© 2023 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See https://www.ieee.org/publications/rights/index.html for more information.
This article has been accepted for publication in IEEE Transactions on Industrial Informatics. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TII.2023.3245681
memory, and physical space [8]. Therefore, one promising solution is to extend the malware detection system to the edge paradigm. Edge computing processes IoT perception data in real time near the data source side. It reduces the response delay and improves the data transmission efficiency. The development of edge computing has greatly improved the intelligent management level of IoT systems [9]. Therefore, applying edge computing to the security defense model in order to ensure the IoT applications' reliability becomes a crucial solution.

In this article, we propose an IoT malware detection system [named intelligent trusted and secure edge computing (ITEC) system] to detect malware in the edge network. Specifically, the ITEC system extends the malware detection system to the edge computing paradigm. In this system, all untrusted third-party IoT applications are subjected to the preidentification mechanism for fast classification. If the maximum likelihood value of an untrusted third-party IoT application falls into the critical probability interval, it is subjected to further analysis by the risk detection engine with a malicious threat-level algorithm. Then, we use a risk detection engine to analyze the suspicious third-party IoT applications that cannot be identified under the preidentification mechanism. Moreover, a specifically designed delay strategy is used to rate-limit the impact of suspicious third-party IoT applications. The main contributions of this article are summarized as follows:

1) An ITEC system is designed and developed to detect and identify IoT malware in the edge network. More precisely, the ITEC system is compatible with Android and Windows series of IoT malware detection schemes.
2) A novel method is proposed to identify the pseudo risk signature from IoT malware. Moreover, we propose a delay-strategy-based risk detection engine to assess the threat level.
3) The experimental results demonstrate that the ITEC system has a reliable detection and evaluation ability. It can timely and accurately detect the abnormal situation of untrusted third-party IoT applications.

The rest of this article is organized as follows. The related work is reviewed in Section II. Section IV presents the ITEC detection system model and definitions. Section V shows the mathematical theory and algorithm. Section VI details the analysis of the experimental results. Finally, Section VII concludes this article.

II. RELATED WORK

The IoT network faces network threats, such as denial of service, response injection, and command injection attacks. Many existing studies have adopted static analysis methods. For example, Li et al. [10] created a novel deep-learning-based intrusion detection model to detect various network threats against industrial cyber-physical systems (CPSs). However, this model does not consider the harm to industrial CPSs caused by the deployment of untrusted third-party IoT applications. Santos et al. [11] considered the frequency of specific Opcodes of benign and malicious Windows software as the input of the learning model. Their method reaches a detection accuracy of 95.90%. Another common approach in malware detection consists of using dynamic analysis (e.g., Sandbox) to detect the IoT malware in a virtual isolation environment. For instance, Pajouh et al. [12] proposed a two-layer dimensionality reduction and a two-layer classification module in order to detect suspicious IoT applications. However, most of these Sandbox-based detection systems require high-performance hardware resources, due to the fact that they apply an execution path and requested privilege to detect IoT malware. Some malware hides (does not run) its malicious behaviors in the virtual environment. Therefore, the dynamic-based detection methods [13] may not be suitable for execution on user devices. In this article, we combine static and dynamic analysis to implement IoT malware detection on an edge computing platform.

Currently, IoT networks face serious security threats. Existing studies have discussed the cloud-based malware detection system. Tian et al. [14] proposed a cloud-based dynamic malware detection solution. They first collected the information of runtime utilization and memory objects from the virtual machine and then used the multiple-convolutional-neural-network (multi-CNN) model for malware detection. Brown et al. [15] analyzed the system calls from the kernel in cloud infrastructure as a service. They extracted n-gram call sequence features, which were then fed into a tree-based machine learning model. Vahedi and Afhamisisi [16] proposed the concept of behavioral entropy to analyze malware files and then sent the behavioral features to the cloud for a similarity test against known malware families. However, these cloud-computing-based detection systems have a long network transmission delay. It is easy to lead to the risk of information leakage.

Moreover, there are some on-device malware detection studies, which require deploying the IoT malware detection system on the IoT devices. For example, taking into account the limited computing power and memory of mobile devices, Feng et al. [17] used a customized deep neural network to perform malware detection on mobile devices. Moreover, based on broad learning, Yuan et al. [18] proposed a lightweight on-device Android malware detector, which adopted a one-shot computation to achieve full or incremental training directly on mobile devices. However, in many cases, it is still difficult to deploy malware detection systems on IoT devices due to their limited computing resources. Table I lists some representative malware detection methods.

