MAD-IoT: Memory Anomaly Detection for the Internet of Things

In the Internet of Things (IoT), applications hosted on resource-limited devices interact with the user and the physical world to provide digital connectivity and automation to daily activities, and frequently provide a point of entry into networks. However, many IoT applications are vulnerable to cyber attacks that can put networks, data, and connected devices at risk. Integrity measurement is an active defense technique used to detect malicious modification of software at runtime. While its usefulness has been well-demonstrated, integrity measurement is application-dependent and requires domain knowledge of the targeted software. Currently, adding integrity measurement to a platform requires substantial human effort, and thus application has been limited to usage on widely-deployed software such as the Linux kernel. Due to the diversity of IoT, vendors are unlikely to devote a substantial amount of effort to add integrity measurement systems to their devices. In this paper we introduce MAD-IoT (Memory Anomaly Detection for the Internet of Things), an integrity measurement framework for IoT. In order to provide low-cost integrity measurement agents and software anomaly detection for IoT platforms, MAD-IoT uses a process called IMAGE: Integrity Measurement Agent GEneration. The IMAGE process uses machine learning to automatically generate integrity measurement agents for arbitrary IoT devices. We demonstrated MAD-IoT and IMAGE on a proof-of-concept testhed and evaluated its performance with supervised and unsupervised machine learning models. Our results indicate that IMAGE is highly effective in recognizing known forms of misbehavior on IoT app operations, and very promising in identifying zero-day attacks. Finally, MAD-IoT introduces minimal overhead, making it feasible to implement on systems with very limited resources.