Tiny Changes in Energy Use Could Mean Your Computer Is Under Attack

Detecting computer viruses or other malware is traditionally a matter of scanning a computer for signatures of known threats—leading to a perennial game of catch-up that includes an initial period when a new attack goes undetected (see “The Antivirus Era is Over”). Deeper threats—such as hardware that has been modified to add back doors for spying—can’t be detected at all by antivirus products.

Now a Virginia Tech startup, Power Fingerprinting, based in Blacksburg, Virginia, says it has an entirely new method: detecting malicious activity by first taking a detailed fingerprint of a processor’s power consumption and monitoring for changes that indirectly reveal malicious activity, regardless of the source or novelty of that nefarious code.

“We are taking the biometrics of the system you are running. If someone manages to put a virus or a Trojan, or even modify the hardware, all of those intrusions will show up in the power consumption, and that gives us a chance to detect that a system has been compromised,” says Carlos Aguayo Gonzalez, the company’s cofounder and chief technology officer.

One government lab is studying the approach: the Savannah River National Laboratory, a U.S. Department of Energy lab that does basic energy research and helps maintain the nation’s nuclear weapons stockpiles.

The lab is on high alert for the possibility of cyberattack. “From what I’ve reviewed of what they’ve accomplished, it’s a very novel approach to detecting vulnerabilities or viruses, and it’s a totally independent method that can be combined with traditional scanning and patching,” says Joe Cordaro, an advisory engineer at the lab, who is an expert in nuclear instrumentation and process control.

Earlier this year, U.S. Defense Secretary Leon Panetta warned that attacks have been made on computer control systems of American electricity and water plants—and that such tactics could someday cause train crashes or blackouts. The warning came in the context of wider threats to computer security generally (see “Moore’s Outlaws”).

The threat to control systems was well illustrated in 2010 with the discovery of Stuxnet, a program believed to have been developed by Israel and U.S. agents to target Iranian industrial control systems used in the enrichment of uranium. The malware caused enrichment centrifuges to spin out of control, damaging them and delaying the country’s nuclear efforts. Aspects of Stuxnet are now starting to show up in other mainstream malware, some researchers say (see “New Malware Brings Cyberwar One Step Closer”).

One piece of hardware common to many industrial systems is a programmable logic controller—a circuit that can, for example, turn on a pump, valve, or motor. In theory, such devices can be thrown off by malware—or even come from the factory having been sabotaged with the capacity to issue false instructions. No antivirus could detect that, but comparing power-usage patterns to that of a device known to be free of any infection or tampering could do so, Cordaro says.

“If you are using these [devices] and are worried that there have been counterfeits put in that have a back door, this technology has the potential to detect that,” Cordaro says. “This is the first technology we’ve looked at that has a different approach in looking at the power signature instead of scanning for viruses.”

The company is running pilot tests at other government agencies and expects to release its first product in late 2013—one that will provide protection for industrial control systems.

The technology does not monitor the power consumption of the motors themselves, but of the processors controlling them: “How many bits have flipped from one state to another,” Gonzalez says.  “We could do it on the pumps and everything else, but we are not concentrating on that yet.”

The company, which builds on six years of university research and was in stealth mode until early 2012, has not published its latest results. Gonzalez says the power fingerprinting method has demonstrated, in one context, a 93 percent accuracy rate at detecting a single malicious instruction change and 99.9 percent accuracy when multiple instruction changes were made.

The technology has also demonstrated its ability to detect malware on the Android operating system by detecting power changes resulting from an attack called “RageAgainstTheCage,” an infection that takes over root privileges, giving full control over the device. “In theory, any malware, any intrusion in your system, we can detect it if the system has been pre-characterized,” Gonzalez says.

The company has gotten several grants from the National Science Foundation, Army and Air Force funding agencies, and Virginia’s Center for Innovative Technology.