Malware Detection for IoT Devices using Automatically Generated

White List and Isolation Forest

Masataka Nakahara, Norihiro Okui, Yasuaki Kobayashi and Yutaka Miyake

KDDI Research, Inc., 2–1–15, Ohara, Fujimino-shi, Saitama, Japan

Keywords:

IoT Security, Malware, Anomaly Detection, Machine Learning, White List.

Abstract:

The number of cyber-attacks using IoT devices is increasing with the growth of IoT devices. Since the number

of routes malware infection is increasing, it is necessary not only to prevent infection but also to take measures

the accuracy, we propose a hybrid system using machine learning and the white list automatically generated

using the rule of Manufacturer Usage Description (MUD). The white list eliminates benign packets from the

target of malware traffic detection, and it can decrease the false positive rate. We evaluate the performance of

proposed method and show the effectiveness.

1 INTRODUCTION

The number of IoT devices has been increasing

rapidly, and they are being used in various fields such

as industry, agriculture and the home (Hassija et al.,

2019; Mohanapriya et al., 2020; Fortino et al., 2020;

Zulkipli et al., 2017). Accordingly, the target of cy-

et al., 2019; Kolias et al., 2017; Antonakakis et al.,

2017). In addition, there are other examples of botnets

built by IoT devices with high power consumption to

attack the power grid, and smart grids are more prone

to cyberthreats. (Soltan et al., 2018; Kimani et al.,

2019; Jung et al., 2019; Ahmed et al., 2019).

As the number of devices increases, these

threats become more significant, and countermea-

sures against malware infection become more impor-

tant. Many of these existing security products are spe-

on daily basis, for example, some IoT devices may

tion is also necessary.

It is also difficult to take security measures for

IoT devices by typical methods such as installing anti-

virus software on each device because the processing

performance of the devices is lower and the number

of devices in use is larger than that of conventional

devices. Therefore, other security measures, such

as managing multiple devices in a centralized archi-

tecture, are being considered (Nguyen et al., 2019).

Centralized architecture generally requires high pro-

(C&C) server before carrying out a DDoS attack is

challenging to distinguish from the original commu-

nication of the device by light-weight processes such

as threshold determination of the number of packets.

Based on the above, we have proposed a system

for post-malware infection detection, in which the

38

Nakahara, M., Okui, N., Kobayashi, Y. and Miyake, Y.

Malware Detection for IoT Devices using Automatically Generated White List and Isolation Forest.

DOI: 10.5220/0010394900380047

warded to an analysis server to detect the infection

(Nakahara et al., 2020). Our system has an analysis

server outside the local network in order to analyze

the characteristics of the communication from various

perspectives. To lighten the data transfer to the anal-

ysis server, only the flow information of each device

obtained by the gateway is transferred and used for

analysis. Therefore, we used IP Flow Information Ex-

port (IPFIX), a protocol standardized by the Internet

Engineering Task Force (IETF), as the flow informa-

a white list and machine learning, in which normal

communications are excluded from anomaly detec-

tion, and other communications are examined using

an Isolation Forest. In the case of IoT devices, it is

possible to detect normal communication by using a

white list, since their operation is limited compared

to that of a PC. Furthermore, the number of data to

be subjected to machine learning is reduced, and it

leads to a reduction in processing load and time. In

this paper, we create the white list using the rules

by comparing the accuracy of anomaly detection with

and without the white list. The contributions of this

paper are as follows.

tection system based on standardized technology.

reduce the amount of data used for anomaly detec-

tion.

tion of anomaly detection performance is on Section

5, and the conclusion is on Section 6.

In this section, we describe the technology used as a

basis for this research.

The most common methods for preventing IoT mal-

ware infection are blocking access to malicious sites

and blocking entry to devices. There are many secu-

rity products in the market today to prevent infection.

On the other hand, there are many routes of malware

server before their attack behavior, so detection of

these communications is important from the view-

point of stopping the attack. However, the communi-

cation with the C&C server often does not increase as

much as the attack behavior, and it is hard to distin-

guish it from the original communication of the IoT

device. Therefore, numerous researches have been

conducted on anomaly detection by using various fea-

tures from packets to perform machine learning and

deep learning. For example, researches on the classi-

and the means of conveying the flow information to

the collection points.

