DOI: 10.1145/3320269.3384727

DeepPower: Non-intrusive and Deep Learning-based Detection of IoT Malware Using Power Side Channels

Published: 05 October 2020

Abstract

The vulnerability of Internet of Things (IoT) devices to malware attacks poses huge challenges to current Internet security. IoT malware attacks are usually composed of three stages: intrusion, infection, and monetization. Existing approaches for IoT malware detection cannot effectively identify the malicious activities executed at the intrusion and infection stages, and thus cannot help stop potential attacks in a timely manner. In this paper, we present DeepPower, a non-intrusive approach to infer malicious activities of IoT malware by analyzing power side-channel signals using deep learning. DeepPower first filters raw power signals of IoT devices to obtain suspicious signals, and then performs a fine-grained analysis on these signals to infer the corresponding activities executed inside the devices. DeepPower determines whether there is an ongoing malware infection by conducting a correlation analysis on these identified activities. We implement a prototype of DeepPower using low-cost sensors and devices and evaluate its effectiveness against real-world IoT malware using commodity IoT devices. Our experimental results demonstrate that DeepPower is able to detect infection activities of different IoT malware with high accuracy without any changes to the monitored devices.


Published In

ASIA CCS '20: Proceedings of the 15th ACM Asia Conference on Computer and Communications Security
October 2020
957 pages
ISBN:9781450367509
DOI:10.1145/3320269
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. IoT
  2. deep learning
  3. malware detection
  4. non-intrusive
  5. power side channels

Qualifiers

  • Research-article

Funding Sources

  • U. S. National Institute of Food and Agriculture
  • National Science Foundation

Conference

ASIA CCS '20

Acceptance Rates

Overall Acceptance Rate 418 of 2,322 submissions, 18%
