Malware is a major security threat to the IoT, and detecting unknown malware is one of the key challenges for two reasons. First, the limitations of IoT devices, such as their low power retention capability and low computational processing capability, represent a significant challenge when aiming to apply security solutions. Second, introducing new ways to connect networks, such as cloud services, opens the door to many security attacks, such as malware attacks. Furthermore, connecting new devices that were not part of traditional networks via these new connection methods, such as smart sensors, makes applying security measures more complex. For these reasons, traditional malware detection mechanisms are not suitable for the IoT environment.
1. IoT Characteristics and Challenges on Security
The IoT is a system of interconnected machines with unique identifier numbers. The devices can communicate and share data within a network without human interaction. The IoT system consists of devices (often referred to as IoT devices) with unique identifiers that integrate seamlessly into the information network by using intelligent interfaces
[1][10]. IoT systems often include connected, lightweight IoT devices and are employed in various applications, such as healthcare, environmental, smart cities, commercial, and industrial applications
[2][11]. IoT devices employed in healthcare are referred to as IoMT devices. These include wearable monitoring medical devices, implantable medical treatment devices, and in-hospital connected medical devices and play a critical role in remote health monitoring and intervention
[3][12]. As such, securing IoMT devices and systems is crucial and demands rigorous malware detection mechanisms. In environmental and agricultural applications, IoT devices such as temperature and humidity sensors are often battery operated and deployed in remote locations
[4][13], thus requiring a malware detection mechanism that is computationally and energy efficient to extend the battery life. Smart cities leverage IoT systems using various types of devices, such as security cameras that capture sensitive data
[5][14], and thus require strict security measures to prevent unlawful access. Industrial IoT (IIoT) applications refer to IoT systems in manufacturing and supply chains where humans work in the vicinity of machines operated by IoT devices
[6][15]. In these cases, securing the IoT system against malware is pivotal for workers’ safety and key to sustaining efficient IIoT operation. These IoT devices may be physical entities but also virtual things that interact, thus forming the IoT system with essential features as presented below (see
Figure 12).
Figure 12. IoT characteristics.
3).
Figure 23. Malware analysis and detection.
In the signature-based technique, files are analyzed and compared to an existing list, and if they are listed in the list, they are classified as malware. This method is not effective for recognizing all malware that enters the network because some malware is encrypted, and thus extracting the signature takes time and a large amount of processing energy. Furthermore, it is not effective for new or unknown malware.
-
-
The behavioral-based method monitors the program’s behavior rather than reading its signature. This technique follows three steps: the first step collects information about the program, the second step interprets the data through conversion to intermediate representations, and the last step matches the intermediate representation with known behavior signatures. There are two approaches to this technique, the first of which is simulating the behavior of legitimate programs and comparing any new program to that model. This approach works for the detection of most malware, even new kinds. However, it is expensive to implement because of the different behaviors of each program in the network; for example, a video reader will use different services than a mail or a web client. The second approach is simulating the behavior of known malware and comparing it to new programs, which means new (unknown) malware cannot be identified.
-
The specification-based method was introduced to overcome the disadvantages and limitations of the first two techniques. This technique uses different features for malware detection, including the following:
- (a)
-
API calls: Hofmeyr et al. were among the first to propose using application interface and system call sequences for malware detection
[14][22].
- (b)
-
OpCode: Executable files are made of series of assembly codes, and in this method, researchers use this operational code to detect malware
[15][23].
- (c)
-
N-Grams: this method uses executable programs’ binary codes for malware detection
[16][24].
- (d)
-
CFG: This is a graph that illustrates the control flow of programs, and it has been used to analyze malware behavior
[17][25].
- (e)
-
Hybrid feature: in this machine learning method, researchers combine different techniques for malware detection to get better results. For example, Eskandari et al. in
[18][26] used CFG and API calls for metamorphic malware detection.
- (f)
-
Game theoretic-based anomaly detection algorithms: Zhu, Quanyan, and T. Başar presented different solutions to malware detection using behavioral analysis, such as the data exfiltration detection and prevention and consensus algorithm, with censored data for distributed detection
Interconnectivity refers to the connection of the device to the cloud and/or other devices. Connectivity is needed to enable the control of the device remotely, but mostly to access the data collected by the IoT device’s sensors. For example, an IoMT device for heart disease prediction is remotely controlled to monitor the patient’s heart rate
[7][16]. The health parameters are collected in real-time and transmitted to a data center in the cloud. Therefore, securing this connection is vital to protect critical information.
