Lightweight Node-level Malware Detection and Network-level Malware Confinement in IoT Networks

Title: Lightweight Node-level Malware Detection and Network-level Malware Confinement in IoT Networks
Publication Type: Conference Paper
Year of Publication: 2019
Authors: Pudukotai Dinakarrao, Sai Manoj; Sayadi, Hossein; Makrani, Hosein Mohammadi; Nowzari, Cameron; Rafatirad, Setareh; Homayoun, Houman
Conference Name: 2019 Design, Automation & Test in Europe Conference & Exhibition (DATE)
Keywords: average network throughput, composability, computer network security, confinement, Correlation, Cyber-physical systems, Detectors, feature extraction, Internet of Things, invasive software, IoT networks, lightweight node-level malware detection, Malware, Malware confinement, malware detection, Malware propagation, Malware propogation, network functionality, Network security, network-level malware confinement, performance evaluation, predictive control, privacy, pubcrawl, real-time malware control strategies, Resiliency, Runtime, runtime malware detection, security
Abstract: The sheer size of IoT networks being deployed today presents an "attack surface" and poses significant security risks at a scale never before encountered. In other words, a single device/node in a network that becomes infected with malware has the potential to spread malware across the network, eventually ceasing the network functionality. Simply detecting and quarantining the malware in IoT networks does not guarantee to prevent malware propagation. On the other hand, use of traditional control theory for malware confinement is not effective, as most of the existing works do not consider real-time malware control strategies that can be implemented using uncertain infection information of the nodes in the network or have the containment problem decoupled from network performance. In this work, we propose a two-pronged approach, where a runtime malware detector (HaRM) that employs Hardware Performance Counter (HPC) values to detect the malware and benign applications is devised. This information is fed during runtime to a stochastic model predictive controller to confine the malware propagation without hampering the network performance. With the proposed solution, a runtime malware detection accuracy of 92.21% with a runtime of 10ns is achieved, which is an order of magnitude faster than existing malware detection solutions. Synthesizing this output with the model predictive containment strategy leads to achieving an average network throughput of nearly 200% of that of IoT networks without any embedded defense.
DOI: 10.23919/DATE.2019.8715057
Citation Key: pudukotai_dinakarrao_lightweight_2019