Article
DOI: 10.5555/2696523.2696532

WattsUpDoc: power side channels to nonintrusively discover untargeted malware on embedded medical devices

Published: 12 August 2013

Abstract

Medical devices based on embedded systems are ubiquitous in clinical settings. Increasingly, they connect to networks and run off-the-shelf operating systems vulnerable to malware. But strict validation requirements make it prohibitively difficult or costly to use anti-virus software or automated operating system updates on these systems. Our add-on monitoring system, WattsUpDoc, uses a traditionally undesirable side channel of power consumption to enable run-time malware detection. In our experiments, WattsUpDoc detected previously known malware with at least 94% accuracy and previously unknown malware with at least 85% accuracy on several embedded devices--detection rates similar to those of conventional malware-detection systems on PCs. WattsUpDoc detects malware without requiring hardware or software modifications or network communication.



Published In

HealthTech'13: Proceedings of the 2013 USENIX conference on Safety, Security, Privacy and Interoperability of Health Information Technologies
August 2013
9 pages

Sponsors

  • SHARPS
  • CODENOMICON
  • AAMI: Association for the Advancement of Medical Instrumentation
  • Microsoft Research

Publisher

USENIX Association

United States

Qualifiers

  • Article

Cited By

  • (2019) EMMA. Proceedings of the 52nd Annual IEEE/ACM International Symposium on Microarchitecture, pp. 983-995. DOI: 10.1145/3352460.3358261. Online publication date: 12-Oct-2019
  • (2019) Dynamic Malware Analysis in the Modern Era—A State of the Art Survey. ACM Computing Surveys 52:5, pp. 1-48. DOI: 10.1145/3329786. Online publication date: 13-Sep-2019
  • (2019) Energy audition based cyber-physical attack detection system in IoT. Proceedings of the ACM Turing Celebration Conference - China, pp. 1-5. DOI: 10.1145/3321408.3321588. Online publication date: 17-May-2019
  • (2018) On-Device Detection via Anomalous Environmental Factors. Proceedings of the 8th Software Security, Protection, and Reverse Engineering Workshop, pp. 1-8. DOI: 10.1145/3289239.3289246. Online publication date: 3-Dec-2018
  • (2018) Towards detection of modified firmware on solid state drives via side channel analysis. Proceedings of the International Symposium on Memory Systems, pp. 315-320. DOI: 10.1145/3240302.3285860. Online publication date: 1-Oct-2018
  • (2018) TEMProf. Proceedings of the 51st Annual IEEE/ACM International Symposium on Microarchitecture, pp. 881-893. DOI: 10.1109/MICRO.2018.00076. Online publication date: 20-Oct-2018
  • (2018) Non-intrusive runtime monitoring through power consumption to enforce safety and security properties in embedded systems. Formal Methods in System Design 53:1, pp. 113-137. DOI: 10.1007/s10703-017-0298-3. Online publication date: 1-Aug-2018
  • (2017) EDDIE. ACM SIGARCH Computer Architecture News 45:2, pp. 333-346. DOI: 10.1145/3140659.3080223. Online publication date: 24-Jun-2017
  • (2017) EDDIE. Proceedings of the 44th Annual International Symposium on Computer Architecture, pp. 333-346. DOI: 10.1145/3079856.3080223. Online publication date: 24-Jun-2017
  • (2017) Acoustic Cryptanalysis. Journal of Cryptology 30:2, pp. 392-443. DOI: 10.1007/s00145-015-9224-2. Online publication date: 1-Apr-2017
