HADES-IoT: A Practical Host-Based Anomaly Detection System for IoT Devices

Internet of Things (IoT) devices have become ubiquitous and have spread across many application domains, including industry, transportation, healthcare, and households. However, the proliferation of IoT devices has raised concerns about their security: many manufacturers focus only on the core functionality of their products because of short time-to-market and low-cost pressures, while neglecting security. Moreover, there is no established or standardized method for measuring and ensuring the security of IoT devices. Consequently, vulnerabilities are left untreated, allowing attackers to exploit IoT devices for various purposes, such as compromising privacy, recruiting devices into a botnet, or misusing devices for cryptocurrency mining. In this paper, we present a practical Host-based Anomaly DEtection System for IoT (HADES-IoT) as a novel last line of defense. HADES-IoT has proactive detection capabilities, provides tamper resistance, and can be deployed on a wide range of Linux-based IoT devices. Its main advantage is its low performance overhead, which makes it suitable for the IoT domain, where state-of-the-art approaches cannot be applied because of their high performance demands. We deployed HADES-IoT on seven IoT devices and demonstrated 100% effectiveness in detecting current IoT malware such as VPNFilter and IoTReaper, while on average requiring only 5.5% of available memory and causing only a low CPU load.
