MADEA: A Malware Detection Architecture for IoT blending Network Monitoring and Device Attestation

Renascence Tarafder Prapty, Rahmadi Trimananda, Sashidhar Jakkamsetti, Gene Tsudik, Athina Markopoulou

TL;DR

MADEA tackles IoT malware detection under tight resource constraints by blending lightweight Traffic Analysis (TA) with on-demand Remote Attestation (RA), enabling real-time infection confirmation. It introduces three core components (Profiler, Monitor, and Attester) and a feedback loop that refines traffic profiles based on attestation outcomes. Empirical results on a realistic smart-home testbed and public datasets show a true positive rate of 100% with low false positives and per-packet decision times around 1.6 ms, along with substantial energy savings over periodic attestation. This integrated approach offers a practical, scalable malware mitigation path for IoT deployments and complements existing attestation techniques, particularly in resource-constrained environments.

Abstract

Internet-of-Things (IoT) devices are vulnerable to malware and require new mitigation techniques due to their limited resources. To that end, previous research has used periodic Remote Attestation (RA) or Traffic Analysis (TA) to detect malware in IoT devices. However, RA is expensive, and TA only raises suspicion without confirming malware presence. To solve this, we design MADEA, the first system that blends RA and TA to offer a comprehensive approach to malware detection for the IoT ecosystem. TA builds profiles of expected packet traces during benign operation of each device and then uses them to detect malware from network traffic in real time. RA confirms the presence or absence of malware on the device. MADEA achieves a 100% true positive rate. It also outperforms other approaches with 160x faster detection time. Finally, without MADEA, effective periodic RA can consume at least ~14x the amount of energy that a device needs in one hour.
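The Profiler/Monitor/Attester split and the feedback loop described above, as an added example that is not MADEA's code. It assumes a per-device profile is simply the set of (direction, packet length) pairs seen during benign operation (a simplification of the paper's packet-trace profiles), and it replaces the real remote attestation protocol with a stub that answers clean or infected. Both packet traces are constructed for the example; the two runs mirror the two cases in Figure 4: an unprofiled packet that turns out to be a new legitimate command (attester reports clean, profile is extended) and an unprofiled packet produced by malware (attester confirms infection).

```python
"""Profile-based traffic monitor with on-demand attestation.

Added example, not MADEA's code. Profile representation, packet fields and
the attester stub are assumptions made for illustration.
"""
from collections import namedtuple

# Direction labels follow Figure 3: S-D, D-S, D-U, U-D.
Packet = namedtuple("Packet", "direction length")


class Profiler:
    """Builds a device profile from a benign packet trace (assumed representation)."""

    def build(self, benign_trace):
        return {(p.direction, p.length) for p in benign_trace}


class Attester:
    """Stand-in for the remote attester: returns True if the device is clean.

    A real attester would run a challenge-response protocol with the device;
    here the verdict is fixed so the Monitor's feedback loop can be exercised.
    """

    def __init__(self, device_clean):
        self._device_clean = device_clean
        self.calls = 0  # counts how often RA was actually triggered

    def attest(self):
        self.calls += 1
        return self._device_clean


class Monitor:
    """Per-packet decision: profile hit is benign; a miss triggers RA on demand."""

    def __init__(self, profile, attester):
        self.profile = set(profile)
        self.attester = attester
        self.log = []

    def process(self, packet):
        key = (packet.direction, packet.length)
        if key in self.profile:
            return "benign"
        # Unexpected packet: TA only raises suspicion, so ask the Attester.
        if self.attester.attest():
            # Case 1: device is clean, so this is new legitimate behaviour.
            # Feedback loop: extend the profile so the next occurrence
            # no longer costs an attestation.
            self.profile.add(key)
            self.log.append(("profile_updated", key))
            return "profile_updated"
        # Case 2: attestation failed; the deviation was malware traffic.
        self.log.append(("malware_confirmed", key))
        return "malware_confirmed"


def run_demo():
    """Constructed traffic (not the paper's dataset) for both Figure 4 cases."""
    benign_trace = [
        Packet("U-D", 92), Packet("D-U", 60),
        Packet("D-S", 140), Packet("S-D", 140),
    ]
    profile = Profiler().build(benign_trace)

    # Case 1: a new status command the Profiler never saw; attester says clean.
    clean = Monitor(profile, Attester(device_clean=True))
    case1 = [clean.process(p) for p in
             [Packet("U-D", 92), Packet("D-U", 310), Packet("D-U", 310)]]

    # Case 2: malware emits an unprofiled packet; attester confirms infection.
    infected = Monitor(profile, Attester(device_clean=False))
    case2 = [infected.process(p) for p in
             [Packet("D-S", 140), Packet("D-S", 512)]]

    return case1, case2, clean.attester.calls, infected.attester.calls


if __name__ == "__main__":
    c1, c2, calls_clean, calls_infected = run_demo()
    print("case 1:", c1, "attestations:", calls_clean)
    print("case 2:", c2, "attestations:", calls_infected)
```

The attestation counters are the point of the design: RA runs only when TA sees a deviation, and once a clean deviation has been folded into the profile the second occurrence of the same packet costs no attestation at all, which is where the energy saving over periodic RA comes from.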

Paper Structure

This paper contains 31 sections, 7 figures, 7 tables.

Figures (7)

  • Figure 1: MADEA system model.
  • Figure 2: MADEA overview: blue arrows represent the feedback loop between Attester and Monitor.
  • Figure 3: Partial profiles of: (a) Lumiman Bulb, (b) Sensi Thermostat (S-D=Server-to-Device, D-S=Device-to-Server, D-U=Device-to-User, U-D=User-to-Device). Note: See Appendix A for full profile of Sensi Thermostat. For more examples, see MADEA_dataset.
  • Figure 4: Case 1---Malware not detected by Attester: (a) the RPi smart bulb's profile, (b) packets for a new command (i.e., status message), (c) Monitor's log, and (d) the RPi smart bulb's profile updated by Monitor. Case 2---Malware detected by Attester: (a) the RPi smart bulb's profile, (b) packets generated by malware, and (c) Monitor's log.
  • Figure B1: Some of the external addresses used by malware.
  • ...and 2 more figures