Machine Learning based Malware Traffic Detection on IoT Devices using Summarized Packet Data

As the number of IoT (Internet of Things) devices increases, the countermeasures against cyberattacks caused by IoT devices become more important. Although mechanisms to prevent malware infection to IoT devices are important, such prevention becomes hard due to sophisticated infection steps and lack of computational resource for security software in IoT devices. Therefore, detecting malware infection of devices is also important to suppress malware spread. As the types of IoT devices and malwares are increasing, advanced anomaly detection technology like machine learning is required to find malware infected devices. Because IoT devices cannot analyze own behavior by using machine learning due to limited computing resources, such analysis should be executed at gateway devices to the Internet. This paper proposes an architecture for detecting malware traffic using summarized statistical data of packets instead of whole packet information. As this proposal only uses information of amount of traffic and destination addresses for each IoT device, it can reduce the storage space taken up by data and can analyze number of IoT devices with low computational resources. We performed the malware traffic detection on proposed architecture by using machine learning algorithms of Isolation Forest and K-means clustering, and show that high accuracy can be achieved with the summarized statistical data. In the evaluation, we collected the statistical data from 26 IoT devices (9 categories), and obtained the result that the data size required for analysis is reduced over 90% with keeping high accuracy.