A novel algorithm for detecting GSMem attacks
Weijun Zhu, Kai Nie, ShaoHuan Ban, Yongwen Fan, Jianwei Wang
2017 8th IEEE International Conference on Software Engineering and Service Science (ICSESS), published 2017-11-01
DOI: 10.1109/ICSESS.2017.8343045
Citations: 1
Abstract
GSMem is malware that targets air-gapped computers. Up to now, no method can detect it. To this end, this paper puts forward an algorithm for detecting GSMem. First, the new algorithm detects whether there exists a thread in memory that periodically calls the MOVNTDQ instruction. If such a thread is found, a binary string generated from the periodic calls is matched against another binary string that encodes some confidential information, and the new algorithm determines whether a GSMem attack is occurring according to the result of the match. The simulation results show that the new algorithm can, in principle, detect GSMem in air-gapped networks. The complexity analysis demonstrates that the new algorithm completes its task in polynomial time.