Machine Learning in Wavelet Domain for Electromagnetic Emission Based Malware Analysis
IEEE Transactions on Information Forensics and Security ( IF 6.3 ) Pub Date : 2021-05-17 , DOI: 10.1109/tifs.2021.3080510
Nikhil Chawla , Harshit Kumar , Saibal Mukhopadhyay

This paper presents a signal processing and machine learning (ML) based methodology that leverages electromagnetic (EM) emissions from an embedded device to remotely detect a malicious application running on the device and to classify that application into a malware family. We develop Fast Fourier Transform (FFT) based feature extraction followed by Support Vector Machine (SVM) and Random Forest (RF) ML models to detect malware. We further propose methods to learn the characteristic behavior of different malware samples from EM traces, revealing similarities to known malware families and improving the efficiency of malware analysis. We propose Discrete Wavelet Transform (DWT) based feature extraction from spectrograms of EM side-channel traces, with ML applied to the extracted features to learn fine-grained patterns of malware families. Experiments on the Open-Q 820 development platform show a 0.99 F1 score for detecting malware and a 0.88 F1 score for uniquely classifying malware among the 8 malware families evaluated, using SVM and RF models. We also demonstrate that the proposed framework identifies new, unknown applications with 0.99 recall and unknown malware families with 0.87 recall.
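The following is an added, self-contained toy version of the pipeline the abstract describes (EM trace, spectrogram, DWT features, classification, plus a rule for flagging traces that match no known family). It is not the authors' code or data: the traces are constructed synthetic signals, the FFT is replaced by a hand-rolled DFT, the DWT is a one-level Haar transform, and a nearest-centroid classifier with a distance threshold stands in for the paper's SVM/RF models so the example runs without numpy, scipy, or scikit-learn. All names, bin numbers and the 3x threshold rule are assumptions chosen for illustration.

```python
"""Toy version of the abstract's pipeline: EM trace -> spectrogram (DFT) ->
Haar DWT along time per frequency bin -> energy features -> classify, with a
distance threshold to flag traces unlike any known class.  Traces are
constructed synthetic data, not EM measurements from the paper."""
import cmath
import math
import random
from typing import Dict, List, Sequence, Tuple

SAMPLE_COUNT = 256   # samples per constructed trace
WINDOW = 16          # STFT window length; power of two so the Haar DWT pairs up evenly


def make_trace(kind: str, seed: int) -> List[float]:
    """Constructed stand-in for an EM trace (assumption: real traces are far noisier).
    'benign': steady tone in DFT bin 2; 'malware': tone in bin 5 plus a burst in
    bin 3 every 4th window; 'unknown': tone in bin 7, never seen in training."""
    rng = random.Random(seed)
    trace = []
    for n in range(SAMPLE_COUNT):
        t = n / WINDOW                       # a bin-k tone completes k cycles per window
        if kind == "benign":
            v = math.sin(2 * math.pi * 2 * t)
        elif kind == "malware":
            v = math.sin(2 * math.pi * 5 * t)
            if (n // WINDOW) % 4 == 0:
                v += 1.5 * math.sin(2 * math.pi * 3 * t)
        else:
            v = math.sin(2 * math.pi * 7 * t)
        trace.append(v + rng.gauss(0.0, 0.05))
    return trace


def magnitude_spectrum(window: Sequence[float]) -> List[float]:
    """One-sided DFT magnitude; a hand-rolled stand-in for an FFT call."""
    n = len(window)
    return [abs(sum(x * cmath.exp(-2j * math.pi * k * i / n) for i, x in enumerate(window)))
            for k in range(n // 2 + 1)]


def spectrogram(trace: Sequence[float]) -> List[List[float]]:
    """Rows are non-overlapping time windows, columns are frequency bins."""
    return [magnitude_spectrum(trace[s:s + WINDOW])
            for s in range(0, len(trace) - WINDOW + 1, WINDOW)]


def haar_dwt(x: Sequence[float]) -> Tuple[List[float], List[float]]:
    """One-level Haar DWT: approximation (local mean) and detail (local change)."""
    approx = [(x[i] + x[i + 1]) / math.sqrt(2) for i in range(0, len(x) - 1, 2)]
    detail = [(x[i] - x[i + 1]) / math.sqrt(2) for i in range(0, len(x) - 1, 2)]
    return approx, detail


def energy(coeffs: Sequence[float]) -> float:
    return math.sqrt(sum(c * c for c in coeffs))


def features(trace: Sequence[float]) -> List[float]:
    """Per frequency bin: DWT approximation energy (steady emission) and detail
    energy (bursty emission) of that bin's evolution over time."""
    spec = spectrogram(trace)
    feats = []
    for k in range(len(spec[0])):
        approx, detail = haar_dwt([row[k] for row in spec])
        feats.extend((energy(approx), energy(detail)))
    return feats


def euclid(a: Sequence[float], b: Sequence[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def train(labelled: Dict[str, List[List[float]]]) -> Tuple[Dict[str, List[float]], float]:
    """Nearest-centroid model (stand-in for the paper's SVM/RF).  The returned
    threshold, 3x the largest in-class distance seen in training, is the
    assumed rule for calling a trace 'unknown' instead of force-fitting a family."""
    centroids, spread = {}, 0.0
    for label, feats in labelled.items():
        centroid = [sum(col) / len(feats) for col in zip(*feats)]
        centroids[label] = centroid
        spread = max(spread, max(euclid(f, centroid) for f in feats))
    return centroids, 3.0 * spread


def classify(feat: Sequence[float], centroids: Dict[str, List[float]], threshold: float) -> str:
    label, dist = min(((l, euclid(feat, c)) for l, c in centroids.items()), key=lambda p: p[1])
    return label if dist <= threshold else "unknown"


def demo() -> Dict[str, str]:
    model, thr = train({
        "benign": [features(make_trace("benign", s)) for s in range(6)],
        "malware": [features(make_trace("malware", s)) for s in range(100, 106)],
    })
    return {kind: classify(features(make_trace(kind, 900 + i)), model, thr)
            for i, kind in enumerate(("benign", "malware", "unknown"))}


if __name__ == "__main__":
    print(demo())
```

The point of taking the DWT along the time axis of each spectrogram column is visible in the feature vector: a steady tone shows up as approximation energy in its bin, while the periodic burst in the malware trace shows up as detail energy, which is what separates bursty from steady emitters even when their dominant frequencies overlap. The distance threshold is what lets the model answer "none of the above" for the unknown trace rather than assigning it the closest family.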

Updated: 2021-05-17