We present results showing that software programs which are not part of the training set can be characterized into broad classes using involuntary RF side channels. This extends previous work on program identification through analog side channels, which focused on identifying a specific program from the training set or flagging previously unseen programs as "anomalous." The new approach enables an intrusion detection system to be robust to benign changes such as software updates and eliminates the need for an exhaustive training set covering every possible device function and state. We have applied our approach to a variety of devices under test, ranging from microcontrollers to laptop computers, and identified program classes such as processor-bound, signal processing, and database access. This approach is particularly applicable to defending devices that lack the computational resources to run traditional cybersecurity solutions, including industrial control systems (ICS) and Internet of Things (IoT) devices.