Internet Of Things Malware Research Articles

IHBOT: An Intelligent and Hybrid Model for Investigation and Classification of IoT Botnet

The Internet of Things (IoT) is revolutionizing the technological market with exponential growth year wise. This revolution of IoT applications has also brought hackers and malware to gain remote access to IoT devices. The security of IoT systems has become more critical for consumers and businesses because of their inherent heterogenous design and open interfaces. Since the release of Mirai in 2016, IoT malware has gained an exponential growth rate. As IoT system and their infrastructure have become critical resources that triggers IoT malware injected by various shareholders in different settings. The enormous applications cause flooding of insecure packets and commands that fueled threats for IoT applications. IoT botnet is one of the most critical malwares that keeps evolving with the network traffic and may harm the privacy of IoT devices. In this work, we presented several sets of malware analysis mechanisms to understand the behavior of IoT malware. We devise an intelligent and hybrid model (IHBOT) that integrates the malware analysis and distinct machine learning algorithms for the identification and classification of the different IoT malware family based on network traffic. The clustering mechanism is also integrated with the proposed model for the identification of malware families based on similarity index. We have also applied YARA rules for the mitigation of IoT botnet traffic.

Optimizing Cyber Threat Detection in IoT: A Study of Artificial Bee Colony (ABC)-Based Hyperparameter Tuning for Machine Learning

In the rapidly evolving landscape of the Internet of Things (IoT), cybersecurity remains a critical challenge due to the diverse and complex nature of network traffic and the increasing sophistication of cyber threats. This study investigates the application of the Artificial Bee Colony (ABC) algorithm for hyperparameter optimization (HPO) in machine learning classifiers, specifically focusing on Decision Trees, Support Vector Machines (SVM), and K-Nearest Neighbors (KNN) for IoT network traffic analysis and malware detection. Initially, the basic machine learning models demonstrated accuracies ranging from 69.68% to 99.07%, reflecting their limitations in fully adapting to the varied IoT environments. Through the employment of the ABC algorithm for HPO, significant improvements were achieved, with optimized classifiers reaching up to 100% accuracy, precision, recall, and F1-scores in both training and testing stages. These results highlight the profound impact of HPO in refining model decision boundaries, reducing overfitting, and enhancing generalization capabilities, thereby contributing to the development of more robust and adaptive security frameworks for IoT environments. This study further demonstrates the ABC algorithm’s generalizability across different IoT networks and threats, positioning it as a valuable tool for advancing cybersecurity in increasingly complex IoT ecosystems.

Improving Robustness in IoT Malware Detection through Execution Order Analysis

The rapid expansion of the Internet of Things (IoT) has significantly increased the prevalence of malware targeting IoT devices. Although machine learning models offer promising solutions for automatic malware detection, they are increasingly vulnerable to adversarial attacks. These attacks exploit the model’s feedback loop to iteratively refine malware, producing adversarial samples that evade detection. As such, enhancing the robustness of these models is of paramount importance. Our research introduces a novel approach to bolster malware detection by retaining additional semantic information within the execution order analysis of malware programs. The method significantly improves the resilience of detection models against adversarial samples and implements two adversarial attack methods to rigorously test our model’s robustness by generating authentic adversarial examples for validation. We highlight the critical impact of preserving semantic integrity in malware detection and present a solution to counteract the growing threat of adversarial attacks in IoT environments.

A Generalized Lightweight Intrusion Detection Model With Unified Feature Selection for Internet of Things Networks

ABSTRACTThe applicability of the Internet of Things (IoT) cutting across different domains has resulted in newer “things” acquiring IP connectivity. These things, technically known as IoT devices, are vulnerable to diverse security threats. Consequently, there has been an exponential increase in IoT malware over the past 5 years, and securing IoT devices from such attacks is a pressing concern in the current era. However, the traditional peripheral security measures do not comply with the lightweight security requirements of the IoT ecosystem. Considering this, we propose a lightweight intrusion detection model for IoT networks (LIDM‐IoT) that demonstrates similar efficiency in exposing malicious activities compared with the existing computationally expensive methods. The crux of the proposed model is that it provides efficient attack detection with lower computational requirements in IoT networks. LIDM‐IoT achieves the feat through a novel unified feature selection strategy that unifies filter‐based and embedded feature selection methods. The proposed feature selection strategy reduces the feature space by 94%. Also, we use only the records of a single attack type to build the model using the XGBoost algorithm. We have tested LIDM‐IoT with unseen attack types to ensure its generalized behavior. The results indicate that the proposed model exhibits efficient attack detection, with a reduced feature set, in IoT networks compared with the state‐of‐the‐art models.

