West Virginia University Lane Department of Computer Science and Electrical Engineering Technical Report
arXiv:1705.01977v1 [cs.CR] 4 May 2017
May 8, 2017

Malware Detection on General-Purpose Computers Using Power Consumption Monitoring: A Proof of Concept and Case Study

Jarilyn M. Hernández Jiménez∗†, Jeffrey A. Nichols∗, Katerina Goseva-Popstojanova†, Stacy Prowell∗, and Robert A. Bridges∗
∗ Computational Science and Engineering Division, Oak Ridge National Laboratory, Oak Ridge, TN 37831, {hernandezjm1, nicholsja2, prowellsj, [email protected]
† Lane Department of Computer Science and Electrical Engineering, West Virginia University, Morgantown, WV 26506, {jhernan7, [email protected]

Abstract—Malware detection is challenging when faced with automatically generated and polymorphic malware, as well as with rootkits, which are exceptionally hard to detect. In an attempt to contribute towards addressing these challenges, we conducted a proof of concept study that explored the use of power consumption for detection of malware presence in a general-purpose computer. The results of our experiments indicate that malware indeed leaves a signal on the power consumption of a general-purpose computer. Specifically, for the case study based on two different rootkits, the data collected at the +12V rails on the motherboard showed the most noticeable increment of the power consumption after the computer was infected. Our future work includes experimenting with more malware examples and workloads, and developing a data analytics approach for automatic malware detection based on power consumption.

I. INTRODUCTION

Polymorphic malware can bypass signature-based detection methods and simple heuristic detection techniques by slightly changing the instructions of an existing malware sample. These new malware instances are called variants. Although these variants appear to be different programs from the viewpoint of signature-based anti-virus scanners, they exhibit similar functionality to their predecessor. Consequently, these new malware variants can bypass traditional detection methods until a signature for them can be identified and incorporated into detection software [1].

Authors of malware detection systems have attempted to address this problem by using other methods that are more powerful than signature matching; for example, byte frequency [2], general similarity measures [3], and behavioral analysis [4] are among the proposed techniques. A common weakness of these detection methods is that they are executed on the same machine they are monitoring. Hence, successful attackers could disable the monitoring software or modify it to prevent detection after gaining entry to the system [5]. This behavior is evidenced by rootkits, a particularly insidious subclass of malware. Rootkits are a type of computer malware that were created to hide themselves and elude intrusion detection systems once they gain unauthorized access to a computer system [6].

Previous work has also explored the idea of detecting the presence of malware by monitoring the power consumption of mobile devices, embedded systems, and software defined radio. However, to the best of our knowledge, no one has explored if malware can be detected by monitoring the power consumption on general-purpose computers.

Our goal in this paper is to prove the hypothesis that, in order to mask themselves, rootkits will require a detectable change in the power consumption. Particularly, we are addressing the following research question: can we detect rootkits on general-purpose computers by analyzing only the power consumption? To this end we built a testbed and designed an experimental setup in which the power consumption was recorded for a sequence of events running on a Windows operating system. This work focuses only on rootkits because they are commonly associated with the establishment of advanced persistent threats and pose serious danger to our nation's computer systems. Preliminary results showed that malware indeed leaves a signal on the power consumption of a general-purpose computer. Specifically, monitoring the +12V rails on the motherboard was the most useful for identifying the increase in the power consumption after the general-purpose computer was infected by malware.

The paper proceeds with related work in Section II, followed by the experimental design in Section III, which includes the hardware and software setups used for collecting the power data, the experimental machine's execution of tasks, and descriptions of the rootkit. Section IV presents the results of the feasibility study. Finally, conclusions and promising directions for future research are discussed in Section V.

This manuscript has been authored by UT-Battelle, LLC under Contract No. DE-AC05-00OR22725 with the U.S. Department of Energy. The United States Government retains and the publisher, by accepting the article for publication, acknowledges that the United States Government retains a non-exclusive, paid-up, irrevocable, world-wide license to publish or reproduce the published form of this manuscript, or allow others to do so, for United States Government purposes. The Department of Energy will provide public access to these results of federally sponsored research in accordance with the DOE Public Access Plan (http://energy.gov/downloads/doe-public-access-plan).

II. RELATED WORK

Several works have used power consumption metrics for malware detection purposes. These methods have been tested on mobile devices [7], [8], embedded systems [9], and software defined radio [10], [11], [12].

The work by Hoffman et al. [7] explored if malware can be detected on smartphones by analyzing their power consumption. This method failed due to the noise caused by unpredictable factors, such as user interaction and the mobile's signal strength. On the other side, the approach presented by Yang et al. [8] demonstrated that malware can be detected by monitoring the power consumption of smartphones. The difference between these two works is mainly in the type of smartphones used in the experiments. The first method [7] focused mainly on "old" devices (HTC Nexus One and Samsung Galaxy Nexus), while the second method [8] focused on modern devices (Samsung Galaxy S5 and LG G2). Although PowerTutor [13] was used for the data collection in both works, this tool may have been updated between the time these two experiments were conducted, influencing the precision of the collected data and skewing the results.

Another method that monitors the power consumption on embedded systems with the objective of detecting malware was presented by Clark et al. [9]. Supervised machine learning techniques, such as 3-Nearest Neighbor, Multilayer Perceptron, and Random Forest, were used to analyze alternating current (AC) and to detect discrepancies among the power profiles. Even though the proposed approach shares several similarities with this work, the main difference is that the work in [9] focused on monitoring the AC outlet, while we are monitoring several direct current (DC) channels. The problem with AC is that the current changes direction periodically, and because the current changes its direction the voltage reverses, making the analog circuits much more susceptible to noise.

Similarly, power-based malware detection for software defined radio was explored by González et al. [10], [14]. This approach relied on extracting distinctive power consumption signatures and used pattern recognition techniques to determine if they matched the expected behaviors. This research was expanded and used by the PFP firm (http://pfpcyber.com), which developed a commercial product that detects anomalies on a device by analyzing its power consumption. This approach can also be applicable to embedded devices [11], [12]. The main difference between this approach and our work is that we monitor all the rails attached to the motherboard plus the CPU, while PFP monitors the power consumption of the device by placing a sensor on the processor's board as close to the power pins as possible.

Specifically, we are interested in determining if there is a difference in the power profiles between the normal and anomalous behavior (i.e., after infection).

A. Hardware Configuration

Our experimental system is a Dell OptiPlex 755 with a clean installation of 32-bit Windows 7. The instrumentation for our experiments was a Data Acquisition system (DAQ), Model Number: USB-1608G Series [15]. The DAQ connects to the device's motherboard power connector, and the voltage and current are collected on each of the DC power channels. The communication between this machine and the experimental machine was established through a USB port. The DAQ provides relatively high-resolution power data, is able to sample at a rate of 250 kHz, and can monitor up to 16 channels. Besides the DAQ, we also used an eight inch ATX power extender cable that had one male and one female 24-pin connector. The 24-pin male connector was attached to the motherboard, and the 24-pin female connector was attached to the power supply (PSU).

Each group of wires on the PSU was connected to a single overcurrent protection (OCP) circuit that is called a rail. A PSU has three voltage rails: +3.3V, +5V, and +12V. Table I provides a list of the devices that are typically powered by these voltage rails. The +3.3V rails or the +5V rails are typically used by the digital electronic components and circuits in the system [16]. Some examples of these components are adapter cards and disk drive logic boards. On the other hand, the disk drive motors and the fans use the +12V rails [16]. Besides disk drive motors and newer CPU voltage regulators, the +12V supply is used by any cooling fans in the system [16].

TABLE I: Voltage rail usage for a general-purpose computer

Rail       Devices Powered
+3.3V      chipsets, some DIMMs, PCI/AGP/PCIe cards, miscellaneous chips
+5V        disk drive logic, low-voltage motors, SIMMs, PCI/AGP/ISA cards, voltage regulators
+12V       motors, high-output voltage regulators, AGP/PCIe cards
+12V CPU   CPU

Acronyms:
• SIMM = Single Inline Memory Module
• DIMM = Dual Inline Memory Module
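The per-rail comparison that the hardware setup above is built to support, written here as an added example rather than the authors' own analysis code: it derives instantaneous power P = V·I from DAQ-style (voltage, current) samples on each ATX rail, profiles every rail over a baseline and a test window, and flags rails whose mean power rises beyond a z-score threshold. The sample values, the four-rail set and the 3σ threshold are constructed assumptions, not the paper's measurements.

```python
from statistics import mean, pstdev

# Rails monitored at the ATX connector plus the CPU 12V feed; names follow Table I.
RAILS = ("+3.3V", "+5V", "+12V", "+12V CPU")

# Constructed (voltage, current) sample pairs per rail, standing in for DAQ
# captures of the same workload on the clean machine (BASELINE) and after a
# hypothetical infection (TEST). Only the +12V rail is given a clear increment.
BASELINE = {
    "+3.3V":    [(3.3, 1.00), (3.3, 1.02), (3.3, 0.98), (3.3, 1.00)],
    "+5V":      [(5.0, 2.00), (5.0, 2.04), (5.0, 1.96), (5.0, 2.00)],
    "+12V":     [(12.0, 1.00), (12.0, 1.02), (12.0, 0.98), (12.0, 1.00)],
    "+12V CPU": [(12.0, 3.00), (12.0, 3.06), (12.0, 2.94), (12.0, 3.00)],
}
TEST = {
    "+3.3V":    [(3.3, 1.01), (3.3, 1.03), (3.3, 0.99), (3.3, 1.01)],
    "+5V":      [(5.0, 2.01), (5.0, 2.05), (5.0, 1.97), (5.0, 2.01)],
    "+12V":     [(12.0, 1.12), (12.0, 1.14), (12.0, 1.10), (12.0, 1.12)],
    "+12V CPU": [(12.0, 3.06), (12.0, 3.12), (12.0, 3.00), (12.0, 3.06)],
}

def rail_power(samples):
    """Instantaneous power per sample on one rail: P = V * I (watts)."""
    return [v * i for v, i in samples]

def profile(window):
    """Mean and population std-dev of power for every rail in a capture window."""
    return {r: (mean(rail_power(window[r])), pstdev(rail_power(window[r]))) for r in RAILS}

def compare(baseline, test, z_threshold=3.0):
    """Per-rail increment over baseline (watts, relative) and its z-score.

    A rail is flagged when its mean power under test sits more than
    z_threshold baseline standard deviations above the baseline mean.
    """
    base, tst = profile(baseline), profile(test)
    result = {}
    for r in RAILS:
        mu_b, sd_b = base[r]
        delta = tst[r][0] - mu_b
        z = delta / sd_b if sd_b > 0 else (float("inf") if delta > 0 else 0.0)
        result[r] = {"delta_w": delta, "rel": delta / mu_b, "z": z, "flag": z > z_threshold}
    return result

def most_affected_rail(result):
    """Rail with the largest relative increment, i.e. the best candidate to monitor."""
    return max(result, key=lambda r: result[r]["rel"])

if __name__ == "__main__":
    res = compare(BASELINE, TEST)
    for rail, s in res.items():
        print(f"{rail:9s} delta={s['delta_w']:+.3f} W rel={s['rel']:+.1%} z={s['z']:.2f} flag={s['flag']}")
    print("most affected rail:", most_affected_rail(res))
```

With real captures the baseline window should cover the same workload as the test window, since the paper's setup compares power profiles of the same sequence of events before and after infection.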