
Evasion of IoT Malware Detection via Dummy Code Injection

Sahar Zargarzadeh, Mohammad Islam

TL;DR

This work demonstrates that power side-channel-based IoT malware detection can be evaded by an adversary who injects structured dummy code into Mirai's scanning phase, perturbing the device's power signature without breaking the malware's functionality. The authors present a gray-box attack framework guided by SHAP explanations, build a cross-architecture dataset from smartphone power traces, and evaluate six detection architectures. They report an average attack success rate (ASR) of around 75% and detail the trade-offs between stealth, runtime overhead, and disruption, alongside defenses such as adversarial training and noise injection. The findings highlight the need for robust, multimodal intrusion detection that accounts for temporal perturbations and adversarial resilience in resource-constrained IoT environments.

Abstract

The Internet of Things (IoT) has revolutionized connectivity by linking billions of devices worldwide. However, this rapid expansion has also introduced severe security vulnerabilities, making IoT devices attractive targets for malware such as the Mirai botnet. Power side-channel analysis has recently emerged as a promising technique for detecting malware activity based on device power consumption patterns. However, the resilience of such detection systems under adversarial manipulation remains underexplored. This work presents a novel adversarial strategy against power side-channel-based malware detection. By injecting structured dummy code into the scanning phase of the Mirai botnet, we dynamically perturb power signatures to evade AI/ML-based anomaly detection without disrupting core functionality. Our approach systematically analyzes the trade-offs between stealthiness, execution overhead, and evasion effectiveness across multiple state-of-the-art models for side-channel analysis, using a custom dataset collected from smartphones of diverse manufacturers. Experimental results show that our adversarial modifications achieve an average attack success rate of 75.2%, revealing practical vulnerabilities in power-based intrusion detection frameworks.

Paper Structure (29 sections, 11 figures, 5 tables)

Figures (11)

  • Figure 1: (a) Global enterprise IoT market growth from 2022 to 2026 (projected) [IoTMarket2023]. (b) Average weekly IoT cyberattacks by sector in Jan–Feb 2023 [IoTCyberAttacks2023].
  • Figure 2: System architecture overview showing IoT devices, edge nodes, and cloud-based anomaly detection pipeline.
  • Figure 3: Attack framework illustrating dummy code injection at the client side and anomaly detection at the server side.
  • Figure 4: (A) SHAP feature importance values across classes: Idle, IoT Service, and Mirai. (B) Power signal alignment with SHAP-critical data points.
  • Figure 5: Experimental setup: IoT device running Mirai variant, server hosting the detection model, and local router for isolated communication.