A Novel Static Analysis Approach Using System Calls for Linux IoT Malware Detection

The proliferation of Internet of Things (IoT) devices on Linux platforms has heightened concerns regarding vulnerability to malware attacks. This paper introduces a novel approach to investigating the behavior of Linux IoT malware by examining syscalls and library syscall wrappers extracted through static analysis of binaries, as opposed to the conventional method of using dynamic analysis for syscall extraction. We rank and categorize Linux system calls based on their security significance, focusing on understanding malware intent without execution. Feature analysis of the assigned syscall categories and risk ranking is conducted with statistical tests to validate their effectiveness and reliability in differentiating between malware and benign binaries. Our findings demonstrate that potential threats can be reliably identified with an F1 score of 96.86%, solely by analyzing syscalls and library syscall wrappers. This method can augment traditional static analysis, providing an effective preemptive measure to enhance Linux malware analysis. This research highlights the importance of static analysis in strengthening IoT systems against emerging malware threats.

Malware Detection for Internet of Things Using One-Class Classification.

The increasing usage of interconnected devices within the Internet of Things (IoT) and Industrial IoT (IIoT) has significantly enhanced efficiency and utility in both personal and industrial settings but also heightened cybersecurity vulnerabilities, particularly through IoT malware. This paper explores the use of one-class classification, a method of unsupervised learning, which is especially suitable for unlabeled data, dynamic environments, and malware detection, which is a form of anomaly detection. We introduce the TF-IDF method for transforming nominal features into numerical formats that avoid information loss and manage dimensionality effectively, which is crucial for enhancing pattern recognition when combined with n-grams. Furthermore, we compare the performance of multi-class vs. one-class classification models, including Isolation Forest and deep autoencoder, that are trained with both benign and malicious NetFlow samples vs. trained exclusively on benign NetFlow samples. We achieve 100% recall with precision rates above 80% and 90% across various test datasets using one-class classification. These models show the adaptability of unsupervised learning, especially one-class classification, to the evolving malware threats in the IoT domain, offering insights into enhancing IoT security frameworks and suggesting directions for future research in this critical area.

Classification of malware for security improvement in IoT using heuristic aided adaptive multi-scale and dilated ResneXt with gated recurrent unit

The rise of malware in the Internet of Things (IoT) realm exploits sensitive IoT devices that lead to extensive malicious attacks that pose a significant danger to the integrity of the Internet ecosystem. Addressing this threat effectively requires a robust system for classifying and attributing IoT malware, serving as vital initial steps toward implementing countermeasures for attack prevention and mitigation. So, in this work, a new malware classification technique using deep learning is developed for solving different kinds of malware in IoT. The required images for the malware classification process are gathered from online databases and given to the developed Adaptive Multi-scale and Dilated ResneXt with Gated Recurrent Unit (AMDR-GRU)-based malware classification process. Here, the last layer of the ResneXt is modified with GRU, and several parameters are optimized in the suggested AMDR-GRU model with the support of the designed Intensified Random Parameter-based Chameleon Swarm Algorithm (IRPCSA) to enhance the classification performance. Finally, the developed AMDR-GRU model offered the classified outcome and the obtained classification results are compared with different existing malware classification models to prove the effectiveness of the developed model over others. The developed model offered 99.59 % of precision. The result proved that the developed model is used to classify different malware without reverse engineering, binary code analysis, and feature engineering. Moreover, by effectively classifying malware, this technique can contribute to enhancing the security of IoT devices, protecting them from potential threats and vulnerabilities. This has significant implications for ensuring the privacy, integrity, and overall safety of IoT systems.

