Alrubayyi, H. (2021, November 05). Security Challenges and Malware Attacks in the IoT. In Encyclopedia. Available online (accessed on 25 June 2024).
Security Challenges and Malware Attacks in the IoT

Malware is a major security threat to the IoT, and detecting unknown malware is one of the key challenges for two reasons. First, the limitations of IoT devices, such as their low power retention capability and low computational processing capability, represent a significant challenge when aiming to apply security solutions. Second, introducing new ways to connect networks, such as cloud services, opens the door to many security attacks, such as malware attacks. Furthermore, connecting new devices that were not part of traditional networks via these new connection methods, such as smart sensors, makes applying security measures more complex. For these reasons, traditional malware detection mechanisms are not suitable for the IoT environment.

Internet of Things (IoT)

1. IoT Characteristics and Challenges on Security

The IoT is a system of interconnected machines with unique identifier numbers. The devices can communicate and share data within a network without human interaction. The IoT system consists of devices (often referred to as IoT devices) with unique identifiers that integrate seamlessly into the information network by using intelligent interfaces [1]. IoT systems often include connected, lightweight IoT devices and are employed in various applications, such as healthcare, environmental, smart city, commercial, and industrial applications [2]. IoT devices employed in healthcare are referred to as Internet of Medical Things (IoMT) devices. These include wearable monitoring medical devices, implantable medical treatment devices, and in-hospital connected medical devices, and they play a critical role in remote health monitoring and intervention [3]. As such, securing IoMT devices and systems is crucial and demands rigorous malware detection mechanisms. In environmental and agricultural applications, IoT devices such as temperature and humidity sensors are often battery operated and deployed in remote locations [4], thus requiring a malware detection mechanism that is computationally and energy efficient to extend the battery life. Smart cities leverage IoT systems using various types of devices, such as security cameras that capture sensitive data [5], and thus require strict security measures to prevent unlawful access. Industrial IoT (IIoT) applications refer to IoT systems in manufacturing and supply chains where humans work in the vicinity of machines operated by IoT devices [6]. In these cases, securing the IoT system against malware is pivotal for workers’ safety and key to sustaining efficient IIoT operation. These IoT devices may be physical entities but also virtual things that interact, thus forming the IoT system with the essential features presented below (see Figure 1).
Figure 1. IoT characteristics.
  • Interconnectivity refers to the connection of the device to the cloud and/or other devices. Connectivity is needed to enable the control of the device remotely, but mostly to access the data collected by the IoT device’s sensors. For example, an IoMT device for heart disease prediction is remotely controlled to monitor the patient’s heart rate [7]. The health parameters are collected in real-time and transmitted to a data center in the cloud. Therefore, securing this connection is vital to protect critical information.
  • The IoT devices are heterogeneous as they may be built on different platforms and have different specifications. The hardware, such as a simple sensor to monitor the heart rate in [7], and virtual things, such as a data center built on the cloud, could be supplied by different vendors. These integrated IoT devices could use different security measures, leading to a lack of standardization in the network. Each connected device could use different security protocols, with their security bugs and limitations, exposing the system to different kinds of hacking.
  • In the IoT environment, physical and virtual devices are capable of exchanging services within the constraints of the devices. Since the communication between different IoT devices is not controlled by a central processor/human, this could form a serious threat. If a malicious device is disguised as an accepted IoT device, it could start to disturb other devices by installing malicious files.
  • The number of IoT devices is increasing exponentially and is generating an unprecedented amount of data. The expected number of IoT devices by 2025 is between 25 billion and 50 billion [8]. The scale is simply enormous, and data privacy and integrity are critical challenges in massive-scale networks. For instance, IoMT-based COVID-19 applications are creating massive amounts of real-time data that are stored in the cloud. However, as the amount of generated data continues to increase, the network pressure increases, which might lead to occurrences of erroneous interpretations [9].
The IoT involves smart devices and sensors, some of which use non-rechargeable batteries. This makes battery life one of the predominant challenges in IoT security: running security rules drains the battery. Applying only minimal security measures is not recommended and is risky when devices have access to (or collect) sensitive data, yet increasing battery size and capacity is not always possible, because these devices are designed to be lightweight and low-cost. In addition to device limitations and object identification, device authentication and authorization are examples of IoT network-layer security challenges. Issuing certificates to each object in the IoT is extremely challenging due to the number of connected objects and the lack of a global root certificate authority. The Domain Name System (DNS), which is used to identify objects and their attributes, is another IoT network-layer security challenge. Data integrity is problematic here because of man-in-the-middle attacks and DNS cache poisoning, in which false records are planted to redirect Internet traffic to malicious websites.
The threat of malware attacks arises in the IoT because of these security challenges. Antivirus software is the main line of defense for detecting known malware in real time. However, traditional security solutions have not been efficient and do not provide decentralized and strong security in the IoT [10]. Because of the limited computing power of IoT devices, porting such solutions from traditional platforms to the IoT might not be affordable [11]. Battery size and expected durability further limit the implementation of security measures, as a device has to be energy efficient as well as secure. Moreover, in IoT systems, network resources are integrated into devices that were never previously anticipated to be part of computer networks [12]. Integrating IoT devices into traditional networks introduces a new security paradigm: the integrated systems inherit the traditional network security issues in addition to those targeting IoT devices [10]. Consequently, traditional security measures alone are not enough to give IoT systems malware detection capabilities.

2. Malware Analysis and Detection

Malware is defined as malicious software that is executed within the system without the user’s permission. Black hats, hackers, and crackers are all names for malware writers and developers. Writers have different intentions when creating this malicious executable software; e.g., internal threats, governance purposes, and spying on competitors. “Traditional” malware was often written using simple techniques and was designed with predictable intentions [13]. “Next-generation” malware, on the other hand, is designed with multiple malicious intents and leverages advances in technology for a more sophisticated design. The marriage of fast-spreading IoT systems and the inherent vulnerability and increased sophistication of malware attacks renders malware analysis and detection more critical but also more challenging.

2.1. Malware Analysis

Malware analysis techniques are essential to developing effective malware detection methods. These techniques involve the analysis of the process and functionality of the malware to build a suitable defense method. Three main malware analysis techniques achieve the same goal of determining how the malware works and how the attack will affect the network (see Figure 2).
Figure 2. Malware analysis and detection.
  • Static analysis, also called code analysis: In this technique, the suspect file is inspected and analyzed without executing it. Low-level information is extracted, such as the control flow graph (CFG), the data flow graph, and the system calls used. Static analysis is fast and safe to use, and it has a low level of false positives, which the authors equate with a higher detection rate. Moreover, static analysis tracks all possible execution paths, which gives it a global view; however, it fails to detect unknown malware that uses code obfuscation.
  • Dynamic analysis, also called behavioral analysis: In dynamic analysis, the suspect file is inspected during execution, which is usually conducted in a virtual machine hidden from the sample so that the malware does not recognize the sandbox and change its behavior. Dynamic analysis is time-consuming and exposes the analysis environment to the sample, and it can only observe the few execution paths that are actually triggered during the run. Furthermore, it is neither safe nor fast, and it suffers from a high level of false positives. However, dynamic analysis is known for its good performance in detecting new and unknown malware.
  • Hybrid analysis: This technique was designed to overcome the challenges and limitations of the previous two techniques. It first analyzes the signature descriptions of the malware code and then combines that with dynamic parameters observed at run time to improve the analysis.
The connection in IoT networks is currently enabled via cloud services. Static, dynamic, and hybrid malware analyses are mostly applied in the cloud to protect IoT devices.

2.2. Malware Detection Techniques

Based on the analysis results described in the previous section, we present detection techniques that are designed to detect malware attacks effectively. Three main methods are used in malware detection: the signature-based detection technique, behavior-based detection technique, and specification-based detection technique (see Figure 3).
  • In the signature-based technique, files are analyzed and compared to an existing list of known signatures, and if they match an entry in the list, they are classified as malware. This method is not effective for recognizing all malware that enters the network, because some malware is encrypted, so extracting the signature takes time and a large amount of processing energy. Furthermore, it is not effective for new or unknown malware.
  • The behavior-based method monitors the program’s behavior rather than reading its signature. This technique follows three steps: the first step collects information about the program, the second step interprets the data by converting it to an intermediate representation, and the last step matches the intermediate representation against known behavior signatures. There are two approaches to this technique. The first is to model the behavior of legitimate programs and compare any new program to that model. This approach detects most malware, even new kinds. However, it is expensive to implement because each program in the network behaves differently; for example, a video player uses different services than a mail or web client. The second approach is to model the behavior of known malware and compare new programs to it, which means new (unknown) malware cannot be identified.
  • The specification-based method was introduced to overcome the disadvantages and limitations of the first two techniques. This technique uses different features for malware detection, including the following:
    API calls: Hofmeyr et al. were among the first to propose using application programming interface and system call sequences for malware detection [14].
    OpCode: Executable files consist of sequences of assembly instructions, and in this method, researchers use the operation codes of these instructions to detect malware [15].
    N-grams: This method uses the binary code of executable programs for malware detection [16].
    CFG: This is a graph that illustrates the control flow of a program, and it has been used to analyze malware behavior [17].
    Hybrid features: In this machine learning method, researchers combine different techniques for malware detection to get better results. For example, Eskandari et al. in [18] used the CFG and API calls for metamorphic malware detection.
    Game-theoretic anomaly detection algorithms: Zhu and Başar presented different solutions to malware detection using behavioral analysis, such as data exfiltration detection and prevention, and a consensus algorithm with censored data for distributed detection [19].
    Prospect-theoretic approaches: These approaches are based on measuring the trustworthiness of the aggregated data in the system. In [20], the authors present a hardware trojan detection game based on prospect theory. Furthermore, in [21], the authors introduce a prospect theory-based framework to ensure risk awareness and protect network operations.
The main limitation of the specification-based method is the difficulty of accurately specifying the whole set of legitimate behaviors that a system should exhibit [22].
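The two behavior-based approaches above (a model of legitimate behavior versus a model of known malware) and the system-call sequence feature of Hofmeyr et al. can be shown together on a toy trace set. This is an added example written for this entry, not code from the article or from the cited papers; the system-call traces, the n-gram length and the mismatch threshold are constructed assumptions.

```python
from typing import List, Sequence, Set, Tuple

Gram = Tuple[str, ...]

# Constructed system-call traces (not from the article) standing in for what a
# tracer would record for a small IoT service that reads a sensor file and
# reports the value over a socket.
NORMAL_TRACES: List[List[str]] = [
    ["open", "read", "read", "close", "socket", "connect", "write", "close"],
    ["open", "read", "close", "socket", "connect", "write", "read", "close"],
    ["socket", "connect", "write", "read", "close", "open", "read", "close"],
]

# Constructed trace of a process that behaves normally at first, then marks a
# downloaded file executable and launches it.
SUSPECT_TRACE = ["open", "read", "close", "socket", "connect", "write",
                 "read", "close", "chmod", "fork", "execve"]

# Constructed "known malware" behavior signature for the second approach.
KNOWN_MALWARE_TRACES: List[List[str]] = [["chmod", "fork", "execve"]]

N = 3  # n-gram window length (assumed; short windows as in Hofmeyr et al.)


def ngrams(trace: Sequence[str], n: int = N) -> List[Gram]:
    """Slide a window of length n over the call sequence."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def build_profile(traces: Sequence[Sequence[str]], n: int = N) -> Set[Gram]:
    """Intermediate representation: the set of n-grams seen in the traces."""
    profile: Set[Gram] = set()
    for t in traces:
        profile.update(ngrams(t, n))
    return profile


def mismatch_rate(trace: Sequence[str], profile: Set[Gram], n: int = N) -> float:
    """Fraction of the trace's n-grams that are absent from the normal profile."""
    grams = ngrams(trace, n)
    if not grams:
        return 0.0
    unseen = sum(1 for g in grams if g not in profile)
    return unseen / len(grams)


def classify_by_normal_model(trace, profile, threshold: float = 0.2, n: int = N) -> str:
    """Approach 1: flag anything that departs from legitimate behavior.
    The threshold is assumed; in practice it is tuned on held-out benign traces."""
    return "anomalous" if mismatch_rate(trace, profile, n) > threshold else "normal"


def classify_by_malware_model(trace, malware_profile: Set[Gram], n: int = N) -> str:
    """Approach 2: flag only traces that contain a known-malware n-gram."""
    hit = any(g in malware_profile for g in ngrams(trace, n))
    return "known-malware" if hit else "no-match"


if __name__ == "__main__":
    normal = build_profile(NORMAL_TRACES)
    malware = build_profile(KNOWN_MALWARE_TRACES)
    print(round(mismatch_rate(SUSPECT_TRACE, normal), 3))   # 0.333
    print(classify_by_normal_model(SUSPECT_TRACE, normal))  # anomalous
    print(classify_by_malware_model(SUSPECT_TRACE, malware))  # known-malware
    # A variant that skips fork() evades the known-malware model (unknown
    # malware problem) but still departs from the legitimate-behavior model.
    variant = SUSPECT_TRACE[:-3] + ["chmod", "execve"]
    print(classify_by_malware_model(variant, malware))  # no-match
    print(classify_by_normal_model(variant, normal))    # anomalous
```

The per-trace cost is a set lookup per n-gram, which is the kind of budget a battery-powered device can afford, whereas the normal profile itself has to be built per program, which is the expense the text attributes to the first approach.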

3. Malware in the IoT

The malware detection techniques presented in the previous section have been used to implement malware detection methods in the IoT; for instance, SVELTE, a combined signature- and anomaly-based intrusion detection method, has been used to protect the IoT against routing attacks on the IPv6 routing protocol for low-power and lossy networks (RPL) [23]. On the one hand, applying a signature-based technique for malware detection in the IoT is not the best approach, because it is not designed to detect unknown or newly developed malware; on the other hand, designing a behavior-based or specification-based method to secure the IoT is computationally expensive because of the long simulation process it requires.
Major AI solutions for securing the IoT fall under either behavior- or specification-based techniques, which are complex to implement in IoT systems. For instance, the authors in [24] evaluate recent advances in AI/ML techniques for securing the IoT. They use 80% of the dataset just to train the model, which is computationally expensive, and state that, despite the advances in AI techniques in the IoT, the security method is still vulnerable when implemented in a real IoT system. Furthermore, the authors in [25] published a survey of AI solutions enhancing IoT security that presents the challenges and limitations of the algorithms. Besides their low detection probability and instability, AI algorithms are computationally complex and consume many resources. Therefore, in this work, we analyze AIS solutions for securing the IoT that are less complex to implement while retaining high detection probabilities.
As businesses and consumers continue to connect devices to the Internet without proper security measures, IoT devices are increasingly leveraged by cybercriminals to dispense malware payloads [26]. In the first half of 2019, SonicWall observed a 55% increase in IoT attacks, a number that outpaces the first two quarters of the previous year. A security vendor detected over 100 million attacks on IoT devices in the first half of 2019, which highlights the continued threat to unsecured IoT devices [27]. Kaspersky, the Russian anti-virus vendor, claimed to have detected 106 million attacks coming from 267,000 unique IP addresses in the first half of 2019 [27]. This number of attacks was almost nine times higher than that reported for the first quarter of 2018, when only 12 million were detected, originating from 69,000 IP addresses. According to the authors in [27], a major reason driving this surge is consumers’ increased propensity to buy smart home solutions without due diligence in terms of security measures. For all the reasons listed above, malware attacks are major security threats in the IoT and thus require an IoT-specific security solution.
The best way to secure the IoT based on its characteristics and architecture is to implement a distributed, dynamic, adaptive, and self-monitoring method. This leads us to investigate the AIS solutions and how these can be applied to secure the IoT against malware attacks.

References

  1. Othman, M.; El-Mousa, A. Internet of Things Cloud Computing Internet of Things as a Service Approach. In Proceedings of the 2020 11th International Conference on Information and Communication Systems (ICICS), Irbid, Jordan, 7–9 April 2020; pp. 318–323.
  2. Asghari, P.; Rahmani, A.M.; Javadi, H.H.S. Internet of Things applications: A systematic review. Comput. Netw. 2019, 148, 241–261.
  3. Koutras, D.; Stergiopoulos, G.; Dasaklis, T.; Kotzanikolaou, P.; Glynos, D.; Douligeris, C. Security in IoMT Communications: A Survey. Sensors 2020, 20, 4828.
  4. Marathe, S.; Nambi, A.; Swaminathan, M.; Sutaria, R. CurrentSense: A novel approach for fault and drift detection in environmental IoT sensors. In Proceedings of the International Conference on Internet-of-Things Design and Implementation, Charlottesville, VA, USA, 18–21 May 2021; pp. 93–105.
  5. Lv, Z.; Qiao, L.; Kumar Singh, A.; Wang, Q. AI-Empowered IoT Security for Smart Cities. ACM Trans. Internet Technol. 2021, 21.
  6. Xenofontos, C.; Zografopoulos, I.; Konstantinou, C.; Jolfaei, A.; Khan, M.K.; Choo, K.K.R. Consumer, Commercial and Industrial IoT (In)Security: Attack Taxonomy and Case Studies. IEEE Internet Things J. 2021.
  7. Khan, M.; Algarni, F. A Healthcare Monitoring System for the Diagnosis of Heart Disease in the IoMT Cloud Environment Using MSSO-ANFIS. IEEE Access 2020, 8, 122259–122269.
  8. Zhang, J.; Li, G.; Marshall, A.; Hu, A.; Hanzo, L. A New Frontier for IoT Security Emerging From Three Decades of Key Generation Relying on Wireless Channels. IEEE Access 2020, 8, 138406–138446.
  9. Lin, H.; Garg, S.; Hu, J.; Wang, X.; Piran, M.J.; Hossain, M.S. Privacy-enhanced Data Fusion for COVID-19 Applications in Intelligent Internet of Medical Things. IEEE Internet Things J. 2020.
  10. Aldhaheri, S.; Alghazzawi, D.; Cheng, L.; Barnawi, A.; Alzahrani, B. Artificial Immune Systems approaches to secure the internet of things: A systematic review of the literature and recommendations for future research. J. Netw. Comput. Appl. 2020, 157, 102537.
  11. Jeon, J.; Park, J.; Jeong, Y. Dynamic Analysis for IoT Malware Detection With Convolution Neural Network Model. IEEE Access 2020, 8, 96899–96911.
  12. Greensmith, J. Securing the Internet of Things with Responsive Artificial Immune Systems. In Proceedings of the 2015 Annual Conference on Genetic and Evolutionary Computation (GECCO ’15); Association for Computing Machinery, Madrid, Spain, 18–21 May 2021; pp. 113–120.
  13. Aslan, Ö.; Samet, R. A comprehensive review on malware detection approaches. IEEE Access 2020, 8, 6249–6271.
  14. Hofmeyr, S.; Forrest, S.; Somayaji, A. Intrusion Detection Using Sequences of System Calls. J. Comput. Secur. 1998, 6, 151–180.
  15. Bilar, D. Opcodes as Predictor for Malware. Int. J. Electron. Secur. Digit. Forensic 2007, 1, 156–168.
  16. Schultz, M.; Eskin, E.; Zadok, F.; Stolfo, S. Data mining methods for detection of new malicious executables. In Proceedings of the 2001 IEEE Symposium on Security and Privacy. S & P 2001, Oakland, CA, USA, 14–16 May 2001; pp. 38–49.
  17. Jalote, P. An Integrated Approach to Software Engineering; Springer Science & Business Media: Berlin/Heidelberg, Germany, 2012.
  18. Eskandari, M.; Hashemi, S. Metamorphic malware detection using control flow graph mining. Int. J. Comput. Sci. Netw. Secur. 2011, 11, 1–6.
  19. Buttyán, L.; Baras, J.S. Decision and Game Theory for Security; Springer: Berlin/Heidelberg, Germany, 2010.
  20. Saad, W.; Sanjab, A.; Wang, Y.; Kamhoua, C.A.; Kwiat, K.A. Hardware Trojan Detection Game: A Prospect-Theoretic Approach. IEEE Trans. Veh. Technol. 2017, 66, 7697–7710.
  21. Vamvakas, P.; Tsiropoulou, E.E.; Papavassiliou, S. Exploiting prospect theory and risk-awareness to protect UAV-assisted network operation. EURASIP J. Wirel. Commun. Netw. 2019, 2019, 1–20.
  22. Pandey, S.K.; Mehtre, B. A lifecycle based approach for malware analysis. In Proceedings of the 2014 Fourth International Conference on Communication Systems and Network Technologies, Bhopal, India, 7–9 April 2014; pp. 767–771.
  23. Raza, S.; Wallgren, L.; Voigt, T. SVELTE: Real-time intrusion detection in the Internet of Things. Ad hoc Netw. 2013, 11, 2661–2674.
  24. Abusnaina, A.; Anwar, A.; Alshamrani, S.; Alabduljabbar, A.; Jang, R.; Nyang, D.; Mohaisen, D. Systemically Evaluating the Robustness of ML-based IoT Malware Detectors. In Proceedings of the 2021 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks-Supplemental Volume (DSN-S), Taipei, Taiwan, 21–24 June 2021; pp. 3–4.
  25. Wu, H.; Han, H.; Wang, X.; Sun, S. Research on Artificial Intelligence Enhancing Internet of Things Security: A Survey. IEEE Access 2020, 8, 153826–153848.
  26. SonicWall 2019 Report: 55% Rise in IoT Malware Attacks. 2019. Available online: (accessed on 1 October 2021).
  27. Muncaster, P. Over 100 Million IoT Attacks Detected in 1H 2019. 2019. Available online: (accessed on 1 October 2021).
Update Date: 10 Nov 2021