
Proceedings Paper

CASPER: an efficient approach to detect anomalous code execution from unintended electronic device emissions
Author(s): Hira Agrawal; Ray Chen; Jeffrey K. Hollingsworth; Christine Hung; Rauf Izmailov; John Koshy; Joe Liberti; Chris Mesterharm; Josh Morman; Thimios Panagos; Marc Pucci; Işil Sebüktekin; Scott Alexander; Simon Tsang

Paper Abstract

The CASPER system offers a lightweight, multi-disciplinary approach to detect the execution of anomalous code by monitoring the unintended electronic device emissions. Using commodity hardware and a combination of novel signal processing, machine learning, and program analysis techniques, we have demonstrated the ability to detect unknown code running on a device placed 12” from the CASPER system by analyzing the device's RF emissions. Our innovations for the sensors subsystem include multi-antenna processing algorithms which allow us to extend range and extract signal features in the presence of background noise and interference encountered in realistic training and monitoring environments. In addition, robust feature estimation methods have been developed that allow detection of device operating conditions in the presence of varying clock frequency and other aspects that may change from device to device or from training to monitoring. Furthermore, a band-scan technique has been implemented to automatically identify suitable frequency bands for monitoring based on a set of metrics including received power, expected spectral feature content (based on loop length and clock frequency), kurtosis, and mode clustering. CASPER also includes an auto-labeling feature that is used to discover the signal processing features that provide the greatest information for detection without human intervention. The system additionally includes a framework for anomaly detection engines, currently populated with three engines based on n-grams, statistical frequency, and control flow. As we will describe, the combination of these engines reduces the ways in which an attacker can adapt in an attempt to hide from CASPER. We will describe the CASPER concept, components and technologies used, a summary of results to date, and plans for further development. CASPER is an ongoing research project funded under the DARPA LADS program.

Paper Details

Date Published: 15 May 2018
PDF: 20 pages
Proc. SPIE 10630, Cyber Sensing 2018, 106300V (15 May 2018); doi: 10.1117/12.2500234
Author Affiliations
Hira Agrawal, Vencore Labs. (United States)
Ray Chen, Univ. of Maryland, College Park (United States)
Jeffrey K. Hollingsworth, Univ. of Maryland, College Park (United States)
Christine Hung, Vencore Labs. (United States)
Rauf Izmailov, Vencore Labs. (United States)
John Koshy, Vencore Labs. (United States)
Joe Liberti, Vencore Labs. (United States)
Chris Mesterharm, Vencore Labs. (United States)
Josh Morman, Vencore Labs. (United States)
Thimios Panagos, Vencore Labs. (United States)
Marc Pucci, Vencore Labs. (United States)
Işil Sebüktekin, Vencore Labs. (United States)
Scott Alexander, Vencore Labs. (United States)
Simon Tsang, Vencore Labs. (United States)


Published in SPIE Proceedings Vol. 10630:
Cyber Sensing 2018
Igor V. Ternovskiy; Peter Chin, Editor(s)
