MADEA: A Malware Detection Architecture for IoT blending Network Monitoring and Device Attestation
Renascence Tarafder Prapty, Rahmadi Trimananda, Sashidhar Jakkamsetti, Gene Tsudik, Athina Markopoulou

TL;DR
MADEA is a novel IoT malware detection system that combines network traffic analysis and device attestation, achieving rapid and accurate detection while conserving device energy.
Contribution
It introduces the first integrated approach blending remote attestation and traffic analysis for IoT malware detection, improving speed and accuracy.
Findings
100% true positive rate in malware detection
160x faster detection time than existing methods
Significant energy savings compared to traditional RA
Abstract
Internet-of-Things (IoT) devices are vulnerable to malware and require new mitigation techniques due to their limited resources. To that end, previous research has used periodic Remote Attestation (RA) or Traffic Analysis (TA) to detect malware in IoT devices. However, RA is expensive, and TA only raises suspicion without confirming malware presence. To solve this, we design MADEA, the first system that blends RA and TA to offer a comprehensive approach to malware detection for the IoT ecosystem. TA builds profiles of expected packet traces during benign operations of each device and then uses them to detect malware from network traffic in real-time. RA confirms the presence or absence of malware on the device. MADEA achieves 100% true positive rate. It also outperforms other approaches with 160x faster detection time. Finally, without MADEA, effective periodic RA can consume at least…
