Publication Details
HADES-IoT: A practical host-based anomaly detection system for IoT devices (Extended Version)
Homoliak Ivan, doc. Ing., Ph.D. (DITS)
Aung Yan Lin
ELOVICI, Y.
Tippenhauer Nils Ole, Dipl.-Ing., PhD. (CM-SDE)
Security and privacy, intrusion detection, system call interception, loadable
kernel module, host-based anomaly detection, tamper-proof protection
Internet of Things (IoT) devices have become ubiquitous and are spread across
many application domains, including industry, transportation, healthcare, and
households. However, the proliferation of IoT devices has raised concerns
about their security, especially given that many manufacturers focus
only on the core functionality of their products due to short time to market and
low-cost pressures, while neglecting security aspects. Moreover, there is no
established or standardized method for measuring and ensuring the
security of IoT devices. Consequently, vulnerabilities are left untreated,
allowing attackers to exploit IoT devices for various purposes, such as
compromising privacy, recruiting devices into a botnet, or misusing devices to
perform cryptocurrency mining. In this paper, we present a practical Host-based
Anomaly DEtection System for IoT (HADES-IoT) that represents the last line of
defense. HADES-IoT has proactive detection capabilities, provides tamper-proof
resistance, and can be deployed on a wide range of Linux-based IoT devices.
The main advantage of HADES-IoT is its low performance overhead, which makes it
suitable for the IoT domain, where state-of-the-art approaches cannot be applied
due to their high performance demands. We deployed HADES-IoT on seven IoT devices
to evaluate its effectiveness and performance overhead. Our experiments show that
HADES-IoT achieved 100% effectiveness in the detection of current IoT malware
such as VPNFilter and IoTReaper, while requiring on average only 5.5% of
available memory and causing only a low CPU load.
@article{BUT169617,
author="BREITENBACHER, D. and HOMOLIAK, I. and AUNG, Y. and ELOVICI, Y. and TIPPENHAUER, N.",
title="HADES-IoT: A practical host-based anomaly detection system for IoT devices (Extended Version)",
journal="IEEE Internet of Things Journal",
year="2022",
volume="9",
number="12",
pages="9640--9658",
doi="10.1109/JIOT.2021.3135789",
issn="2327-4662",
url="https://arxiv.org/abs/1905.01027"
}