Posted on Leave a comment

SIMBIoTA: Similarity-Based Malware Detection for the Internet of Things

CrySyS Lab researchers developed a new anti-virus solution running on resource constrained embedded IoT devices.

Embedded devices connected to the Internet are threatened by malware, but no anti-virus product is available for them. Anti-virus products developed for traditional IT systems have higher resource needs than that offered by embedded IoT devices. The required amount of free storage space and memory to run these products is often measured in gigabytes, which exceeds the capacity of typical IoT devices, such as WiFi routers, IP cameras, smart house hold appliances, wearable devices, etc. In addition, many existing anti-virus products do not even support the operating systems (typically some embedded Linux or some more exotic OS) used on IoT devices. Therefore, they could not be installed, even if a particular IoT device met their system requirements.

To overcome this problem, network-based malware detection was proposed for protecting IoT devices, which is based on analyzing and filtering network traffic on a gateway that is placed between the IoT device and the Internet. A few of such gateway products are available commercially, including BitDefender Box and Kaspersky IoT Secure Gateway. While this approach certainly reduces the storage and computing burden on IoT devices, it is rather easy for attackers to circumvent. For example, attackers may try to compromise devices via encrypted communication channels, such as TLS. Another potential problem is that gateway based protection can be bypassed by malware carried on mobile devices and USB sticks that are directly connected to the IoT devices behind the gateway.

Hence, there is a need for an anti-virus solution running on the IoT devices themselves, and CrySyS Lab researchers developed the first ever such anti-virus solution called SIMBIoTA. The approach proposed by Csongor Tamás (now with Ukatemi Technologies), Dorottya Papp, and Levente Buttyán relies on similarity-based malware detection, and it has a number of notable advantages: moderate storage requirements on resource constrained IoT devices, a fast and lightweight malware detection process, and a surprisingly good detection performance, even for new, never-before-seen malware. These features make SIMBIoTA a viable anti-virus solution for IoT devices, with competitive detection performance and limited resource requirements.

SIMBIoTA is described in a paper accepted for publication at the 6th International Conference on Internet of Things, Big Data and Security (IoTBDS), and presented on April 23rd, 2021. In the paper, the architecture of SIMBIoTA is introduced and its detection performance is evaluated using 47 937 malware samples (courtesy of Ukatemi Technologies) and 14 119 benign programs. The results show that SIMBIoTA achieves more than 90% true positive detection rate on average, even for previously unseen malware samples. Moreover, in the performed experiments, its false positive detection rate was 0%. In terms of resource needs, SIMBIoTA requires just a few tens of kilobytes of storage space, which is certainly available even on resource constrained embedded IoT devices.

SIMBIoTA was developed in the SETIT (Security Enhancing Technologies for the Internet of Things) project (contract no: 2018-1.2.1-NKP-2018-00004), which has been implemented with the support provided from the National Research, Development and Innovation Fund of Hungary, financed under the 2018-1.2.1-NKP funding scheme. The malware dataset and the support provided by Ukatemi Technologies for the research are also kindly acknowledged.