Towards the detection of malware in the internet of things at run-time

The Internet of Things (IoT) allows Linux-based devices, such as home heating controls and door bells, to become highly functional, both for the end user and the hacker. However, the evolution of this global network of internet-connected consumer devices, previously the preserve of computers, has rapidly outpaced security considerations. Indeed, hackers dream of bountiful security-lax, perennially powered-on and pervasively-connected victim devices. Dynamic opcode analysis has proven to be a powerful technique for detecting obfuscated malicious code, which traditional PC-based Anti-Virus solutions can fail to detect. To the best of our knowledge, this is the first dynamic opcode analysis of IoT malware. We present a fast, lightweight model, with generalisability to new unseen samples and detection accuracies up to 99.67%. This model shows superior performance to past static deep learning and decision tree models, including when compared on the same data. We further investigate the use of System Calls as detection features. While this approach showed lower overall accuracy, it detected misclassified instances from the opcode approach. Combining both feature sets in the first such multi-view approach improved accuracy for one dataset to 99.64%, improving on the current state-of-the-art. We propose this as a novel direction for future work.