CASPER: an efficient approach to detect anomalous code execution from unintended electronic device emissions

Hira Agrawal; Ray Chen; Jeffrey K. Hollingsworth; Christine Hung; Rauf Izmailov; John Koshy; Joe Liberti; Chris Mesterharm; Josh Morman; Thimios Panagos; Marc Pucci; Işil Sebüktekin; Scott Alexander; Simon Tsang

doi:10.1117/12.2500234

15 May 2018 CASPER: an efficient approach to detect anomalous code execution from unintended electronic device emissions

Hira Agrawal, Ray Chen, Jeffrey K. Hollingsworth, Christine Hung, Rauf Izmailov, John Koshy, Joe Liberti, Chris Mesterharm, Josh Morman, Thimios Panagos, Marc Pucci, Işil Sebüktekin, Scott Alexander, Simon Tsang

Author Affiliations +

Proceedings Volume 10630, Cyber Sensing 2018; 106300V (2018) https://doi.org/10.1117/12.2500234
Event: SPIE Defense + Security, 2018, Orlando, FL, United States

Abstract

The CASPER system offers a lightweight, multi-disciplinary approach to detect the execution of anomalous code by monitoring the unintended electronic device emissions. Using commodity hardware and a combination of novel signal processing, machine learning, and program analysis techniques, we have demonstrated the ability to detect unknown code running on a device placed 12” from the CASPER system by analyzing the devices RF emissions. Our innovations for the sensors subsystem include multi-antenna processing algorithms which allow us to extend range and extract signal features in the presence of background noise and interference encountered in realistic training and monitoring environments. In addition, robust feature estimation methods have been developed that allow detection of device operating conditions in the presence of varying clock frequency and other aspects that may change from device to device or from training to monitoring. Furthermore, a band-scan technique has been implemented to automatically identify suitable frequency bands for monitoring based on a set of metrics including received power, expected spectral feature content (based on loop length and clock frequency), kurtosis, and mode clustering. CASPER also includes an auto-labeling feature that is used to discover the signal processing features that provide the greatest information for detection without human intervention. The system additionally includes a framework for anomaly detection engines, currently populated with three engines based on n-grams, statistical frequency, and control flow. As we will describe, the combination of these engines reduces the ways in which an attacker can adapt in an attempt to hide from CASPER. We will describe the CASPER concept, components and technologies used, a summary of results to-date, and plans for further development. CASPER is an ongoing research project funded under the DARPA LADS program.

Citation Download Citation

Hira Agrawal, Ray Chen, Jeffrey K. Hollingsworth, Christine Hung, Rauf Izmailov, John Koshy, Joe Liberti, Chris Mesterharm, Josh Morman, Thimios Panagos, Marc Pucci, Işil Sebüktekin, Scott Alexander, and Simon Tsang "CASPER: an efficient approach to detect anomalous code execution from unintended electronic device emissions", Proc. SPIE 10630, Cyber Sensing 2018, 106300V (15 May 2018); https://doi.org/10.1117/12.2500234

ACCESS THE FULL ARTICLE

INSTITUTIONAL
Select your institution to access the SPIE Digital Library.

SELECT YOUR INSTITUTION

PERSONAL
Sign in with your SPIE account to access your personal subscriptions or to use specific features such as save to my library, sign up for alerts, save searches, etc.

PERSONAL SIGN IN

No SPIE Account? Create one

PURCHASE THIS CONTENT

SUBSCRIBE TO DIGITAL LIBRARY

50 downloads per 1-year subscription

Members: $195

Non-members: $335 ADD TO CART

25 downloads per 1 - year subscription

Members: $145

Non-members: $250 ADD TO CART

PURCHASE SINGLE ARTICLE

Includes PDF, HTML & Video, when available