DocumentCode
3762205
Title
Detection of x86 malware in AMI data payloads
Author
Vignesh Babu;David M. Nicol
Author_Institution
Information Trust Institute, University of Illinois at Urbana Champaign, Urbana, IL-USA
fYear
2015
Firstpage
617
Lastpage
622
Abstract
Malware can spread uncontrollably if left unchecked and can cause significant damage to the Advanced Metering Infrastructure (AMI) and ultimately to the underlying power grid. Application layer protocols used in the AMI are capable of carrying large payloads which could be potentially used to hide malware. Fortunately, application layer traffic in the AMI is not expected to contain executable content and hence the problem of malware detection in data payloads simply changes to the problem of executable content detection. In this paper, we propose a policy engine implementation which sits between the network and application layers and performs comprehensive syntactic and semantic rule checks on each received packet and for the presence of encryption, ARM or x86 executable content. The policy engine is integrated with the C12.22 protocol library and is primarily targeted for deployment in head end systems.
Keywords
"Malware","Data transfer","Protocols","Smart grids","Payloads","Engines","Software"
Publisher
ieee
Conference_Titel
Smart Grid Communications (SmartGridComm), 2015 IEEE International Conference on
Type
conf
DOI
10.1109/SmartGridComm.2015.7436369
Filename
7436369