An efficient cloud-integrated distributed deep neural network framework for IoT malware classification

The proliferation of interconnected devices in the Internet of Things (IoT) landscape has introduced significant security concerns. With the integration of android devices, the potential for attackers to exploit vulnerabilities becomes a crucial issue. Timely detection of malware attacks has emerged as a critical challenge, especially in industrial IoT (IIoT), to prevent permanent damage. The slow inference speed of the current algorithms causes limited performance and a significant delay in the detection and mitigation of malware, especially in large-scale environments such as IIoT. High resource utilization can limit the size of the model (number of parameters), which could be implemented in embedded devices, which causes lower accuracy of the model. Hence, we proposed a HierarchicalCloudDNN, a distributed malware detection framework that used modified state-of-the-art deep learning algorithms in a boosting ensemble architecture. The proposed method could scale efficiently from IIoT devices up to the edge and cloud to speed up malware detection, simultaneously reduce resource utilization, and maintain a controllable level of accuracy compared to rival methods in malware detection. The objective is to minimize both run-time and resource consumption while maintaining performance characteristics. The performance analysis of the HierarchicalCloudDNN method was evaluated using standard performance measures on the frequently used BIG 2015 dataset. Based on evaluations, the proposed approach has demonstrated an impressive accuracy rate of 98.90%, outperforming many state-of-the-art models in performance, response time, and resource utilization. These findings suggest a notable decrease in both false positives and false negatives while maintaining accuracy. The proposed distributed malware analysis framework is scalable, robust, and helpful for the timely detection of malicious activity, especially in geographically distributed environments such as the IIoT.

Enhanced slime mould optimization with convolutional BLSTM autoencoder based malware classification in intelligent systems

AbstractAutonomous intelligent systems are artificial intelligence (AI) tools that act autonomously without direct human supervision. Cloud computing (CC) and Internet of Things (IoT) technologies find it challenging to deploy sufficient security defences because of the different structures, storage, and limited computing capabilities that make them more vulnerable to attacks. Security threats against IoT structures, devices, and applications are increasing with the demand for IoT technology. The training data available to AI models may be limited, which could impact their performance and generalizability. Adopting AI solutions in real‐world situations may be impeded by compatibility concerns and the requirement for flawless integration. Malware classification errors can occur due to a lack of contextual knowledge, particularly in cases where benign files behave identically to malicious. Various studies were carried out on detecting IoT malware to evade the menaces posed by malicious code. However, prevailing techniques of IoT malware classification supported particular platforms or demanded complicated methods for attaining higher accuracy. This study introduces an enhanced slime mould optimization with a convolutional BLSTM autoencoder‐based malware classification (ESMO‐CBLSTMAE) system in the IoT cloud platform. The projected ESMO‐CBLSTMAE system focuses on detecting and classifying malware in the IoT cloud platform. To achieve that, the ESMO‐CBLSTMAE algorithm employs a min–max normalization technique for scaling the input dataset. The ESMO‐CBLSTMAE method uses a convolutional bidirectional long short‐term memory autoencoder (CBLSTM‐AE) model for the malware detection process. Lastly, the ESMO method is executed for the optimum hyperparameter tuning of the CBLSTM‐AE technique, which boosts the malware classification results. The experimental analysis of the ESMO‐CBLSTMAE method is tested against a benchmark database, and the outcomes portray the greater efficacy of the ESMO‐CBLSTMAE approach over other existing techniques. The proposed malware classification model achieved an accuracy of 98.57 and F Score of 80.77 and outperformed the existing models.

A Trusted Edge Computing System Based on Intelligent Risk Detection for Smart IoT

The Internet of Things (IoT) mainly consists of a large number of Internet-connected devices. The proliferation of untrusted third-party IoT applications has led to an increase in IoT-based malware attacks. In addition, it is infeasible for the IoT devices to support the sophisticated detection systems due to the restricted resources. Edge computing is considered to be promising. It provides solutions to the data security and privacy leakage brought by untrusted third-party IoT applications. In this article, an intelligent trusted and secure edge computing (ITEC) system is proposed for IoT malware detection. In this system, a signature-based preidentification mechanism is built for matching and identifying the malicious behaviors of untrusted third-party IoT applications. A delay strategy is then embedded into the risk detection engine in order to “buy time” for threat analysis and rate-limit the impact of suspicious third-party IoT applications in the system. We conduct extensive experiments to verify the effectiveness of the ITEC system and show that we can achieve accuracies of up to 98.52%.

