As one of the fundamental approaches to code optimization and performance analysis, profiling software activity can reveal the presence of malware, code execution problems, etc. In this paper, we propose a methodology to profile a system with no overhead. The approach leverages the electromagnetic (EM) emanations produced while a program executes, and exploits the program's flow diagram by constructing a Markov model. The states of the model are the heavily executed blocks (called hot paths) of the program, and a transition between two states is possible only if there exists a branching operation that allows execution to pass from one state to the other without any intermediate state. To identify the state of the program, we utilize a supervised learning method. To do so, we first collect signals for each state, extract features, and generate a dictionary. The features are the frequencies that are activated when the program is executed. The assumption here is that there exists at least one unique frequency component that is only active for one unique state. Moreover, to reduce the effect of interrupts and of signals emanated from other parts of the device, and to obtain signals with a high Signal-to-Noise Ratio (SNR), we average the output of the Short-Time Fourier Transform (STFT). After extracting features, we apply Principal Component Analysis (PCA) for dimension reduction, which makes monitoring the system in real time feasible. Finally, we describe the experimental setup and show results demonstrating that the proposed methodology can detect malware activity with high accuracy.
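The pipeline described above, as an added worked example that is not the paper's code: a constructed EM trace in which each hot path activates one unique tone, averaged-STFT features, a PCA-reduced dictionary, and a Markov model of the flow graph whose transition set flags an execution that follows no legal branch. The sample rate, the per-state tones, the transition graph, and the nearest-centroid classifier used as the supervised method are all assumptions of this example.

```python
import numpy as np

FS, FRAME = 1000.0, 64          # constructed sample rate and STFT window length
# Constructed model: each hot path (state) activates one unique frequency.
STATE_FREQ = {0: 60.0, 1: 150.0, 2: 240.0}
# Markov transitions allowed by the (assumed) flow graph; 0 -> 2 has no branch.
TRANSITIONS = {0: {0, 1}, 1: {1, 2}, 2: {2, 0}}

def emanation(state, n, rng, noise=0.5):
    """Constructed EM trace for one state: its tone plus Gaussian noise."""
    t = np.arange(n) / FS
    return np.sin(2 * np.pi * STATE_FREQ[state] * t) + noise * rng.standard_normal(n)

def averaged_stft(x):
    """Mean magnitude spectrum over STFT frames; averaging raises the SNR."""
    frames = x[: len(x) // FRAME * FRAME].reshape(-1, FRAME) * np.hanning(FRAME)
    return np.abs(np.fft.rfft(frames, axis=1)).mean(axis=0)

def build_dictionary(rng, reps=20):
    """Supervised training: per-state averaged STFT features, then PCA to 2-D."""
    X = np.array([averaged_stft(emanation(s, 2048, rng))
                  for s in STATE_FREQ for _ in range(reps)])
    y = np.repeat(list(STATE_FREQ), reps)
    mean = X.mean(axis=0)
    _, _, vt = np.linalg.svd(X - mean, full_matrices=False)
    proj = vt[:2].T                                 # two principal components
    Z = (X - mean) @ proj
    centroids = {s: Z[y == s].mean(axis=0) for s in STATE_FREQ}
    return mean, proj, centroids

def identify_state(x, model):
    """Nearest-centroid classification in the reduced feature space."""
    mean, proj, centroids = model
    z = (averaged_stft(x) - mean) @ proj
    return min(centroids, key=lambda s: np.linalg.norm(z - centroids[s]))

def profile_trace(segments, model):
    """Classify each segment; flag transitions the flow graph does not allow."""
    states, alerts = [], []
    for x in segments:
        s = identify_state(x, model)
        if states and s not in TRANSITIONS[states[-1]]:
            alerts.append((states[-1], s))
        states.append(s)
    return states, alerts

def demo():
    """Constructed end-to-end run: train, then profile one execution trace."""
    rng = np.random.default_rng(1)
    model = build_dictionary(rng)
    trace = [0, 1, 2, 0, 0, 2]                      # 0 -> 2 is not a legal branch
    return profile_trace([emanation(s, 2048, rng) for s in trace], model)
```

`demo()` returns the recovered state sequence together with the one illegal transition, which is the kind of deviation from the flow graph that this profiling approach would surface as suspicious activity.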