New malware detector identifies bugs by monitoring power consumption

AUSTIN, Texas — Malware is evasive, clever, and sneaky. As soon as anti-virus software is updated to combat the latest attacks, a computer virus will have already evolved into something harder to detect and potentially more damaging to a computer system.

But malware is not without vulnerabilities. Engineers from the University of Texas at Austin and North Carolina State University have found an extra line of defense against malware threats, one that does not rely on the detection and protection provided by existing antivirus software. Their method detects the presence of malware in large-scale embedded computer systems by monitoring power consumption and identifying unusual power surges as signs of unwanted security threats.

The Cockrell School of Engineering UT team presented their work this week at the annual IEEE International Symposium on Hardware-Oriented Security and Trust (HOST) in Washington, D.C.

The study was led by Shijia Wei, a Ph.D. candidate in the electrical and computer engineering department of the Cockrell School; his adviser, assistant professor Mohit Tiwari; and his colleagues, Professor Michael Orshansky and Associate Professor Andreas Gerstlauer. Aydin Aysu, an assistant professor of electrical and computer engineering at North Carolina State University, also collaborated on the research.

In their presentation, the team explains how they developed an external device that can be plugged into a system to observe and monitor its power consumption. Engineers can identify certain power consumption signatures as evidence of malware and determine how much of a threat it poses to a compromised system. Since the device is a separate piece of hardware, it is not exposed to infection in the way that antivirus software built into the monitored computer system frequently is.

Entire systems – hardware and software – are now at risk from the latest round of cyberattacks. And malware is often designed to appear benign so that it can blend in with other applications on a computer system. However, a system’s power consumption cannot be manipulated, and UT engineers realized this provided an opportunity to observe and identify power signatures that differ from known benign behavior, called “power anomalies”.

The new detection tool tracks power fluctuations specifically in embedded systems – from smartphones to industrial remote control systems in power plants.

“We know what power consumption looks like when in-vehicle systems are operating at normal levels,” Tiwari said. “By looking for power anomalies, we can tell with reasonable accuracy when malware is present in a system.”

But some malware is even designed to conceal its presence by mirroring the power consumption of benign programs. UT engineers have also studied the extent of the damage this evasive malware can cause.

“The real technical contribution of this work was our ability to successfully model malware that cloaks itself by mimicking the power signatures of benign programs,” Tiwari said. “Evasive malware models can then be used to determine the extent of damage that power detectors can protect against.”
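To make the detection idea and the evasion model concrete, here is an added example that is not code from the UT or NC State team: a per-sample baseline is built from constructed benign power traces, a new trace is flagged when any sample deviates by more than a chosen number of standard deviations, and the same profile is used to compute how much extra draw an evasive program could add without tripping the detector. All trace values, the 4-sigma threshold and the 1 mW noise floor are assumptions made for the example.

```python
import statistics

# Constructed example: fixed-interval power readings (milliwatts) of an embedded
# device running one cycle of its normal workload (idle, busy, idle, busy).
# Real traces would come from an external power monitor; these are made up.
BENIGN_TRACES = [
    [120, 122, 180, 185, 182, 125, 121, 119, 178, 183],
    [118, 121, 177, 183, 181, 123, 120, 118, 176, 181],
    [121, 123, 182, 186, 184, 126, 122, 120, 179, 184],
    [119, 120, 179, 184, 183, 124, 119, 119, 177, 182],
]
NOISE_FLOOR_MW = 1.0   # assumed minimum sigma, so flat samples are not over-sensitive
THRESHOLD_SIGMA = 4.0  # assumed alarm threshold in standard deviations


def build_profile(traces):
    """Per-sample (mean, sigma) of the known benign behaviour, sigma floored."""
    columns = list(zip(*traces))
    return [(statistics.mean(c), max(statistics.stdev(c), NOISE_FLOOR_MW))
            for c in columns]


def max_zscore(trace, profile):
    """Largest deviation of any sample from the benign profile, in sigmas."""
    return max(abs(x - mu) / sigma for x, (mu, sigma) in zip(trace, profile))


def is_power_anomaly(trace, profile, threshold=THRESHOLD_SIGMA):
    """Flag a trace whose worst sample exceeds the threshold: a 'power anomaly'."""
    return max_zscore(trace, profile) > threshold


def undetected_headroom_mw(profile, threshold=THRESHOLD_SIGMA):
    """Extra milliwatts, summed over the cycle, that a program could add to each
    sample while staying below the alarm threshold. This is the power budget an
    evasive program mimicking benign behaviour is forced to live within."""
    return sum(threshold * sigma for _, sigma in profile)


PROFILE = build_profile(BENIGN_TRACES)

# Constructed test traces: normal run, noisy malware running during idle phases,
# and evasive malware that keeps its extra draw inside the benign noise band.
BENIGN_RUN = [120, 121, 179, 184, 182, 124, 120, 119, 177, 182]
NOISY_MALWARE = [160, 162, 180, 185, 182, 165, 161, 159, 178, 183]
EVASIVE_MALWARE = [121, 123, 181, 185, 183, 125, 122, 120, 178, 183]

if __name__ == "__main__":
    for name, trace in [("benign", BENIGN_RUN), ("noisy", NOISY_MALWARE),
                        ("evasive", EVASIVE_MALWARE)]:
        print(name, round(max_zscore(trace, PROFILE), 2), is_power_anomaly(trace, PROFILE))
    print("undetected headroom (mW per cycle):", round(undetected_headroom_mw(PROFILE), 1))
```

The evasive trace passes the detector, which is exactly the case the article's evasion model studies: the detector does not catch it, but it caps the attacker at the headroom the profile leaves.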

Using power to detect the presence of malware isn’t the only clever part of this technology. The researchers also realized that any detection system had to be designed as an external device that could be plugged into a system. As a separate, unconnected device, it could not be at risk of attack. Today’s software security programs reside on the same systems that are targeted by malware, making them just as vulnerable to attack as other applications used on any computer. By using an external monitoring system that literally plugs into a network and shows power distribution, engineers can detect security vulnerabilities.

“While we can’t detect the specific type of malware attacking a system, we can determine the scale of the threat and how much trouble it might cause,” Tiwari said.

The other benefit of using power measurement for malware detection is that it is unaffected by constantly adapting cyber threats.

“Malware continues to evolve in order to outwit antivirus software, which means engineers must also continually retrain their programs,” Wei said. “With our device, we can force malware to mimic benign programs on embedded systems, which can significantly reduce the potential damage an attack can cause.”

At this point, the technology is only able to detect the presence of unwanted bugs. It can’t eliminate the security threat itself, but that is the team’s next step.

This research project was funded by Lockheed Martin.


Comments are closed.