-
The IoT devices are heterogeneous as they may be built on different platforms and have different specifications. The hardware, such as a simple sensor to monitor the heart rate in
[7][16], and virtual things, such as a data center built on the cloud, could be supplied by different vendors. These integrated IoT devices could use different security measures, leading to a lack of standardization in the network. Each connected device could use different security protocols, with their security bugs and limitations, exposing the system to different kinds of hacking.
-
In the IoT environment, physical and virtual devices are capable of exchanging services within the constraints of the devices. Since the communication between different IoT devices is not controlled by a central processor/human, this could form a serious threat. If a malicious device is disguised as an accepted IoT device, it could start to disturb other devices by installing malicious files.
-
The number of IoT devices is increasing exponentially and is generating an unprecedented amount of data. The expected number of IoT devices by 2025 is between 25 billion and 50 billion
[8][17]. The scale is simply enormous, and data privacy and integrity are critical challenges in massive-scale networks. For instance, IoMT-based COVID-19 applications are creating massive amounts of real-time data that are stored in the cloud. However, as the amount of generated data continues to increase, the network pressure increases, which might lead to occurrences of erroneous interpretations
[9][18].
The IoT involves smart devices and sensors, some of which use non-chargeable batteries. This makes battery life one of the predominant challenges in IoT security. Running security rules will drain the battery resources. Applying minimum security requirement measures is not recommended and is risky when devices have access to (or collect) sensitive data. Increasing battery size and capacity is not always possible, because these devices are designed to be lightweight and low-cost. In addition to device limitation and object identification, device authentication and authorization are examples of the IoT network-layer security challenges. Issuing certificates to each object in the IoT is extremely challenging due to the number of connected objects and lack of a global root certificate authority. The Domain Name System (DNS), which is used to identify objects and their attributes, is another IoT network-layer security challenge. Data integrity is problematic here due to the possibility of being hacked by a man in the middle or a DNS cash poisoning attack. This attack is the act of placing false information to redirect Internet traffic to malicious websites.
The threat of malware attacks arises in IoT due to these security challenges. Antivirus software is the main line of defense to detect known malware in real-time. However, the traditional security solutions have not been efficient and do not provide decentralized and strong security solutions in the IoT
[10][9]. Due to the IoT device limitation and computing power, shifting similar solutions from traditional platforms to IoT might not be affordable
[11][19]. Battery size and expected durability are challenges that make the implementation of security measures more limited, as a device has to be energy efficient as well as secure. Moreover, in IoT systems, network resources are integrated into devices that were never previously anticipated to be part of computer networks
[12][20]. Integrating IoT devices into traditional networks introduces a new paradigm of security. The integrated systems inherit the traditional network security issues besides those targeting IoT devices
[10][9]. Consequently, using traditional security measures is not enough to give IoT systems malware detection capabilities.
2. Malware Analysis and Detection
Malware is defined as malicious software that is executed within the system without the user’s permission. Black hats, hackers, and crackers are all names for malware writers and developers. Writers have different intentions when creating this malicious executable software; e.g., internal threats, governance purposes, and spying on competitors. “Traditional” malware was often written using simple techniques and was designed with predictable intentions
[13][21]. “Next-generation” malware, on the other hand, is designed with multiple malicious intents and leverages advances in technology for a more sophisticated design. The marriage of fast-spreading IoT systems and the inherent vulnerability and increased sophistication of malware attacks renders malware analysis and detection more critical but also more challenging.
2.1. Malware Analysis
Malware analysis techniques are essential to developing effective malware detection methods. These techniques involve the analysis of the process and functionality of the malware to build a suitable defense method. Three main malware analysis techniques achieve the same goal of determining how the malware works and how the attack will affect the network (see Figure 2
]
.
-
- (g)
-
Prospect theoretic approaches: These approaches are based on measuring the trustworthiness of the aggregated data in the system. In
[
]
[
]
, the authors present a hardware trojan detection game based on prospective theory approaches. Furthermore, in
[21][29], the authors introduce a prospect theory-based framework to ensure risk awareness and protect network operations.
