Swarm-Net: Firmware Attestation in IoT Swarms using Graph Neural Networks and Volatile Memory

Varun Kohli, Bhavya Kohli, Muhammad Naveed Aman, Biplab Sikdar

TL;DR

Swarm-Net addresses firmware integrity in IoT swarms by using SRAM runtime traces as features and Graph Neural Networks to model inter-device relationships. It avoids firmware copies, enables lightweight swarm attestation, and introduces SRAM-based swarm datasets and a secure protocol with resynchronization. The approach achieves near-perfect detection across authentic, anomalous, and propagated firmware behaviors (approximately 99.9% accuracy and high attestation rates) with latency around 1 second and microsecond-scale inference times on standard hardware. This work demonstrates robust, scalable firmware attestation for heterogeneous IoT swarms and provides practical datasets and protocols to advance this security paradigm.

Abstract

The Internet of Things (IoT) is a network of billions of interconnected, primarily low-end embedded devices. Despite large-scale deployment, studies have highlighted critical security concerns in IoT networks, many of which stem from firmware-related issues. Furthermore, IoT swarms have become more prevalent in industries, smart homes, and agricultural applications, among others. Malicious activity on one node in a swarm can propagate to larger network sections. Although several Remote Attestation (RA) techniques have been proposed, they are limited by their latency, availability, complexity, hardware assumptions, and uncertain access to firmware copies under Intellectual Property (IP) rights. We present Swarm-Net, a novel swarm attestation technique that exploits the inherent, interconnected, graph-like structure of IoT networks along with the runtime information stored in the Static Random Access Memory (SRAM) using Graph Neural Networks (GNN) to detect malicious firmware and its downstream effects. We also present the first datasets on SRAM-based swarm attestation encompassing different types of firmware and edge relationships. In addition, a secure swarm attestation protocol is presented. Swarm-Net is not only computationally lightweight but also does not require a copy of the firmware. It achieves a 99.96% attestation rate on authentic firmware, 100% detection rate on anomalous firmware, and 99% detection rate on propagated anomalies, at a communication overhead and inference latency of ~1 second and ~10^{-5} seconds (on a laptop CPU), respectively. In addition to the collected datasets, Swarm-Net's effectiveness is evaluated on simulated trace replay, random trace perturbation, and dropped attestation responses, showing robustness against such threats. Lastly, we compare Swarm-Net with past works and present a security analysis.

Paper Structure (31 sections, 5 theorems, 15 equations, 7 figures, 10 tables, 2 algorithms)

Key Result

Lemma 1

Consistency: The data sections obtained from the same firmware on physical twins behave similarly.

Figures (7)

  • Figure 1: General organization of a microcontroller's SRAM.
  • Figure 2: Layered network model.
  • Figure 3: The Swarm-Net attestation protocol.
  • Figure 4: Swarm configurations used to collect the two datasets.
  • Figure 5: Physical swarm setup for dataset collection.
  • ...and 2 more figures

Theorems & Definitions (8)

  • Lemma 1
  • Lemma 2
  • Theorem 3
  • proof
  • Theorem 4
  • proof
  • Theorem 5
  • proof