TY - JOUR
T1 - IDEA
T2 - Intrusion Detection through Electromagnetic-Signal Analysis for Critical Embedded and Cyber-Physical Systems
AU - Khan, Haider Adnan
AU - Sehatbakhsh, Nader
AU - Nguyen, Luong N.
AU - Callan, Robert L.
AU - Yeredor, Arie
AU - Prvulovic, Milos
AU - Zajic, Alenka
N1 - Publisher Copyright: © 2004-2012 IEEE.
PY - 2021/5/1
Y1 - 2021/5/1
N2 - We propose a novel framework called IDEA that exploits electromagnetic (EM) side-channel signals to detect malicious activity on embedded and cyber-physical systems (CPS). IDEA first records EM emanations from an uncompromised reference device to establish a baseline of reference EM patterns. IDEA then monitors the target device's EM emanations. When the observed EM emanations deviate from the reference patterns, IDEA reports this as an anomalous or malicious activity. IDEA does not require any resource or infrastructure on, or any modification to, the monitored system itself. In fact, IDEA is isolated from the target device, and monitors the device without any physical contact. We evaluate IDEA by monitoring the target device while it is executing embedded applications with malicious code injections such as Distributed Denial of Service (DDoS), Ransomware and code modification. We further implement a control-flow hijack attack, an advanced persistent threat, and a firmware modification on three CPSs: an embedded medical device called SyringePump, an industrial Proportional-Integral-Derivative (PID) Controller, and a Robotic Arm, using a popular embedded system, Arduino UNO. The results demonstrate that IDEA can detect different attacks with excellent accuracy (AUC > 99.5%, and 100 percent detection with less than 1 percent false positives) from distances up to 3 m.
AB - We propose a novel framework called IDEA that exploits electromagnetic (EM) side-channel signals to detect malicious activity on embedded and cyber-physical systems (CPS). IDEA first records EM emanations from an uncompromised reference device to establish a baseline of reference EM patterns. IDEA then monitors the target device's EM emanations. When the observed EM emanations deviate from the reference patterns, IDEA reports this as an anomalous or malicious activity. IDEA does not require any resource or infrastructure on, or any modification to, the monitored system itself. In fact, IDEA is isolated from the target device, and monitors the device without any physical contact. We evaluate IDEA by monitoring the target device while it is executing embedded applications with malicious code injections such as Distributed Denial of Service (DDoS), Ransomware and code modification. We further implement a control-flow hijack attack, an advanced persistent threat, and a firmware modification on three CPSs: an embedded medical device called SyringePump, an industrial Proportional-Integral-Derivative (PID) Controller, and a Robotic Arm, using a popular embedded system, Arduino UNO. The results demonstrate that IDEA can detect different attacks with excellent accuracy (AUC > 99.5%, and 100 percent detection with less than 1 percent false positives) from distances up to 3 m.
KW - Electromagnetic emanations
KW - electromagnetic side-channel
KW - malware detection
KW - security of cyber-physical systems
KW - side-channel signal analysis
UR - http://www.scopus.com/inward/record.url?scp=85070703988&partnerID=8YFLogxK
U2 - 10.1109/TDSC.2019.2932736
DO - 10.1109/TDSC.2019.2932736
M3 - Article
AN - SCOPUS:85070703988
SN - 1545-5971
VL - 18
SP - 1150
EP - 1163
JO - IEEE Transactions on Dependable and Secure Computing
JF - IEEE Transactions on Dependable and Secure Computing
IS - 3
M1 - 8786207
ER -