REMOTE: Robust External Malware Detection Framework by Using Electromagnetic Signals
IEEE Transactions on Computers (IF 3.6). Pub Date: 2020-03-01. DOI: 10.1109/tc.2019.2945767
Nader Sehatbakhsh, Alireza Nazari, Monjur Alam, Frank Werner, Yuanda Zhu, Alenka Zajic, Milos Prvulovic

Cyber-physical systems (CPS) control many critical and sensitive aspects of our physical world while being continuously exposed to potential cyber-attacks. These systems typically have limited performance, memory, and energy reserves, which limits their ability to run existing advanced malware protection and, in turn, makes securing them very challenging. To tackle these problems, this paper proposes Remote, a new robust framework that detects malware by externally observing the electromagnetic (EM) signals emitted by an electronic computing device (e.g., a microprocessor) while it runs a known application, in real time, with low detection latency, and without any a priori knowledge of the malware. Remote requires no resources or infrastructure on, and no modifications to, the monitored system itself, which makes it especially suitable for malware detection on resource-constrained devices such as embedded devices, CPSs, and Internet of Things (IoT) devices where hardware and energy resources may be limited. To demonstrate the usability of Remote in real-world scenarios, we port two real-world programs (an embedded medical device and an industrial PID controller), each with a meaningful attack (a code-reuse and a code-injection attack), to four different hardware platforms. We also port shellcode-based DDoS and ransomware attacks to five different standard applications on an embedded system. To further demonstrate the applicability of Remote to commercial CPS, we use Remote to monitor a robotic arm. Our results on all these hardware platforms show that, for all attacks on each platform, Remote successfully detects every instance of an attack with <0.1 percent false positives.
We also systematically evaluate the robustness of Remote to interrupts and other system activity, to signal variation among different physical instances of the same device design, to changes over time, and to plastic enclosures and nearby electronic devices. This evaluation includes hundreds of measurements and shows that Remote achieves excellent accuracy (<0.1 percent false positive and >99.9 percent true positive rates) under all these conditions. We also compare Remote to the prior work EDDIE [1] and SYNDROME [2], and demonstrate that these prior works are unable to achieve high accuracy under these variations.
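The detection principle the abstract describes, profiling the EM emissions of a known application and flagging windows that depart from that profile, can be illustrated with a toy spectral-signature detector. The following Python is an added example and is not code from the paper or its authors: the "EM trace" is synthesised from a block-level activity model, and the window length, spectrum distance and threshold rule are assumptions chosen for illustration, not Remote's actual signal processing. It shows why a code-injection attack that adds work to a control loop is visible from outside the device: the loop period, and hence the spectral peaks, move.

```python
"""Toy spectral-signature anomaly detector for an externally observed
side-channel trace (added illustration; not REMOTE's implementation).
Assumptions: a synthetic trace, a fixed analysis window, Euclidean distance
between normalised magnitude spectra, and a threshold derived from clean data."""
import cmath
import math
import random

WINDOW = 128          # samples per analysis window (assumed)
TRAIN_WINDOWS = 20    # clean windows used to build the reference profile
NOISE = 0.05          # additive Gaussian noise amplitude (assumed)


def emit(blocks, n_samples, rng, noise=NOISE):
    """Synthesise a trace for a program that loops over `blocks`, each given as
    (emission_amplitude, duration_in_samples). A real trace would come from a
    probe near the processor; here the amplitude simply follows the executing
    block, plus noise."""
    trace = []
    while len(trace) < n_samples:
        for amp, dur in blocks:
            trace.extend(amp + rng.gauss(0, noise) for _ in range(dur))
    return trace[:n_samples]


def spectrum(window):
    """Unit-norm magnitude spectrum over bins 1..N/2 via a direct DFT, so the
    example needs nothing beyond the standard library. The DC bin is dropped
    because the mean level depends on probe placement, not on executed code."""
    n = len(window)
    mean = sum(window) / n
    x = [v - mean for v in window]
    mags = []
    for k in range(1, n // 2 + 1):
        s = sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
        mags.append(abs(s))
    total = math.sqrt(sum(m * m for m in mags)) or 1.0
    return [m / total for m in mags]


def distance(a, b):
    return math.sqrt(sum((u - v) ** 2 for u, v in zip(a, b)))


def build_reference(clean_trace, window=WINDOW):
    """Profile the known application: mean spectrum over clean windows, and a
    threshold of 1.5x the largest clean deviation (margin is an assumption)."""
    specs = [spectrum(clean_trace[i:i + window])
             for i in range(0, len(clean_trace) - window + 1, window)]
    ref = [sum(col) / len(specs) for col in zip(*specs)]
    worst = max(distance(s, ref) for s in specs)
    return ref, worst * 1.5


def detect(trace, ref, threshold, window=WINDOW):
    """Return indices of windows whose spectrum deviates from the reference by
    more than `threshold`; detection latency is one window."""
    flagged = []
    for idx, i in enumerate(range(0, len(trace) - window + 1, window)):
        if distance(spectrum(trace[i:i + window]), ref) > threshold:
            flagged.append(idx)
    return flagged


# Constructed programs: a control loop of three basic blocks (period 32
# samples), and the same loop after a code-injection attack inserts extra
# work into every iteration (period 44 samples).
BENIGN = [(1.0, 10), (0.4, 14), (0.7, 8)]
INJECTED = [(1.0, 10), (0.4, 14), (0.9, 12), (0.7, 8)]


def run_demo(seed=1, test_windows=10):
    """Train on clean emissions, then monitor a benign run and an attacked run."""
    rng = random.Random(seed)
    ref, thr = build_reference(emit(BENIGN, WINDOW * TRAIN_WINDOWS, rng))
    benign_run = emit(BENIGN, WINDOW * test_windows, random.Random(seed + 1))
    attack_run = emit(INJECTED, WINDOW * test_windows, random.Random(seed + 2))
    return {
        "windows": test_windows,
        "false_positives": len(detect(benign_run, ref, thr)),
        "attack_windows_flagged": len(detect(attack_run, ref, thr)),
    }


if __name__ == "__main__":
    print(run_demo())
```

Two caveats that apply to this toy rather than to the paper: it compares magnitude spectra only, so a code-reuse attack that merely reorders the same blocks without changing the loop period would be invisible to it, and the threshold is set from a single device under fixed conditions, whereas the abstract's robustness evaluation (device-to-device variation, enclosures, nearby electronics) is exactly what such a naive threshold would fail.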

Updated: 2020-03-01