Edge2Guard: Botnet attacks detecting offline models for resource-constrained IoT devices

Date
2021-03-22
Author
Sudharsan, Bharath
Sundaram, Dineshkumar
Patel, Pankesh
Breslin, John G.
Ali, Muhammad Intizar
Recommended Citation
Sudharsan, Bharath, Sundaram, Dineshkumar, Patel, Pankesh, Breslin, John G., & Ali, Muhammad Intizar. (2021). Edge2Guard: Botnet attacks detecting offline models for resource-constrained IoT devices. Paper presented at the IEEE 19th International Conference on Pervasive Computing and Communications (PerCom Workshops), Kassel, Germany, 22-26 March, doi: 10.13025/xbz2-8f29
Abstract
In today's IoT smart environments, dozens of MCU-based connected device types exist such as HVAC controllers, smart meters, smoke detectors, etc. The security conditions for these essential IoT devices remain unsatisfactory since: (i) many of them are built with cost as the driving design tenet, resulting in poor configurations and open design; (ii) their memory and computational resource constraints make it highly challenging to implement practical attack protection mechanisms; and (iii) currently, manufacturers use simplified light protocol versions to save memory for extra features (to boost sales). When such issues and vulnerabilities are exploited, devices can be compromised and converted into bots whereby severe DDoS attacks can be launched by a botmaster. Such tiny devices are safe only when connected to networks with defense mechanisms installed in their networking devices like routers and switches, which might not be present everywhere, e.g. on public/free Wi-Fi networks. To safeguard tiny IoT devices from cyberattacks, we provide resource-friendly standalone attack detection models termed Edge2Guard (E2G) that enable MCU-based IoT devices to instantly detect IoT attacks without depending on networks or any external protection mechanisms. During evaluation, our top-performing E2G models detected and classified ten types of Mirai and Bashlite malware with close to 100% detection rates.