Embedded devices connected to the Internet are threatened by malware, but no anti-virus product is available for them. To address this problem, we developed SIMBIoTA and SIMBIoTA-ML, lightweight anti-virus solutions designed for resource-constrained IoT devices, with surprisingly good malware detection performance. Both SIMBIoTA and SIMBIoTA-ML rely on binary similarity for malware detection and use the TLSH locality-sensitive hash function to compute similarity metrics.
SIMBIoTA directly measures similarity of a scanned binary to previously seen malware samples, while SIMBIoTA-ML uses the TLSH values of known malware and benign samples as feature vectors to train a machine learning-based detector. We showed via measurements on a large malware dataset of real IoT malware and benign files that SIMBIoTA-ML consistently achieves a higher true positive detection rate than SIMBIoTA does, while, at the same time, it also has a higher, but still acceptable, false positive detection rate. In terms of storage requirements, SIMBIoTA is extremely efficient, while SIMBIoTA-ML uses more storage, but it can still be hosted by mid-range and high-end embedded devices with megabytes of memory. Finally, we also showed that the run time delay SIMBIoTA introduces into the operation of an embedded IoT device is not constant, making it hard to design for. In contrast, SIMBIoTA-ML introduces a near-constant, although somewhat increased, delay into the operation of the embedded IoT device, which is advantageous when the device has to satisfy real-time constraints.
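To make the two approaches concrete, the following is an added example (not the authors' code and not the paper's implementation). It computes a TLSH-style distance between two hex digests following the publicly documented TLSH diff rules (header plus body comparison; this reconstruction is an assumption, and in practice the py-tlsh library's `tlsh.hash` and `tlsh.diff` should be used), then shows a SIMBIoTA-style lookup against a set of known malware digests and a SIMBIoTA-ML-style classifier that treats the digest bytes as a feature vector. The digests, the detection threshold of 40, and the 3-nearest-neighbour model with L1 distance are all constructed for illustration; the page does not state which model or threshold the authors used.

```python
"""SIMBIoTA-style and SIMBIoTA-ML-style detection over TLSH digests (added example)."""
from typing import Dict, List, Tuple

# Assumed from the public TLSH specification; verify against py-tlsh before relying on them.
LENGTH_MULT = 12    # multiplier for length-bucket differences in the header
QRATIO_MULT = 12    # multiplier for quartile-ratio differences in the header
THRESHOLD = 40      # assumed similarity threshold for SIMBIoTA-style detection


def _mod_diff(a: int, b: int, mod: int) -> int:
    """Circular distance between two values modulo `mod`."""
    d = abs(a - b) % mod
    return min(d, mod - d)


def _digest_bytes(digest: str) -> bytes:
    """Strip the optional 'T1' version prefix and decode the 70 hex chars (3 header + 32 body bytes)."""
    h = digest.upper()
    if h.startswith("T1"):
        h = h[2:]
    if len(h) != 70:
        raise ValueError("expected a 70-hex-char TLSH digest")
    return bytes.fromhex(h)


def tlsh_distance(d1: str, d2: str) -> int:
    """TLSH-style distance: header (checksum, length bucket, quartile ratios) plus 2-bit body buckets."""
    a, b = _digest_bytes(d1), _digest_bytes(d2)
    dist = 0
    if a[0] != b[0]:                       # checksum byte
        dist += 1
    ldiff = _mod_diff(a[1], b[1], 256)     # length bucket
    dist += ldiff if ldiff <= 1 else ldiff * LENGTH_MULT
    for shift in (4, 0):                   # q1 ratio (high nibble) and q2 ratio (low nibble)
        qdiff = _mod_diff((a[2] >> shift) & 0xF, (b[2] >> shift) & 0xF, 16)
        dist += qdiff if qdiff <= 1 else (qdiff - 1) * QRATIO_MULT
    for x, y in zip(a[3:], b[3:]):         # 32 body bytes, four 2-bit buckets each
        for shift in (0, 2, 4, 6):
            d = abs(((x >> shift) & 3) - ((y >> shift) & 3))
            dist += 6 if d == 3 else d     # a full-range bucket jump is penalised as 6
    return dist


def simbiota_scan(digest: str, known_malware: Dict[str, str],
                  threshold: int = THRESHOLD) -> Tuple[bool, str, int]:
    """SIMBIoTA-style check: flag the binary if its nearest known malware digest is within `threshold`."""
    best_name, best_dist = min(((name, tlsh_distance(digest, d)) for name, d in known_malware.items()),
                               key=lambda t: t[1])
    return best_dist <= threshold, best_name, best_dist


def digest_to_features(digest: str) -> List[int]:
    """SIMBIoTA-ML-style feature vector: the 35 digest bytes as integers (one plausible encoding, assumed)."""
    return list(_digest_bytes(digest))


def knn_predict(features: List[int], labeled: List[Tuple[List[int], str]], k: int = 3) -> str:
    """Majority vote among the k nearest labelled feature vectors under L1 distance (assumed model)."""
    ranked = sorted((sum(abs(p - q) for p, q in zip(features, fv)), label) for fv, label in labeled)
    votes: Dict[str, int] = {}
    for _, label in ranked[:k]:
        votes[label] = votes.get(label, 0) + 1
    return max(votes.items(), key=lambda kv: kv[1])[0]


# Constructed digests (not real malware hashes): header bytes followed by a repeated body pattern.
MALWARE_A = "T1" + "A1" + "50" + "37" + "5A" * 32
MALWARE_B = "T1" + "A3" + "52" + "37" + "5A" * 30 + "5B5B"
BENIGN_A = "T1" + "B2" + "60" + "48" + "C3" * 32
BENIGN_B = "T1" + "B4" + "62" + "48" + "C3" * 30 + "C2C2"
SCAN_NEAR = "T1" + "A1" + "50" + "37" + "5A" * 31 + "58"   # one body bucket shifted by 2
SCAN_FAR = "T1" + "A1" + "55" + "37" + "A5" * 32           # different length bucket, inverted body

KNOWN_MALWARE = {"sample_a": MALWARE_A, "sample_b": MALWARE_B}
TRAINING = [(digest_to_features(MALWARE_A), "malware"), (digest_to_features(MALWARE_B), "malware"),
            (digest_to_features(BENIGN_A), "benign"), (digest_to_features(BENIGN_B), "benign")]


def demo() -> Dict[str, object]:
    """Run both detectors over the two constructed scan targets."""
    return {
        "near_simbiota": simbiota_scan(SCAN_NEAR, KNOWN_MALWARE),
        "far_simbiota": simbiota_scan(SCAN_FAR, KNOWN_MALWARE),
        "near_ml": knn_predict(digest_to_features(SCAN_NEAR), TRAINING),
        "far_ml": knn_predict(digest_to_features(SCAN_FAR), TRAINING),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The SIMBIoTA-style path needs only the stored malware digests and a distance threshold, which is why its storage footprint is small and its scan time depends on how many digests it has to compare against; the ML path instead fixes the work per scan to one model evaluation over the feature vector, matching the near-constant delay described above.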
Levente Buttyán received the Ph.D. degree from the Swiss Federal Institute of Technology - Lausanne (EPFL) in 2002. In 2003, he joined the Department of Networked Systems and Services at BME, where he currently holds a position as a full Professor and leads the Laboratory of Cryptography and Systems Security (CrySyS Lab). He received habilitation at BME in 2013 and the title of Doctor of Science from the Hungarian Academy of Sciences in 2021. He has done research on the design and analysis of secure protocols and privacy-enhancing mechanisms for wireless networked embedded systems (including wireless sensor networks, mesh networks, vehicular communications, and RFID systems). A few years ago, he was involved in the analysis of some high-profile targeted malware, such as Duqu, Flame, MiniDuke, and TeamSpy. Currently, his research interest is in the security of cyber-physical systems (including industrial automation and control systems, modern vehicles, cooperative intelligent transport systems, and the Internet of Things in general). He is also the co-founder of multiple successful IT security start-ups, including Tresorit, Avatao, and Ukatemi Technologies.