Performance Evaluation of Deep Learning Techniques in The Detection of IOT Malware

Internet of Things (IoT) equipment is rapidly being used in a variety of businesses and for a variety of reasons (for example, sensing and collecting data from the environment in both public and military settings). Because of their expanding involvement in a wide range of applications and their rising computational and processing capabilities, they are a viable attack target for malware tailored to infect specific IoT devices. This study investigates the potential of detecting IoT malware using different deep learning techniques: the classic feedforward neural network (FNN), convolutional neural networks (CNN), long short-term memory (LSTM), and recurrent neural networks (RNN). The proposed method analyses the execution operation codes of IOT app sequences using modern NLP (natural language processing) methods. The current work utilized an IoT application dataset with 500 malware (collected from the IOTPOT dataset) and 500 goodware samples to train the proposed algorithms. The trained model is tested against 2971 fresh IoT malware and goodware samples. The samples were input into deep learning models, and performance metrics were obtained. The results demonstrate that the RNN model had the best accuracy (99.19%) in detecting fresh malware samples. On the other hand, the results were compared by the time required for training; the CNN model shows that it could achieve high accuracy (98.05%) with less training time. A comparison with various deep learning classifiers demonstrates that the RNN and CNN techniques produce the best results.

Enhancing Smart IoT Malware Detection: A GhostNet-based Hybrid Approach

The Internet of Things (IoT) constitutes the foundation of a deeply interconnected society in which objects communicate through the Internet. This innovation, coupled with 5G and artificial intelligence (AI), finds application in diverse sectors like smart cities and advanced manufacturing. With increasing IoT adoption comes heightened vulnerabilities, prompting research into identifying IoT malware. While existing models excel at spotting known malicious code, detecting new and modified malware presents challenges. This paper presents a novel six-step framework. It begins with eight malware attack datasets as input, followed by insights from Exploratory Data Analysis (EDA). Feature engineering includes scaling, One-Hot Encoding, target variable analysis, feature importance using MDI and XGBoost, and clustering with K-Means and PCA. Our GhostNet ensemble, combined with the Gated Recurrent Unit Ensembler (GNGRUE), is trained on these datasets and fine-tuned using the Jaya Algorithm (JA) to identify and categorize malware. The tuned GNGRUE-JA is tested on malware datasets. A comprehensive comparison with existing models encompasses performance, evaluation criteria, time complexity, and statistical analysis. Our proposed model demonstrates superior performance through extensive simulations, outperforming existing methods by around 15% across metrics like AUC, accuracy, recall, and hamming loss, with a 10% reduction in time complexity. These results emphasize the significance of our study’s outcomes, particularly in achieving cost-effective solutions for detecting eight malware strains.

IoT malware detection using a novel 3-Sigma Auto-Funnel Transformer approach

The proliferation of Internet of Things (IoT) devices has ushered in a new era of connected technologies, but it has also brought significant security challenges, particularly in the area of malware detection. This research paper presents a novel approach, the “3 Sigma Auto Funnel Transformer,” that designed to address the specific complexities of malware detection in IoT devices. By leveraging advanced deep learning techniques and a multi-layered architecture, the proposed framework provides an innovative solution to detect and mitigate malware threats in IoT ecosystems. By combining the precision of the ”3 Sigma” approach with the efficiency of an ”Auto Funnel Transformer,” this architecture achieves superior detection accuracy and performance. Through comprehensive evaluations, this paper demonstrates the effectiveness of the proposed system in bolstering the security of IoT devices, thereby contributing to the ongoing efforts to protect these essential components of our interconnected world.