In this paper, it is necessary to aggregate pack-

ets of IoT devices at the gateway. This requirement

is consistent with the purpose of the IPFIX proposal,

and the IPFIX flow information enables packet aggre-

gation in a standard and efficient manner.

An example of an IPFIX record is shown in Ta-

ble 1. The flow information in IPFIX format in-

cludes information such as flow start time, end time,

flow information is used for anomaly detection, which

reduces the processing load compared to performing

anomaly detection on a packet-by-packet basis, and

also reduces the volume of data transferred from the

gateway to the analysis server. Therefore, this study

uses IPFIX-based flow-informed records of packets

sent from IoT devices for anomaly detection. On the

other hand, the flow information is less available for

anomaly detection compared to the case where the

whole packets are used, so we need to devise ways to

Network (SDN) (Hamza et al., 2019). Hamza et al.

have published a tool for generating MUD files from

packets (Hamza et al., 2018). In this study, we used

this tool to generate MUD files from packets of IoT

devices to create a white list.

40

malware behavior including communication with the

C&C server even when only the flow information was

used instead of the whole packet.

On the other hand, there is a problem that there are

many false positives that judge the normal communi-

cation of the device as the behavior of the malware.

One of the reasons for this is that normal communica-

tion is not well modeled, especially for devices with

complex behaviors or those with extremely low nor-

mal communication, such as smart speakers and smart

ble to create MUDs according to the specifications. In

this study, we generated MUD rules using ”Mudgee,”

a tool for generating MUD files from packets, which

has been published by Hamza et al. In order to protect

devices from malware threats using MUDs alone, it is

necessary to update the rule files every time the num-

ber of infection routes and types of malware increase,

generated from packets and anomaly detection by ma-

chine learning, we can ensure security even when the

device vendor cannot operate the MUD successfully.

An example of the generated MUD rules is shown

in Table 2.

Mudgee reads the PCAP file and generates the

flow information. For each flow included in the flow

information, the MUD rules are generated by adding

each communication direction and protocol to the ac-

cess control list. Although the access control list

system has a dictionary period to define the normal

behavior of the device separately from the training pe-

riod. For example, the training period is two weeks

and the dictionary period is the first week of that pe-

riod. We keep a dictionary of IP addresses that the

device communicated to during the dictionary period,

and create features for machine learning depending on

whether the destination address of the communication

during the training period is included in the dictionary

or not. By using the dictionary period, the jitters of

device behavior can be learned. In this paper, we gen-

erated MUD rules by inputting packets of dictionary

periods for each device into the Mudgee.

The flow of anomaly detection using MUD and

machine learning is shown in Figure 2.

Figure 2: Flow of anomaly detection.

anomaly detection. The unsupervised learning system

is suitable for this system because there is no need to

use the communication data of a malware infection

and the learning can be performed under the same

conditions as the real environment.

4 EVALUATION OF IPFIX

In this section, we evaluate the performance of IPFIX

and show the effectiveness. As the data for anomaly

detection, PCAP is commonly used. Similar to IP-

FIX, the PCAP without TCP/UDP payload can be

malware infection are required. For normal communi-

cation, we captured packets from the actual operation

of the IoT device for one month. The list of devices

used is shown in Table 3.

Table 3: IoT device list.

Here, IoT gateways are devices that integrate and con-

vert the communication of multiple IoT devices.

In order to compare the performance of IPFIX

and PCAP as data for anomaly detection, we con-

verted these collected packets into the IPFIX format

record and PCAP information. These data include

fields used for anomaly detection such as Timestamp,

source and destination MAC address, IP address, port

number, protocol, and packet length. We compared

data size and number of records for the IPFIX and

size and the number of records. This is because IPFIX

aggregates multiple communications included in one

flow into one record. Thus, the effectiveness of IPFIX

is shown.

42

DETECTION

In this section, we evaluate the accuracy of anomaly

detection by the proposed method.

As the data for accuracy evaluation, normal commu-

ning, and DoS attacks, and converted them into IP-

FIX. For the preparation of the simulated packets, we

prepared a total of 15 patterns based on the captured

packets of DoS attacks, host scans, and C&C server

communication, in which malware samples were col-

lected using honeypots and operated in a secure en-

vironment, and modified parameters such as commu-

nication interval and number of destinations. The pa-

rameters for each malware behavior are shown in Ta-

ble 5.