Static analysis, also called code analysis: In this technique, the infected file is inspected and analyzed without executing it. Low-level information is extracted such as the control flow graph (CFG), data flow graph, and system calls. Static analysis is fast at analyzing data and safe to use; also, it has a low level of false-positives, which means a higher detection rate. Moreover, the static analysis tracks all possible paths, which gives it a global view; however, it fails in detecting unknown malware using code obfuscation.
-
-
Dynamic analysis, also called behavioral analysis: In dynamic analysis, the infected file is inspected during execution, which is usually conducted on an invisible virtual machine, so the malware file does not change its behaviors. Dynamic analysis is time-consuming and vulnerable, and it can only detect a few paths based on triggered files. Furthermore, it is neither safe nor fast, and it suffers from a high level of false positives. However, dynamic analysis is known for its good performance in detecting new and unknown malware.
-
Hybrid analysis: this technique was designed to overcome the challenges and limitations of the previous two techniques. First, it analyzes the signature descriptions of any malware code and then combines that with other dynamic parameters to improve the analysis of malware.
The connection in IoT networks is currently enabled via cloud services. Static, dynamic, and hybrid malware analyses are mostly applied in the cloud to protect IoT devices.
2.2. Malware Detection Techniques
Based on the analysis results described in the previous section, we present detection techniques that are designed to detect malware attacks effectively. Three main methods are used in malware detection: the signature-based detection technique, behavior-based detection technique, and specification-based detection technique (see Figure 3).
The main limitation of the specification-based method is the difficulty to specify the whole set of legitimate behaviors that a system should exhibit accurately
[22][30].
3. Malware in the IoT
The malware detection techniques presented in the previous section have been followed to implement malware detection methods in the IoT; for instance, SVELTE, which is a signature and anomaly-based intrusion detection method, has been used to protect the IoT from routing attacks based on the IPv6 routing protocol
[23][31]. On one hand, applying a signature-based technique for malware detection in the IoT is not the best approach because it is not designed to detect unknown/newly developed malware files; on the other hand, designing a behavioral-based or specification-based method to secure the IoT is computationally expensive due to the long simulation process it requires.
Major AI solutions to securing the IoT fall under either behavior or specification-based techniques, which are complex to implement in IoT systems. For instance, the authors in
[24][32] evaluate the recent advances in AI/ML techniques in securing the IoT. They use 80% of the dataset only to train the module, which is computationally expensive, and state that, despite the advances in AI techniques in the IoT, the security method is still vulnerable when implemented in a real IoT system. Furthermore, the authors in
[25][33] published a survey about AI solutions enhancing IoT security by presenting the challenges and limitations of algorithms. Besides the weak probability and instability of AI algorithms, they are computationally complex, with high resource consumption. Therefore, in this work, we analyze the AIS solutions to secure the IoT that are less complex for implementation with high detection probabilities.
As businesses and consumers continue to connect devices to the Internet without proper security measures, IoT devices are increasingly leveraged by cybercriminals to dispense malware payloads
[26][34]. In the first half of 2019, SonicWall observed a 55% increase in IoT attacks—a number that outpaces the first two quarters of the previous year. A security vendor has detected over 100 million attacks on IoT devices in the first half of 2019, which highlights the continued threat to unsecured IoT devices
[27][35]. Kaspersky, the Russian Anti-Virus vendor, has claimed to detect 106 million attacks coming from 267,000 unique IP addresses in the first half of 2019
[27][35]. This number of attacks was almost nine times more than what was reported for the first quarter of 2018, when only 12 million were detected, originating from 69,000 IP addresses. According to the authors in
[27][35], a major reason driving this surge is consumers’ increased propensity to buy smart home solutions without due diligence in terms of security measures. Due to all the reasons listed above, malware attacks are major security threats in the IoT and thus require an IoT-specific security solution.
The best way to secure the IoT based on its characteristics and architecture is to implement a distributed, dynamic, adaptive, and self-monitoring method. This leads us to investigate the AIS solutions and how these can be applied to secure the IoT against malware attacks.