EM Side Channels for Obfuscation-Aware Malware Detection on Intel: Packers and Virtualization

Research Article

Sergio López-Flores, Antonio Muñoz

This is a preprint; it has not been peer reviewed by a journal.
https://doi.org/10.21203/rs.3.rs-8925591/v1
This work is licensed under a CC BY 4.0 License.

Status: Under Review. Version 1 posted 05 Mar, 2026. You are reading this latest preprint version.

Abstract

Executable packing and code virtualization are widely used to impede malware analysis, weakening both static inspection and in-host dynamic monitoring. This paper evaluates whether near-field electromagnetic (EM) leakage can expose these obfuscation layers on commodity Intel desktop hardware without any software instrumentation.

We study two binary tasks, packed vs. unpacked and virtualized vs. non-virtualized, using paired variants derived from three Linux malware families, with executions interleaved with realistic benign background activity. Two acquisition and representation strategies are compared: a high-fidelity PicoScope-based chain processed through STFT spectrograms with NICV-guided frequency selection, and EM-SENSE, a low-cost Arduino-based prototype that operates at low sampling rates and uses direct time-domain encoding.

Across consistent experimental splits and a shared model suite, EM emissions retain discriminative structure for both packing and virtualization. High-fidelity measurements reach up to 99% accuracy for packing and 94% for virtualization, while the low-cost prototype remains above 90% on both tasks. Classical LDA-based pipelines consistently outperform deep architectures, indicating that carefully engineered representations are more effective than end-to-end learning under the studied acquisition conditions.

These results support EM side-channel sensing, including low-cost hardware, as a practical, complementary signal for detecting modern malware obfuscation.

Keywords: Malware detection, Obfuscation, Electromagnetic side-channel analysis, Intel processors, Code virtualization

Additional Declarations: No competing interests reported.

Editorial history:
- Reviewers agreed at journal: 11 May, 2026
- Reviewers invited by journal: 02 Mar, 2026
- Editor assigned by journal: 28 Feb, 2026
- Submission checks completed at journal: 25 Feb, 2026
- First submitted to journal: 20 Feb, 2026