Utilizing electromagnetic emanations for out-of-band detection of unknown attack code in a programmable logic controller

We propose using out-of-band emanations from embedded devices to detect malicious code execution. We passively monitor the involuntary electromagnetic (EM) emissions of an embedded device to detect new, previously unseen signals. We demonstrate the efficacy and feasibility of an EM-emanation-based anomaly detection system, built on commercial off-the-shelf (COTS) software defined radio (SDR) hardware, that detects code execution on an industrial control system (the Allen-Bradley 1756-EWEB module). We have developed a fully automated training and testing framework for this anomaly detection system. In this paper, we describe the system architecture, the cliff-detection algorithm used to process the received emanations, the testing setup and procedures, and our results. When trained on one set of EWEB modules and tested on a separate set, our experimental prototype detects unknown (attack) code execution with 98% accuracy at a 100% detection rate. We present data supporting the robustness of these results across 16 physical device instances and with training recordings taken months apart from the testing recordings.
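The abstract names a cliff-detection algorithm but does not describe it, so the following is an added, simplified illustration of the general approach rather than the paper's own code: a detector that learns a per-bin spectral envelope from recordings of known-good execution and flags a recording whose spectrum exceeds that envelope, together with the accuracy and detection-rate metrics quoted above. All recordings are constructed synthetic signals (a baseline tone plus noise; "unknown code" adds a second tone the profile never saw), the bin numbers, amplitudes, sample count and the 1.0-decade margin are assumptions, and no SDR hardware is involved.

```python
"""Added example (not the paper's code): spectral-envelope anomaly detection
over constructed EM-like recordings, with accuracy / detection-rate scoring."""
import cmath
import math
import random

N = 128  # samples per recording (constructed value)


def power_spectrum(samples):
    """Direct DFT; returns power |X_k|^2 for the non-negative bins 0..N/2."""
    n = len(samples)
    out = []
    for k in range(n // 2 + 1):
        acc = 0j
        for t, x in enumerate(samples):
            acc += x * cmath.exp(-2j * math.pi * k * t / n)
        out.append(abs(acc) ** 2)
    return out


def log_spectrum(samples):
    """Power per bin in decades (log10), floored so empty bins stay finite."""
    return [math.log10(p + 1e-12) for p in power_spectrum(samples)]


def train_profile(recordings):
    """Profile = per-bin maximum log-power observed across known-good recordings."""
    spectra = [log_spectrum(r) for r in recordings]
    return [max(col) for col in zip(*spectra)]


def anomaly_score(profile, recording):
    """Largest excess (in decades) of any bin over its training envelope."""
    return max(s - p for s, p in zip(log_spectrum(recording), profile))


def is_anomalous(profile, recording, margin=1.0):
    """Flag the recording if some bin is more than `margin` decades above the envelope."""
    return anomaly_score(profile, recording) > margin


def synth_recording(rng, unknown_code):
    """Constructed signal: a baseline tone at bin 5 plus Gaussian noise; when
    `unknown_code` is set, a second tone at bin 20 models new code executing."""
    samples = []
    for t in range(N):
        x = math.sin(2 * math.pi * 5 * t / N) + rng.gauss(0, 0.1)
        if unknown_code:
            x += 0.5 * math.sin(2 * math.pi * 20 * t / N)
        samples.append(x)
    return samples


def evaluate(profile, labelled):
    """Return (accuracy, detection rate) over (recording, is_attack) pairs.
    Accuracy counts every correct decision; detection rate is TP / (TP + FN)."""
    tp = tn = fp = fn = 0
    for rec, attack in labelled:
        flagged = is_anomalous(profile, rec)
        if attack and flagged:
            tp += 1
        elif attack and not flagged:
            fn += 1
        elif not attack and flagged:
            fp += 1
        else:
            tn += 1
    accuracy = (tp + tn) / len(labelled)
    detection_rate = tp / (tp + fn) if (tp + fn) else 0.0
    return accuracy, detection_rate


def demo(seed=1):
    """Train on 20 known-good recordings, test on 10 good + 10 'unknown code'."""
    rng = random.Random(seed)
    train = [synth_recording(rng, False) for _ in range(20)]
    profile = train_profile(train)
    test = [(synth_recording(rng, False), False) for _ in range(10)]
    test += [(synth_recording(rng, True), True) for _ in range(10)]
    return evaluate(profile, test)


if __name__ == "__main__":
    acc, dr = demo()
    print(f"accuracy={acc:.2f} detection_rate={dr:.2f}")
```

The margin is the single tuning knob: it trades false alarms on never-before-seen but benign variation (a different physical unit, a recording taken months later) against missed detections, which is exactly the cross-device and cross-time robustness question the paper's evaluation addresses. Note that the training envelope only captures the known-good spectral shape, so new code is detected only insofar as it changes what the device radiates.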
