Startup finds malware intrusions by keeping an eye on processor radio frequencies

26.01.2015
PFP Cybersecurity, a startup with roots in academia and the military, seeks out malware by analyzing the performance of hardware - not software and not the behavior of devices on the network.

PFP's system compares ongoing radio-frequency output from processors to a baseline that is established when the device is known to be performing legitimate tasks. When it detects anomalies that might represent malicious activity, it triggers alarms. Then it's up to other tools to figure out what exactly is behind the problem.

The system could be used to keep an eye on a large number of similar devices all performing the same task, such as those found in supervisory control and data acquisition (SCADA) networks that support power grids, chemical plants and the like. Savannah River National Laboratory is considering the gear for to protect its smart-grid relays.

The system could also be used to check new devices as they are delivered from the plants where they are made in order to find faulty ones or ones that have been tampered with, the company says.

The technology came out of research done at Virginia Tech from 2006 through 2010 and funded by the Department of Defense, the Defense Advanced Research Projects Agency, and the Department of Homeland Security. They were seeking a way to identify whether software-defined radios have unauthorized software running on them. The technology that was developed had a much more general application, says Dr. Jeffrey Reed, cofounder and president of PFP, so he spent time securing rights to the work and setting up the company with cofounder Steven Chen.

The name PFP comes from power fingerprinting, which is how the founders describe what their gear establishes for each device it protects.

The company says it already has contracts for its products from the NSF, the U.S. Army and Air Force, DARPA, and the Department of Homeland Security. It was named one of the SINET 16, a group of 16 companies deemed noteworthy for their innovative security technology by SINET, an organization supported by the DHS to network players in global security.

PFP's system starts with a probe installed atop the CPU of a network device. The circular probes come in two sizes about a quarter of an inch and about half an inch that are connected via a fine coaxial cable to a digitizer outside the device that converts the analog RF signal into a digital signal. The signal fluctuates as the power consumption of the chip varies.

The probe and digitizer package is called eMonitor. The probe is not connected electrically to the device it monitors, so it can't be detected by hackers, the company says.

PFP analytic engine software, called P2Scan, constantly monitors the signal and compares it to the baseline. When it differs and the difference persists, it triggers an alarm. The software has an API that can link the output to SIEM platforms. It's currently integrated with Splunk's operational intelligence platform, and the company has plans to integrate with HP ArcSight SIEM.

Within two years the company hopes to have the probes embedded in chips to reduce the cost to pennies, Reed says. Current pricing for eMonitor is between $3,000 and $5,000. Pricing for P2Scan software depends on the application.

The company is backed by $1 million in investments from Blu Venture Investors and the CIT GAP Fund.

(www.networkworld.com)

Tim Greene