Improving the robustness of similarity-based IoT malware detection methods against adv. samples

Dr. Buttyán Levente

IoT devices are embedded computers with networking capabilities, and as such, they can be remotely infected by malware. Such malware infected IoT devices can then be used to build large attack infrastructures (e.g., botnets) that endanger the Internet. Moreover, in cyber-physical systems, malware infected embedded devices may cause physical harm to equipment and perhaps to human users as well. Therefore, malware detection on embedded devices is an important problem, where the challenge is to respect the resource limitations of those devices. Recently, a lightweight IoT malware detection approach has been proposed in the literature that is based on comparing scanned files to known malware samples in terms of binary similarity. Specific methods, such as SIMBIoTA and SIMBIoTA-ML, that are based on this approach have a good malware detection performance, but it may be easy to mislead them by carefully crafted malware samples (so called adversarial examples). 

This project is concerned with the analysis of the robustness of SIMBIoTA and SIMBIoTA-ML with respect to adversarial examples, and with suggesting improvements that increase their robustness if they turn out to be vulnerable to such adversarial attacks. For the first part, the student is expected to propose meaningful strategies to create adversarial samples and to measure the accuracy of their detection by SIMBIoTA and SIMBIoTA-ML. For the second part, the student is expected to propose improvements to SIMBIoTA and/or SIMBIoTA-ML, or perhaps to replace them completely with a new method that can detect adversarial samples with higher accuracy while still having moderate resource consumption. The performance of the proposed improvement and/or new detection method should be analyzed in terms of detection accuracy, as well as resource consumption (e.g., memory, running time) using real malware samples and multiple adversarial strategies.