{"title":"HoleMal: A lightweight IoT malware detection framework based on efficient host-level traffic processing","authors":"Ziqian Chen, Wei Xia, Zhen Li, Gang Xiong, Gaopeng Gou, Heng Zhang, Haikuo Li, Junchao Xiao","doi":"10.1016/j.cose.2025.104360","DOIUrl":null,"url":null,"abstract":"<div><div>With the popularization of Internet of Things (IoT) devices, IoT security issues are becoming increasingly prominent. A significant number of devices remain highly vulnerable to malware attacks due to inadequate security management. As a solution, machine learning-based network traffic behavior analysis has proven to be effective and is widely deployed across various scenarios. However, the efficiency of network feature extraction and online detection is significantly constrained by the insufficient computing resources available on the IoT devices. To address the challenge, we propose HoleMal, a novel host-level framework to detect malicious network behavior in resource-constrained environment. HoleMal provides a comprehensive suite of host-level traffic monitoring, processing, and detection solutions, aiming to achieve optimal network protection with minimal resource cost. During the detection process, HoleMal constructs host-level traffic features from the device’s perspective. It describes a device’s behavior in 3 dimensions, including connection behavior, network activity and accessed service, corresponding to a total of 36 host-level features. As these features are unrelated to payloads, they are not affected by traffic encryption. Furthermore, HoleMal provides a cost-sensitive feature selector which is able to quantify the feature computational cost and involve the cost into the feature selection process. It identifies the host-level feature subset with superior detection capability and minimal computational cost, thereby providing theoretical basis for detection model construction, further enhancing the efficiency advantages of HoleMal. We evaluate HoleMal by multiple datasets on Raspberry Pi. The experimental results demonstrate that HoleMal exhibits robust detection performance across all datasets, and it achieves significant efficiency improvements compared to fine-grained approaches.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"152 ","pages":"Article 104360"},"PeriodicalIF":4.8000,"publicationDate":"2025-02-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404825000495","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
Citations: 0
Abstract
With the popularization of Internet of Things (IoT) devices, IoT security issues are becoming increasingly prominent. A significant number of devices remain highly vulnerable to malware attacks due to inadequate security management. As a solution, machine learning-based network traffic behavior analysis has proven to be effective and is widely deployed across various scenarios. However, the efficiency of network feature extraction and online detection is significantly constrained by the insufficient computing resources available on IoT devices. To address this challenge, we propose HoleMal, a novel host-level framework to detect malicious network behavior in resource-constrained environments. HoleMal provides a comprehensive suite of host-level traffic monitoring, processing, and detection solutions, aiming to achieve optimal network protection at minimal resource cost. During the detection process, HoleMal constructs host-level traffic features from the device’s perspective. It describes a device’s behavior in 3 dimensions, namely connection behavior, network activity and accessed service, corresponding to a total of 36 host-level features. As these features are unrelated to payloads, they are not affected by traffic encryption. Furthermore, HoleMal provides a cost-sensitive feature selector that quantifies the computational cost of each feature and incorporates that cost into the feature selection process. It identifies the host-level feature subset with superior detection capability and minimal computational cost, thereby providing a theoretical basis for detection model construction and further enhancing the efficiency advantages of HoleMal. We evaluate HoleMal on multiple datasets on a Raspberry Pi. The experimental results demonstrate that HoleMal exhibits robust detection performance across all datasets, and that it achieves significant efficiency improvements compared to fine-grained approaches.
Journal description:
Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world.
Computers & Security provides you with a unique blend of leading-edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors: industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise, it is your first step to fully secure systems.