MARS: The first line of defense for IoT incident response

Abstract

The proliferation of Internet of Things (IoT) devices across homes, businesses, and industrial landscapes has significantly increased our capability to gather data and automate tasks. Despite their ubiquity, these devices are notably resource-constrained and frequently lack robust security defenses, presenting a substantial risk of intrusion and cyber threats. To address these concerns, we propose a novel anomaly-based host intrusion detection system specifically designed for IoT devices, titled MARS (Memory Anomaly Recognition System). MARS is designed to function as a crucial component in the incident response framework, acting as an early detection system for potential security breaches within an organization’s network or systems. The fundamental architecture of MARS leverages the device’s memory as a key indicator for monitoring system-level events. To enhance its security and integrity, MARS is embedded within a Trusted Execution Environment—a secure, hardware-isolated region of a microcontroller protected from untrusted software. This design choice not only makes MARS tamper-proof but also ensures reliable monitoring of the device’s memory. Deviations from established memory baselines, indicative of a security compromise, are detected through an anomaly detection algorithm hosted on a remote server. Our evaluation of the MARS prototype on STM32L562QEI6QU showed our proposed architecture can achieve decent scalability while maintaining trust, accuracy, and robustness of memory changes.