First, we selected the device to be evaluated. Then,

we generated features from the normal communica-

tion of the device and the malware communication.

The features were generated as 20-dimensional vec-

tors by One hot encoding using the dictionary period

For example, whether or not the destination IP ad-

dress is one that appeared in the dictionary period,

and whether or not the number of packets is less

than the threshold. The threshold has five variations:

average, average+standard deviationσ, average+2σ,

average+3σ, and more than average+3σ of the num-

ber in the dictionary period.

Then, the normal communication is divided into

train data and test data. The data used in this study

includes one month communication data for each de-

based on the training data. The test data are first

checked against the white list generated by the MUD.

The records that match the white list are judged as

normal, and the records that do not match are input

to the classifier to determine whether they are normal

or anomalous. The above operations are repeated for

each device, and the detection results are acquired.

The detection results are obtained by combining the

results of the white list and Isolation Forest. In this

section, we denote the anomaly communication to be

and Isolation Forest for one device can be expressed

T PR =

T P

+ FN

(1)

FPR =

FP

+ T N

(2)

44

show that the false positive detection rate could be re-

duced by about 3.5% without reducing the positive

detection rate.

Figure 5 shows the results of calculating the FPR

for each device for the proposed and conventional

methods.

This figure shows that the FPR has been reduced in

almost all devices. In particular, we have been able to

significantly reduce the FPR in smart speakers, where

the device’s intrinsic behavior is complex, and in

In addition, in some environmental sensors, some fea-

tures, such as the presence or absence of communica-

communication, and many false positives were gener-

ated.

These results indicate that the combination of

white list and machine learning can improve the false

positive detection rate without reducing the positive

detection rate compared to machine learning.

5.3.4 Result of Customized White List

Finally, in order to increase the number of normal

Table 10: Results of customized white list method.

We can see that FP

average TPR and FPR of all devices are calculated as

T PR = 0.999, FPR = 0.032. This is because more

the granularity of the white list.

Table 11 shows the results of comparison be-

tween conventional method and two types of pro-

posed method.

This result shows that the white list contributes to

the decrease of the false positive rate and trade-off

between TPR and FPR can be controlled by changing

the granularity of the white list.

machine learning alone from anomaly detection, and

thus reduce false positives. We evaluated the accuracy

of anomaly detection using a dataset of normal and

malware communications, and confirmed that the pro-

posed method reduced the false detection rate. More-

over, the performance varied by changing the rule of

the white list. Future work includes investigating how

to create more effective white lists, applying them

to other machine learning algorithms, and evaluating

them using more practical datasets.

pervised machine learning-based detection of covert

data integrity assault in smart grid networks utilizing

isolation forest. IEEE Transactions on Information

Forensics and Security, 14(10):2765–2777.

Alam, M. S. and Vuong, S. T. (2013). Random forest

classification for detecting android malware. In 2013

IEEE International Conference on Green Computing

and Communications and IEEE Internet of Things and

IEEE Cyber, Physical and Social Computing, pages

663–669. IEEE.

Matt, C., and the CERT Network Situational Aware-

ness Group Engineering Team (2018). Yaf documen-

tation. https://tools.netsa.cert.org/yaf/yaf.html. Ac-

cessed: 2020-11-17.

Ding, Z. and Fei, M. (2013). An anomaly detection ap-

Hamza, A., Gharakheili, H. H., Benson, T. A., and Sivara-

Hamza, A., Ranathunga, D., Gharakheili, H. H., Roughan,

Hassija, V., Chamola, V., Saxena, V., Jain, D., Goyal, P., and

Jung, O., Smith, P., Magin, J., and Reuter, L. (2019).

Kolias, C., Kambourakis, G., Stavrou, A., and Voas, J.

Lear, E., Droms, R., and Romascanu, D. (2019). Manufac-

Liu, F. T., Ting, K. M., and Zhou, Z.-H. (2008). Isolation

Madeira, R. and Nunes, L. (2016). A machine learning ap-

46