of machine learning and deep learning models based on their specific requirements.
Our findings were published separately (including data and code) at:
- ACSAC-2021: "Obfuscation Revealed: Leveraging Electromagnetic Signals for Obfuscated Malware Classification" (with an extended version presented at hardwear.io’22 USA),
- RAID-2022: "ULTRA: Ultimate Rootkit Detection over the Air".
References
- D.-P. Pham, D. Marion, M. Mastio, and A. Heuser, “Obfuscation Revealed: Leveraging Electromagnetic Signals for Obfuscated Malware Classification,” in Annual Computer Security Applications Conference (ACSAC), 2021.
- D.-P. Pham, D. Marion, and A. Heuser, “ULTRA: Ultimate Rootkit Detection over the Air,” in 25th International Symposium on Research in Attacks, Intrusions and Defenses (RAID), 2022.
- K. Riad, T. Huang, and L. Ke, “A dynamic and hierarchical access control for IoT in multi-authority cloud storage,” Journal of Network and Computer Applications, vol. 160, p. 102633, 2020.
- V. Adat and B. B. Gupta, “Security in Internet of Things: issues, challenges, taxonomy, and architecture,” Telecommunication Systems, vol. 67, no. 3, pp. 423–441, 2018.
- V. Rey, P. M. Sánchez Sánchez, A. Huertas Celdrán, and G. Bovet, “Federated Learning for Malware Detection in IoT Devices,” vol. 204, p. 108693, 2021. Accessed on 2022-01-14.
- E. Cozzi, M. Graziano, Y. Fratantonio, and D. Balzarotti, “Understanding Linux malware,” in S&P 2018, 39th IEEE Symposium on Security and Privacy, May 21-23, 2018, San Francisco, CA, USA, IEEE, 2018.
- S. S. Clark, B. Ransford, A. Rahmati, S. Guineau, J. Sorber, W. Xu, and K. Fu, “WattsUpDoc: Power Side Channels to Nonintrusively Discover Untargeted Malware on Embedded Medical Devices,” in 2013 USENIX Workshop on Health Information Technologies (HealthTech 13), (Washington, D.C.), USENIX Association, Aug. 2013.
- N. Sehatbakhsh, A. Nazari, M. Alam, F. Werner, Y. Zhu, A. Zajic, and M. Prvulovic, “REMOTE: Robust External Malware Detection Framework by Using Electromagnetic Signals,” IEEE Transactions on Computers, vol. 69, no. 3, pp. 312–326, 2020.
- I. Kyte, P. Zavarsky, D. Lindskog, and R. Ruhl, “Enhanced side-channel analysis method to detect hardware virtualization based rootkits,” in World Congress on Internet Security (WorldCIS-2012), pp. 192–201, 2012.
- P. Luckett, J. T. McDonald, W. B. Glisson, R. Benton, J. Dawson, and B. A. Doyle, “Identifying stealth malware using CPU power consumption and learning algorithms,” Journal of Computer Security, vol. 26, no. 5, pp. 589–613, 2018.
- R. Bridges, J. H. Jiménez, J. Nichols, K. Goseva-Popstojanova, and S. Prowell, “Towards malware detection via cpu power consumption: Data collection design and analytics,” in 2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE), pp. 1680–1684, IEEE, 2018.
- F. Ding, H. Li, F. Luo, H. Hu, L. Cheng, H. Xiao, and R. Ge, “DeepPower: Non-intrusive and Deep Learning-based Detection of IoT Malware Using Power Side Channels,” in Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, pp. 33–46, 2020.
- X. Wang, Q. Zhou, J. Harer, G. Brown, S. Qiu, Z. Dou, J. Wang, A. Hinton, C. A. Gonzalez, and P. Chin, “Deep learning-based classification and anomaly detection of side-channel signals,” in Cyber Sensing 2018, vol. 10630, p. 1063006, International Society for Optics and Photonics, 2018.
- A. Baliga, V. Ganapathy, and L. Iftode, “Detecting Kernel-Level Rootkits Using Data Structure Invariants,” IEEE Transactions on Dependable and Secure Computing, vol. 8, no. 5, pp. 670–684, 2011.
- N. L. Petroni Jr, T. Fraser, J. Molina, and W. A. Arbaugh, “Copilot-a Coprocessor-based Kernel Runtime Integrity Monitor,” in USENIX security symposium, pp. 179–194, San Diego, USA, 2004.
- S. Bhasin, J.-L. Danger, S. Guilley, and Z. Najm, “NICV: Normalized Inter-Class Variance for Detection of Side-Channel Leakage,” in International Symposium on Electromagnetic Compatibility (EMC ’14 / Tokyo), IEEE, May 12-16 2014. eprint version: https://eprint.iacr.org/2013/717.pdf.