Towards Non-intrusive Malware Detection for Industrial Control Systems

Prashant Hari Narayan Rajput¹ and Michail Maniatakos²
¹ Computer Science and Engineering, NYU Tandon School of Engineering
prashanthrajput@nyu.edu
² Electrical and Computer Engineering, New York University Abu Dhabi
mihalis.maniatakos@nyu.edu

ABSTRACT


The convergence of the Operational Technology (OT) sector with Internet of Things (IoT) devices has increased cyberattacks on prominent OT devices such as Programmable Logic Controllers (PLCs). These devices have limited computational capabilities, no antivirus support, strict real-time requirements, and often older, unpatched operating systems. Traditional malware detection approaches can impact the real-time performance of such devices. Given these constraints, we propose Amaya, an external malware detection mechanism based on a combination of signature detection and machine learning. This technique employs remote analysis of malware binaries collected from the main memory of the PLC by a non-intrusive method using the Joint Test Action Group (JTAG) port. We evaluate Amaya against in-the-wild malware for the ARM and x86 architectures, achieving an accuracy of ≈98% and ≈94.7%, respectively. Furthermore, we analyze concept drift, spatial experimental bias, and the effects of downsampling the feature vector to understand the behavior of the model in a real-world setting.

Keywords: Malware Detection, JTAG, Entropy, SVM.


