HoleMal: A lightweight IoT malware detection framework based on efficient host-level traffic processing

Abstract

With the popularization of Internet of Things (IoT) devices, IoT security issues are becoming increasingly prominent. A significant number of devices remain highly vulnerable to malware attacks due to inadequate security management. As a solution, machine learning-based network traffic behavior analysis has proven to be effective and is widely deployed across various scenarios. However, the efficiency of network feature extraction and online detection is significantly constrained by the insufficient computing resources available on the IoT devices. To address the challenge, we propose HoleMal, a novel host-level framework to detect malicious network behavior in resource-constrained environment. HoleMal provides a comprehensive suite of host-level traffic monitoring, processing, and detection solutions, aiming to achieve optimal network protection with minimal resource cost. During the detection process, HoleMal constructs host-level traffic features from the device’s perspective. It describes a device’s behavior in 3 dimensions, including connection behavior, network activity and accessed service, corresponding to a total of 36 host-level features. As these features are unrelated to payloads, they are not affected by traffic encryption. Furthermore, HoleMal provides a cost-sensitive feature selector which is able to quantify the feature computational cost and involve the cost into the feature selection process. It identifies the host-level feature subset with superior detection capability and minimal computational cost, thereby providing theoretical basis for detection model construction, further enhancing the efficiency advantages of HoleMal. We evaluate HolaMal by multiple datasets on Raspberry Pi. The experimental results demonstrate that HoleMal exhibits robust detection performance across all datasets, and it achieves significant efficiency improvements compared to fine-grained approaches.