SBIR Phase I: Anomaly and malware detection using side channel analysis

The broader impact/commercial potential of this Small Business Innovation Research (SBIR) Phase I project is the improvement of trustworthy software execution. The proposed system, composed of a hardware monitoring device and a cloud-based security analytics engine, will detect process anomalies and malware in equipment where traditional anti-virus products cannot be installed. This solution externally observes system activity by analyzing side-channel phenomena such as power consumption. Unlike traditional anti-virus products that may interfere with normal operations and require constant updates, these side-channel measurements are independent of the software running on commercial equipment such as medical devices or point-of-sale terminals. The proposed method processes those measurements with a continuous cloud-based machine-learning engine and integrates multiple data sources to provide IT professionals with a reliable source of timely, actionable results. If successful, this project will help technicians quickly catch anomalous behavior, including malware, before it spreads to other devices. This Small Business Innovation Research (SBIR) Phase I project explores the independent, nonintrusive detection of anomalous behavior, including malware, on high-assurance computing devices. Many commercial appliances, such as medical devices, run commodity operating systems but cannot support traditional anti-virus programs that consume precious resources and require frequent database updates. This incompatibility has resulted in widespread malware infections on equipment at hospitals, retailers and critical facilities. The proposed research will involve continuously monitoring the power consumption side-channel without disrupting normal operations. The intellectual merit of the project lies in cloud-based, high-frequency measurements and correlation of equipment behavior in order to quickly and accurately identify anomalous operations at scale. The goal of the proposed research is to correlate side-channel outputs with system activity across geographically diverse sets of equipment in order to improve anomaly, breach, and malware detection in real-world deployments.