SWMAT: Mel-frequency cepstral coefficients-based memory fingerprinting for IoT devices

Abstract

The increasing sophistication in computing capability and sensing technologies have continued to drive the design, development, and growth of the smart technologies commonly known as the IoTs. Nonetheless, the rise and spread of malware in this ecosystem is a pressing societal concern that requires immediate attention. In this paper, we propose a novel technique called Sound Wave Memory Analysis Technique (SWMAT), for fingerprinting IoT devices by converting their dynamic memory traces into sound wave signals using a lossless transformation function from which a unique set of determinable features called Mel Frequency Cepstral Coefficients (MFCCs) are extracted. The overarching objective of this research is to explore offline the effectiveness of using features from memory-encoded sound wave signals for fingerprinting and detecting abnormal changes in IoT devices, which potentially can provide an excellent technique for an on-device Host-Based Intrusion Detection System. Our SWMAT scores the similarity between two sequences of MFCCs using a Dynamic Time Warping distance measure. To evaluate our approach, we developed multiple IoT testbeds and generated 125 MFCC sequences from 20 benign and 5 infected IoT applications. Our results showed that the MFCC features, when leveraged as fingerprints for both Intra and Inter-app similarity, can uniquely distinguish an IoT process and can detect when an IoT process has been hijacked and/or is modified by another malicious code. Furthermore, this empirical result shows our technique’s similarity detection accuracy to be ≈95%.