In this paper, we present a technique to label and record consistent device modes using an isolated system that senses the device's electromagnetic (EM) side-channel emanations. This allows us to characterize the device's normal behavior and detect anomalous behavior that results from a security breach of the device. Our technique requires no prior knowledge of the device or its behavior and is based on a new density-based clustering technique. The clustering technique uses the training data to create a density map over the instance space, approximating the density at any point by counting the number of training points in a fixed-radius ball centered at that point. The radius is computed to ensure that a majority of the training data has a density estimate with low relative error. This density map is used to build the clusters incrementally, in order of the density of the training points. Our approach is similar to DBSCAN, but our modifications remove the difficult-to-set parameters and allow the algorithm to discover clusters of greatly different densities. Because accurate density estimates are difficult to obtain in high-dimensional spaces, we perform our experiments after applying PCA to reduce the number of dimensions while retaining much of the clustering structure. We have applied this technique to several devices and confirmed that it discovers device behavior by running code with a known looping behavior, which is mirrored in our mode predictions. This has allowed us to detect deviations in device behavior that correspond to unauthorized code running on the device.
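As an added illustration of the clustering step (a simplified reconstruction written for this page, not the paper's code), the following Python grows clusters in descending order of a fixed-radius ball-count density, with the radius chosen automatically rather than set by hand as DBSCAN's eps is. The radius rule is an assumption: the abstract says only that the radius is chosen so that most training points get a density estimate with low relative error; here that is approximated by requiring that a fixed fraction of the points have at least `min_count` neighbours, since the relative error of a count-based estimate falls as the count grows. The 2-D sample points, `min_count` and `fraction` are constructed for the example, and the PCA step the paper applies first is omitted.

```python
"""Density-ordered clustering with an automatically chosen ball radius.

Added example, not the paper's implementation.  Densities are counts of
training points inside a radius-r ball; r is the smallest value that gives
a chosen fraction of the points at least min_count neighbours (assumed
proxy for 'low relative error' of the count-based density estimate);
clusters are then grown in descending density order.
"""
import math


def dist(a, b):
    """Euclidean distance between two equal-length tuples."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def neighbours_within(points, r):
    """For each point, the indices of the other points inside its radius-r ball."""
    n = len(points)
    nbrs = [[] for _ in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            if dist(points[i], points[j]) <= r:
                nbrs[i].append(j)
                nbrs[j].append(i)
    return nbrs


def choose_radius(points, min_count=4, fraction=0.8):
    """Smallest r such that at least `fraction` of the points have >= min_count
    neighbours within r: the min_count-th nearest-neighbour distance at the
    `fraction` quantile.  Assumption: a minimum neighbour count bounds the
    relative error of the ball-count density estimate for most points."""
    kth = []
    for i, p in enumerate(points):
        d = sorted(dist(p, q) for j, q in enumerate(points) if j != i)
        kth.append(d[min_count - 1])
    kth.sort()
    idx = min(len(kth) - 1, math.ceil(fraction * len(kth)) - 1)
    return kth[idx]


def density_cluster(points, r, min_count=4):
    """Cluster label (0, 1, ...) per point; -1 marks points with no dense neighbour.

    Points are visited in descending ball count.  A point with at least
    min_count neighbours joins the cluster of an already-labelled dense
    neighbour (clusters that meet at a dense point are merged) or seeds a
    new cluster.  Sparser points are attached afterwards to their densest
    labelled dense neighbour, like DBSCAN border points; the rest stay -1.
    Clusters separated by a gap wider than r stay apart regardless of how
    different their densities are."""
    nbrs = neighbours_within(points, r)
    count = [len(nb) for nb in nbrs]
    order = sorted(range(len(points)), key=lambda i: -count[i])
    parent = []  # union-find over provisional cluster ids

    def find(c):
        while parent[c] != c:
            parent[c] = parent[parent[c]]
            c = parent[c]
        return c

    labels = [-1] * len(points)
    for i in order:
        if count[i] < min_count:
            continue  # not dense enough to seed or extend a cluster
        seen = {find(labels[j]) for j in nbrs[i] if labels[j] != -1}
        if not seen:
            labels[i] = len(parent)
            parent.append(len(parent))
        else:
            root = min(seen)
            labels[i] = root
            for c in seen:  # clusters meeting at this dense point merge
                parent[c] = root
    for i in order:  # border points attach to the densest labelled dense neighbour
        if labels[i] == -1:
            cand = [j for j in nbrs[i] if labels[j] != -1 and count[j] >= min_count]
            if cand:
                labels[i] = labels[max(cand, key=lambda j: count[j])]
    roots = sorted({find(l) for l in labels if l != -1})
    remap = {rt: k for k, rt in enumerate(roots)}
    return [remap[find(l)] if l != -1 else -1 for l in labels]


def demo_points():
    """Constructed 2-D sample: a dense 5x5 grid (spacing 0.2), a sparser 4x4
    grid (spacing 1.0) far away, and one isolated point."""
    dense = [(0.2 * i, 0.2 * j) for i in range(5) for j in range(5)]
    sparse = [(10.0 + i, 10.0 + j) for i in range(4) for j in range(4)]
    return dense + sparse + [(30.0, 30.0)]


def run_demo():
    """Returns (chosen radius, labels) for the constructed sample."""
    pts = demo_points()
    r = choose_radius(pts)
    return r, density_cluster(pts, r)
```

On the constructed sample the chosen radius is the diagonal spacing of the sparse grid, so both grids come out as single clusters of very different density while the isolated point stays unlabelled; the only tunables are the neighbour count and the quantile, neither of which depends on the absolute scale of the data.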
The DARPA LADS program uses unintended emissions, including RF emissions, to try to determine the internal state of a digital device. The CASPER project uses a combination of digital signal processing and machine learning to discover changes of state that may indicate unwanted activity on the device. In this paper, we discuss our recent experience fielding the CASPER system as part of the DARPA RADICS exercise. The RADICS program is building the tools necessary to recover from a catastrophic attack on the cyber assets of the electrical grid; CASPER provides a complementary technology for discovering which assets are behaving anomalously, to help speed remediation efforts. The RADICS exercise lasted seven days and was conducted on a live electrical grid in a remote area. The exercise is designed to provide a high degree of realism, including no Internet access and limited access to supplies not already on site.
The CASPER system offers a lightweight, multidisciplinary approach to detecting the execution of anomalous code by monitoring a device's unintended electronic emissions. Using commodity hardware and a combination of novel signal processing, machine learning, and program analysis techniques, we have demonstrated the ability to detect unknown code running on a device placed 12 inches from the CASPER system by analyzing the device's RF emissions. Our innovations in the sensor subsystem include multi-antenna processing algorithms that extend range and extract signal features in the presence of the background noise and interference encountered in realistic training and monitoring environments. In addition, we have developed robust feature estimation methods that allow detection of device operating conditions despite varying clock frequency and other aspects that may change from device to device or from training to monitoring. Furthermore, a band-scan technique automatically identifies suitable frequency bands for monitoring based on a set of metrics including received power, expected spectral feature content (based on loop length and clock frequency), kurtosis, and mode clustering. CASPER also includes an auto-labeling feature that discovers, without human intervention, the signal processing features that provide the most information for detection. The system additionally includes a framework for anomaly detection engines, currently populated with three engines based on n-grams, statistical frequency, and control flow. As we will describe, the combination of these engines reduces the ways in which an attacker can adapt in an attempt to hide from CASPER. We describe the CASPER concept, the components and technologies used, a summary of results to date, and plans for further development. CASPER is an ongoing research project funded under the DARPA LADS program.
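As an added example (not CASPER's implementation, whose engines the abstract does not detail), the following Python shows why engines of different kinds run over a sequence of predicted device modes leave an attacker less room to adapt: an n-gram engine flags mode n-grams never seen during training, and a statistical frequency engine flags a shift in the mode histogram, measured as total variation distance. The mode alphabet, the looping program (a loop body A B D in which a check C runs on every other iteration), the two attack scenarios and the thresholds are all constructed for the example; the control-flow engine is not modelled.

```python
"""Two simplified anomaly engines over a predicted-mode sequence.

Added example, not CASPER's code.  The n-gram engine learns the set of
mode n-grams seen in training and scores a monitored sequence by the
fraction of unseen n-grams; the frequency engine learns the training mode
histogram and scores the total variation distance of the monitored
histogram from it.  Mode labels and sequences are constructed.
"""
from collections import Counter


def ngrams(seq, n):
    """All length-n windows of seq as tuples."""
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]


def train_ngrams(train_seq, n):
    """Set of n-grams observed during normal operation."""
    return set(ngrams(train_seq, n))


def ngram_score(known, seq, n):
    """Fraction of n-grams in seq that were never seen in training."""
    grams = ngrams(seq, n)
    return sum(1 for g in grams if g not in known) / len(grams)


def histogram(seq):
    """Relative frequency of each mode label in seq."""
    return {m: k / len(seq) for m, k in Counter(seq).items()}


def frequency_score(ref, seq):
    """Total variation distance between mode histograms (0 = identical,
    1 = disjoint).  A real monitor would evaluate this over sliding windows."""
    obs = histogram(seq)
    return 0.5 * sum(abs(obs.get(m, 0.0) - ref.get(m, 0.0))
                     for m in set(obs) | set(ref))


class ModeMonitor:
    """Runs both engines against a monitored mode sequence."""

    def __init__(self, train_seq, n=3, ngram_thresh=0.0, freq_thresh=0.1):
        self.n = n
        self.known = train_ngrams(train_seq, n)
        self.ref = histogram(train_seq)
        self.ngram_thresh = ngram_thresh  # tolerated fraction of unseen n-grams
        self.freq_thresh = freq_thresh    # tolerated histogram drift

    def check(self, seq):
        """Which engines fired on seq."""
        return {
            "ngram": ngram_score(self.known, seq, self.n) > self.ngram_thresh,
            "frequency": frequency_score(self.ref, seq) > self.freq_thresh,
        }


# Constructed training trace: loop body A B D, with check C executed on
# every other iteration, so one period of normal operation is 7 modes.
LOOP = list("ABCDABD")
TRAIN = LOOP * 16

SCENARIOS = {
    "normal": LOOP * 4,
    # same histogram as training, but D->C and C->A transitions never seen
    "reordered": list("ABDCABD") * 4,
    # the check C has been patched out: every 3-gram is one seen in training,
    # only the mode histogram reveals the change
    "check_skipped": list("ABD") * 9 + ["A"],
}


def run_demo():
    """Engine verdicts for each constructed scenario."""
    mon = ModeMonitor(TRAIN)
    return {name: mon.check(seq) for name, seq in SCENARIOS.items()}
```

In `reordered` the attacker preserves how much time is spent in each mode, so the frequency engine sees nothing while the n-gram engine catches the new transitions; in `check_skipped` every 3-gram is still one from training (the branch that skips C is a legitimate path), and only the frequency engine notices that C has stopped running. Evading both means preserving the mode order and the mode proportions of the original program at once.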