US startup finds malware intrusions by keeping an eye on processor radio frequencies

PFP Cybersecurity, a startup with roots in academia and the military, seeks out malware by analyzing the performance of hardware - not software and not the behavior of devices on the network.

PFP's system compares ongoing radio-frequency output from processors to a baseline that is established when the device is known to be performing legitimate tasks. When it detects anomalies that might represent malicious activity, it triggers alarms. Then it's up to other tools to figure out what exactly is behind the problem.

The system could be used to keep an eye on a large number of similar devices all performing the same task, such as those found in supervisory control and data acquisition (SCADA) networks that support power grids, chemical plants and the like. Savannah River National Laboratory is considering the gear to protect its smart-grid relays.

The system could also be used to check new devices as they are delivered from the plants where they are made in order to find faulty ones or ones that have been tampered with, the company says.

The technology came out of research done at Virginia Tech from 2006 through 2010 and funded by the Department of Defense, the Defense Advanced Research Projects Agency, and the Department of Homeland Security. The sponsors were seeking a way to identify whether software-defined radios have unauthorized software running on them. The technology that was developed had a much more general application, says Dr. Jeffrey Reed, cofounder and president of PFP, so he spent time securing rights to the work and setting up the company with cofounder Steven Chen.

The name PFP comes from power fingerprinting, which is how the founders describe what their gear establishes for each device it protects.

The company says it already has contracts for its products from the NSF, the U.S. Army and Air Force, DARPA, and the Department of Homeland Security. It was named one of the SINET 16, a group of 16 companies deemed noteworthy for their innovative security technology by SINET, an organization supported by the DHS to network players in global security.

PFP's system starts with a probe installed atop the CPU of a network device. The circular probes come in two sizes (about a quarter of an inch and about half an inch) and are connected via a fine coaxial cable to a digitizer outside the device that converts the analog RF signal into a digital signal. The signal fluctuates as the power consumption of the chip varies.

The probe and digitizer package is called eMonitor. The probe is not connected electrically to the device it monitors, so it can't be detected by hackers, the company says.

PFP analytic engine software, called P2Scan, constantly monitors the signal and compares it to the baseline. When it differs and the difference persists, it triggers an alarm. The software has an API that can link the output to SIEM platforms. It's currently integrated with Splunk's operational intelligence platform, and the company has plans to integrate with HP ArcSight SIEM.
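To make the baseline-and-persistence logic described above concrete, here is a small added illustration in Python; it is not PFP code, and the per-sample mean/standard-deviation baseline, the z-score metric, the threshold of 3.0 and the three-window persistence rule are all assumptions of this example, not details the article gives.

```python
from statistics import mean, pstdev

def build_baseline(reference_traces):
    """Per-sample mean and standard deviation across traces captured while the
    device is known to be running only legitimate work (the 'fingerprint')."""
    n = len(reference_traces[0])
    columns = [[t[i] for t in reference_traces] for i in range(n)]
    return [(mean(c), pstdev(c)) for c in columns]

def deviation(trace, baseline):
    """Mean absolute z-score of one captured window against the baseline.
    Assumed metric; the vendor's actual comparison is not described."""
    scores = []
    for x, (mu, sigma) in zip(trace, baseline):
        scores.append(abs(x - mu) / sigma if sigma > 0 else abs(x - mu))
    return mean(scores)

def monitor(windows, baseline, threshold=3.0, persist=3):
    """Return the window indices at which an alarm is raised.  A single
    deviant window is ignored; the alarm fires only once the deviation has
    exceeded `threshold` for `persist` consecutive windows, matching the
    'differs and the difference persists' rule described in the article."""
    alarms, run = [], 0
    for i, window in enumerate(windows):
        if deviation(window, baseline) > threshold:
            run += 1
            if run == persist:      # fire once per sustained excursion
                alarms.append(i)
        else:
            run = 0
    return alarms

# Constructed sample data: each trace is six digitizer samples of one
# work cycle on an imaginary relay CPU (not real measurements).
REFERENCE = [[10, 12, 15, 12, 10, 8], [11, 12, 14, 12, 10, 9],
             [10, 13, 15, 11, 10, 8], [9, 12, 16, 12, 11, 8]]
NORMAL = [10, 12, 15, 12, 10, 8]
GLITCH = [10, 12, 40, 12, 10, 8]          # one-off spike, e.g. a noise burst
INJECTED = [14, 16, 19, 16, 14, 12]       # sustained extra load on every sample
WINDOWS = [NORMAL, NORMAL, GLITCH, NORMAL, NORMAL,
           INJECTED, INJECTED, INJECTED, INJECTED, NORMAL]

if __name__ == "__main__":
    base = build_baseline(REFERENCE)
    print("alarm at windows:", monitor(WINDOWS, base))   # [7]
```

The transient spike at window 2 is suppressed, while the sustained excursion starting at window 5 raises a single alarm once it has persisted for three windows.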

Within two years the company hopes to have the probes embedded in chips to reduce the cost to pennies, Reed says. Current pricing for eMonitor is between US$3,000 and $5,000. Pricing for P2Scan software depends on the application.

The company is backed by $1 million in investments from Blu Venture Investors and the CIT GAP Fund.