Federated malware detection based on many‐objective optimization in cross‐architectural IoT

SummaryWith the rising adoption of the Internet of Things (IoT) across a variety of industries, malware is increasingly targeting the large number of IoT devices that lack adequate protection. Malware hunting is challenging in the IoT due to the variety of instruction set architectures of devices, as shown by the differences in the relevant characteristics of malware on different platforms. There are also serious concerns about resource utilization and privacy leaks in the development of conventional detection models. This study suggests a novel federated malware detection framework based on many‐objective optimization (FMDMO) for the IoT to overcome the problems. First, the framework provides a cross‐platform compatible basis with the federated mechanism as the backbone, while avoiding raw data sharing to improve privacy protection. Second, an intelligent optimization‐based client selection method is designed for four objectives: learning performance, architectural selection deviation, time consumption, and training stability, which leads malware detection to retain a high degree of cross‐architectural generalization while enhancing training efficiency. Based on a large IoT malware dataset we constructed, containing 62,515 malware samples across seven typical architectures, the FMDMO is evaluated comprehensively in three scenarios. The experimental results demonstrate the FMDMO substantially enhances the model's cross‐platform detection performance while preserving effective training and flexibility.

IoTSecSim: A framework for modelling and simulation of security in Internet of things

The proliferation of the Internet of Things (IoT) devices has provided attackers with tremendous opportunities to launch various cyber-attacks. It has been challenging to analyse the impact of cyber-attacks and evaluate the effectiveness of defences in real IoT environments due to the scale and heterogeneity of IoT networks. In this work, we propose a novel simulation framework and a software tool, IoT Security Simulator (IoTSecSim). IoTSecSim is operated based on a framework we propose for modelling and simulating cyber-attacks and various defences in IoT networks. IoTSecSim is not only able to support the creation of an IoT network with flexible settings of IoT devices and topology information but also models the attack behaviours, node-level, and network-level defences. Moreover, a systematic security evaluation can be performed by comparing the results based on the calculation of security metrics. We perform simulations with case studies on Mirai malware and its variants to model cyber-attack behaviours on IoT networks and evaluate the impact of these attacks and the effectiveness of defence techniques via IoTSecSim. Then, we carry out a sensitivity analysis to justify that the simulation results produced by IoTSecSim are accurate and feasible when compared with related works. We also perform a comparative performance analysis with four combinations of cyber-attack behaviours and show that these behaviours can influence IoT malware propagation in different situations. We consider multiple attacker models and deploy conventional defence techniques (including firewall, intrusion detection, and vulnerability patching) to investigate the effectiveness of defence techniques. IoTSecSim provides a generalised and extensible simulation framework that enables users to model emerging cyber-attacks against IoT networks and evaluate the effectiveness of defences against these attacks. This helps users focus on the design and performance evaluation of new defences before the actual implementation and deployment of the defences are required.

AdaTrans: An adaptive transformer for IoT Malware detection based on sensitive API call graph and inter-component communication analysis

With the development of the Internet of Things (IoT), mobile devices are playing an increasingly important role in our daily lives. There are various malware threats present in these mobile devices, which can steal users’ personal information. Some malware exploits Inter-Component Communication (ICC) to execute malicious activities for unauthorized data access and system control, enabling communication between different components within an app and between different apps. In this paper, we propose an Adaptive Transformer-based malware framework (named AdaTrans) that combines sensitive Application Programming Interface (API)- and ICC-related features. The framework first extracts sensitive function call subgraphs (SFCS) to reflect the caller-callee relationships, and then utilizes ICC interactions to reveal hidden communication patterns in malicious activities. Moreover, we propose a novel adaptive Transformer model to detect malicious behaviors. We evaluate our framework on real-world datasets and demonstrate that AdaTrans consistently outperforms other existing state-of-the-art systems.

A new deep boosted CNN and ensemble learning based IoT malware detection

Security issues are threatened in various types of networks, especially in the Internet of Things (IoT) environment that requires early detection. IoT is the network of real-time devices like home automation systems and can be controlled by open-source android devices, which can be an open ground for attackers. Attackers can access the network credentials, initiate a different kind of security breach, and compromises network control. Therefore, timely detecting the increasing number of sophisticated malware attacks is the challenge to ensure the credibility of network protection. In this regard, we have developed a new malware detection framework, Deep Squeezed-Boosted and Ensemble Learning (DSBEL), comprised of novel Squeezed-Boosted Boundary-Region Split-Transform-Merge (SB-BR-STM) CNN and ensemble learning. The proposed STM block employs multi-path dilated convolutional, Boundary, and regional operations to capture the homogenous and heterogeneous global malicious patterns. Moreover, diverse feature maps are achieved using transfer learning and multi-path-based squeezing and boosting at initial and final levels to learn minute pattern variations. Finally, the boosted discriminative features are extracted from the developed deep SB-BR-STM CNN and provided to the ensemble classifiers (SVM, MLP, and AdabooSTM1) to improve the hybrid learning generalization. The performance analysis of the proposed DSBEL framework and SB-BR-STM CNN against the existing techniques have been evaluated by the IOT_Malware dataset on standard performance measures. Evaluation results show progressive performance as 98.50% accuracy, 97.12% F1-Score, 91.91% MCC, 95.97 % Recall, and 98.42 % Precision. The proposed malware analysis framework is robust and helpful for the timely detection of malicious activity and suggests future strategies.

