ML-based IoT Malware Detection Under Adversarial Settings: A Systematic Evaluation

TL;DR

This paper systematically evaluates the robustness of ML-based IoT malware detectors against adversarial malware mutations, revealing significant vulnerabilities and instability in current detection methods.

Contribution

It provides a comprehensive analysis of the effectiveness and limitations of state-of-the-art ML-based IoT malware detection approaches under adversarial conditions.

Findings

Malware mutations with functionality-preserving operations reduce detection accuracy

Industry-standard detectors are also vulnerable to malware evolution

ML detectors show instability in distinguishing benign from malicious software

Abstract

The rapid growth of the Internet of Things (IoT) devices is paralleled by them being on the front-line of malicious attacks. This has led to an explosion in the number of IoT malware, with continued mutations, evolution, and sophistication. These malicious software are detected using machine learning (ML) algorithms alongside the traditional signature-based methods. Although ML-based detectors improve the detection performance, they are susceptible to malware evolution and sophistication, making them limited to the patterns that they have been trained upon. This continuous trend motivates the large body of literature on malware analysis and detection research, with many systems emerging constantly, and outperforming their predecessors. In this work, we systematically examine the state-of-the-art malware detection approaches, that utilize various representation and learning techniques, under a range of adversarial settings. Our analyses highlight the instability of the proposed detectors in learning patterns that distinguish the benign from the malicious software. The results exhibit that software mutations with functionality-preserving operations, such as stripping and padding, significantly deteriorate the accuracy of such detectors. Additionally, our analysis of the industry-standard malware detectors shows their instability to the malware mutations.