TY - GEN
T1 - Towards Non-intrusive Malware Detection for Industrial Control Systems
AU - Narayan Rajput, Prashant Hari
AU - Maniatakos, Michail
N1 - Publisher Copyright:
© 2021 EDAA.
PY - 2021/2/1
Y1 - 2021/2/1
N2 - The convergence of the Operational Technology (OT) sector with the Internet of Things (IoT) devices has increased cyberattacks on prominent OT devices such as Programmable Logic Controllers (PLCs). These devices have limited computational capabilities, no antivirus support, strict real-time requirements, and often older, unpatched operating systems. The use of traditional malware detection approaches can impact the real-time performance of such devices. Due to these constraints, we propose Amaya, an external malware detection mechanism based on a combination of signature detection and machine learning. This technique employs remote analysis of malware binaries collected from the main memory of the PLC by a non-intrusive method using the Joint Test Action Group (JTAG) port. We evaluate Amaya against in-the-wild malware for ARM and x86 architectures, achieving an accuracy of 98% and 94.7%, respectively. Furthermore, we analyze concept drift, spatial experimental bias, and the effects of downsampling the feature vector to understand the behavior of the model in a real-world setting.
AB - The convergence of the Operational Technology (OT) sector with the Internet of Things (IoT) devices has increased cyberattacks on prominent OT devices such as Programmable Logic Controllers (PLCs). These devices have limited computational capabilities, no antivirus support, strict real-time requirements, and often older, unpatched operating systems. The use of traditional malware detection approaches can impact the real-time performance of such devices. Due to these constraints, we propose Amaya, an external malware detection mechanism based on a combination of signature detection and machine learning. This technique employs remote analysis of malware binaries collected from the main memory of the PLC by a non-intrusive method using the Joint Test Action Group (JTAG) port. We evaluate Amaya against in-the-wild malware for ARM and x86 architectures, achieving an accuracy of 98% and 94.7%, respectively. Furthermore, we analyze concept drift, spatial experimental bias, and the effects of downsampling the feature vector to understand the behavior of the model in a real-world setting.
KW - JTAG
KW - SVM
KW - entropy
KW - malware detection
UR - http://www.scopus.com/inward/record.url?scp=85111037757&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85111037757&partnerID=8YFLogxK
U2 - 10.23919/DATE51398.2021.9474121
DO - 10.23919/DATE51398.2021.9474121
M3 - Conference contribution
AN - SCOPUS:85111037757
T3 - Proceedings - Design, Automation and Test in Europe, DATE
SP - 1703
EP - 1706
BT - Proceedings of the 2021 Design, Automation and Test in Europe, DATE 2021
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2021 Design, Automation and Test in Europe Conference and Exhibition, DATE 2021
Y2 - 1 February 2021 through 5 February 2021
ER -