Effective Multitask Deep Learning for IoT Malware Detection and Identification Using Behavioral Traffic Analysis

Despite the benefits of the Internet of Things (IoT), the growing influx of IoT-specific malware coordinating large-scale cyberattacks via infected IoT devices has created a substantial threat to the internet ecosystem. Assessing IoT systems’ security and developing mitigation measures to prevent the spread of IoT malware is therefore critical. Furthermore, for training and testing the fidelity of cyber security-based Machine Learning (ML) and Deep Learning (DL) approaches, the collection and exploration of information from multiple sources from the IoT are crucial. In this regard, we propose a multitask DL model for detecting IoT malware. Our proposed Long Short-Term Memory (LSTM) based model efficiently performs two tasks: 1) determination of whether the provided traffic is benign or malicious, and 2) determination of the malware type for identifying malicious network traffic. We used large-scale traffic data of 145.pcap files of benign and malicious traffic collected from 18 different IoT devices. We performed a time-series analysis on the packets of traffic flows, which were then used to train the proposed model. The features extracted from the dataset were categorized into three modalities: flow-related, traffic flag-related, and packet payload-related features. A feature selection approach was employed at the feature and modality levels, and the best modalities and features were utilized for performance enhancement. For tasks 1 and 2 and multitask classification, the flow-related and flag-related modalities showed the best testing accuracies of 92.63%, 88.45%, and 95.83%, respectively.

Artificial intelligence-driven malware detection framework for internet of things environment.

The Internet of Things (IoT) environment demands a malware detection (MD) framework for protecting sensitive data from unauthorized access. The study intends to develop an image-based MD framework. The authors apply image conversion and enhancement techniques to convert malware binaries into RGB images. You only look once (Yolo V7) is employed for extracting the key features from the malware images. Harris Hawks optimization is used to optimize the DenseNet161 model to classify images into malware and benign. IoT malware and Virusshare datasets are utilized to evaluate the proposed framework's performance. The outcome reveals that the proposed framework outperforms the current MD framework. The framework generates the outcome at an accuracy and F1-score of 98.65 and 98.5 and 97.3 and 96.63 for IoT malware and Virusshare datasets, respectively. In addition, it achieves an area under the receiver operating characteristics and the precision-recall curve of 0.98 and 0.85 and 0.97 and 0.84 for IoT malware and Virusshare datasets, accordingly. The study's outcome reveals that the proposed framework can be deployed in the IoT environment to protect the resources.

IoT malware: An attribute-based taxonomy, detection mechanisms and challenges.

During the past decade, the Internet of Things (IoT) has paved the way for the ongoing digitization of society in unique ways. Its penetration into enterprise and day-to-day lives improved the supply chain in numerous ways. Unfortunately, the profuse diversity of IoT devices has become an attractive target for malware authors who take advantage of its vulnerabilities. Accordingly, enhancing the security of IoT devices has become the primary objective of industrialists and researchers. However, most present studies lack a deep understanding of IoT malware and its various aspects. As understanding IoT malware is the preliminary base of research, in this work, we present an IoT malware taxonomy with 100 attributes based on the IoT malware categories, attack types, attack surfaces, malware distribution architecture, victim devices, victim device architecture, IoT malware characteristics, access mechanisms, programming languages, and protocols. In addition, we have mapped these categories into 77 IoT Malwares identified between 2008 and 2022. Furthermore, To provide insight into the challenges in IoT malware research for future researchers, our study also reviews the existing IoT malware detection works.