Malware is evasive, intelligent and sneaky. No sooner than anti-virus software is updated to combat the latest attacks, a computer virus will have already evolved into something harder to detect and potentially more damaging to a computer system.

But malware isn’t without vulnerabilities. Engineers at The University of Texas at Austin and North Carolina State University have found an additional line of defense to detect threats posed by malware that doesn’t rely on the detection and protection provided by existing anti-virus software programs. Their method detects the presence of malware in large-scale embedded computer systems by monitoring power usage and identifying unusual surges as signs of unwelcome security threats.

The UT team from the Cockrell School of Engineering presented their work this week at the annual IEEE International Symposium on Hardware Oriented Security and Trust (HOST) in Washington, D.C.

The study was led by Shijia Wei, a Ph.D. candidate in the Cockrell School’s Department of Electrical and Computer Engineering; his adviser, assistant professor Mohit Tiwari; and colleagues, professor Michael Orshansky and associate professor Andreas Gerstlauer. Aydin Aysu, an assistant professor of electrical and computer engineering at North Carolina State University, also collaborated on the research.

In their presentation, the team outlines how they developed an external device that can be plugged into a system and observe and monitor its power usage. Engineers can identify certain power usage signatures as evidence of the presence of malware as well as determine how much of a threat they are to a compromised system. Because the device is a separate piece of hardware, it is not at risk of being infected in the same way anti-virus software programs already built into computer systems are frequently vulnerable to.

Whole systems — hardware and software — are now at risk from the latest series of cyberattacks. And malware is frequently designed to appear benign so that it can blend in with other applications on a computer system. However, a system’s power usage cannot be manipulated, and the UT engineers realized this offered an opportunity to observe and identify power signatures that differ from known benign behavior, referred to as “power anomalies.”

The new detection tool tracks power fluctuations specifically in embedded systems — from smartphones to industrial remote-control systems in power plants.

“We know what power consumption looks like when embedded systems are operating at normal levels,” Tiwari said. “By looking for power anomalies, we can tell with reasonable accuracy when malware is present in a system.”

But some malware are even designed to conceal their presence by mirroring the power usage of benign programs. UT engineers also studied the extent of damage such evasive malware can do.

“The real technical contribution of this work has been our ability to successfully model malware that conceal themselves by mimicking the power signatures of benign programs,” Tiwari said. “Models of evasive malware can then be used to determine the extent of damage that power detectors can protect against.”

Using power to detect the presence of malware isn’t the only clever part to this technology. The researchers also realized any detection system needed to be designed as an external device that could be plugged into a system. As a separate, unconnected device, it could not be at risk of attack. Current software security programs reside within the same systems that are targeted by malware, making them just as vulnerable to attack as other applications used on any computer. By using an external monitoring system that literally plugs into a network and shows the distribution of power, engineers can detect security breaches.

“While we can’t detect the specific kind of malware attacking a system, we can determine how much of a threat it is and to what extent it could cause problems,” Tiwari said.

The other advantage of measuring power to detect malware is that it is unaffected by the constant adaptation of cyberthreats.

“Malware keeps evolving in order to outsmart anti-virus software, meaning engineers must also continuously retrain their programs,” Wei said. “With our device, we can force the malware to mimic benign programs on embedded systems, and this can greatly reduce the potential damage an attack can cause.”

At this point, the technology is only capable of detecting the presence of unwanted bugs. It cannot eliminate the security threat itself, but that is the team’s next step.

This research project was funded by Lockheed Martin.