In addition to the above studies, some studies have combined blockchain with the IoT to enable secure authentication and collaborative sharing between different IoT platforms. The combination of blockchain and the IoT has certain prospects. Huang et al. [22] proposed a credit-based proof-of-work mechanism for IoT devices to protect the confidentiality of sensitive data. They did not consider the security of deploying untrusted third-party applications on IoT end devices. Cui et al. [23] proposed a decentralized asynchronous Federated learning (FL) framework based on blockchain authorization, which is used for anomaly detection in the IoT network. However, the framework has high communication and com-
TABLE I
COMPARISON BETWEEN MALWARE DETECTION METHODS
A. Preidentification Database

In the signatures collected using antimalware detection technology, some pseudo risk signatures will exist in the risk signature collections. However, in the preidentification mechanism stage, a pseudo risk signature may cause benign IoT applications to be misjudged as carrying the signature of IoT malware. The Pearson correlation coefficient is first used to calculate the feature similarity between the pseudo risk signature (which belongs to the benign signatures) and the risk signature. It is necessary to separate the pseudo risk signature from the risk signature. The calculation method is given by

$$S_{(i,j)\leftarrow k} = \frac{\mathit{InfU}_{(i,j)\leftarrow k}}{2 \times \mathit{Relate}_{i\leftarrow k} \times \mathit{Relate}_{j\leftarrow k}} + \frac{1}{2} \tag{1}$$

where $\mathit{InfU}_{(i,j)\leftarrow k}$ represents the influence of pseudo risk signature $k$ in risk signature set $U(i)$ and benign signature set $U(j)$, $\mathit{Relate}_{i\leftarrow k}$ represents the degree of association between the pseudo risk signature $k$ and the risk signature set $U(i)$, $\mathit{Relate}_{j\leftarrow k}$ represents the degree of association between the pseudo risk signature $k$ and the benign signature set $U(j)$, $U(i)$ represents the risk signature set of IoT malware $i$, $U(j)$ represents the signature set of benign IoT application $j$, and $k$ is a pseudo risk signature in the common subset between IoT malware $i$ and benign IoT application $j$. According to the definition, the value of $S_{(i,j)\leftarrow k}$, the similarity between IoT malware $i$ and benign IoT application $j$, is in the range [0, 1]. $S_{(i,j)\leftarrow k}$ denotes the similarity between the IoT malware $u_i$ and all candidate benign IoT applications $u_j \in C(u_i)$, and $S_i$ selects the critical value of neighbor applications for the IoT malware $u_i$. $C(u_i)$ represents other IoT malwares that share the same risk signature as IoT malware $i$. When $S_{(i,j)\leftarrow k}$, the similarity between the benign IoT application $u_j$ and the IoT malware $u_i$, is less than the critical value ($S_{(i,j)\leftarrow k} < S_i$), this indicates that $u_j$ is not an IoT malware, nor does it belong to the set $C(u_i)$ of IoT malwares. The calculation method is given by:

$$S_i = \frac{\sum_{u_k \in C(u_i)} S_{(i,j)\leftarrow k}}{|C(u_i)|} \tag{2}$$

$$U(j) = \{\, u_k \mid S_{(i,j)\leftarrow k} < S_i,\ u_k \notin C(u_i) \,\}. \tag{3}$$

After optimizing the preidentification database, the PV based on the critical probability interval is introduced in Section V-B to detect untrusted third-party IoT applications.

B. Critical Probability Interval

The PV between the signature observed by the untrusted third-party IoT applications in the system monitor driver and the signature in the preidentification database should be calculated. Let $X_1, X_2, \ldots, X_n$ be the independent and identically distributed signatures, and $x_1, x_2, \ldots, x_n$ be the observed signature values. When the observations $x_1, x_2, \ldots, x_n$ are determined, we have $\theta_1, \theta_2, \ldots, \theta_n$. We use $f(x_i, \theta)$ to represent the distribution column $P\{X = x_i\} = f(x_i, \theta)$ of signature $X$

$$L(\theta_1, \theta_2, \ldots, \theta_n) = \prod_{i=1}^{n} f(x_i, \theta_1, \theta_2, \ldots, \theta_n) \tag{4}$$

$$L(\hat{\theta}) = \operatorname{Max} L(\theta). \tag{5}$$

The PV of $L(\theta)$ is obtained by deriving Equation (5) or considering boundary points. Finally, the value of $\hat{\theta}$ (PV of parameter $\theta$) is obtained. The pre-identification mechanism introduces a configurable critical probability interval [Lower, Upper]. It is required to determine the location relationship between the signature and the critical probability interval of untrusted third-party IoT applications. The calculation method refers to

$$\Delta X = P\left( x_i - \frac{\Delta x_i}{2} < X < x_i + \frac{\Delta x_i}{2} \right) \tag{6}$$

$$\Delta X_i = \int_{x_i - \frac{\Delta x_i}{2}}^{x_i + \frac{\Delta x_i}{2}} f(x, \theta)\,dx \approx f(x_i, \theta) * \Delta x_i. \tag{7}$$

The calculation method of the critical probability interval is given by: $L(\theta) \prod_{i=1}^{n} \Delta x_i$, which provides convenience for the system administrator to operate the threshold of the critical probability interval. After obtaining the calculation method of the critical probability interval, it is required to continue the risk detection for suspicious third-party IoT applications in the UncertaintyStage. When PV falls into the minimum critical probability interval, the ITEC system believes that the untrusted third-party IoT applications may be IoT malware or benign IoT applications. Therefore, the ITEC system will start the risk detection engine according to the minimum critical probability interval.

In order to maintain the consistency of risk detection for suspicious third-party IoT applications, the critical probability interval is set to at least 10% (experimental results), as the Switch to start the risk detection engine. In Sections V-C and V-D, the theory and method of the risk detection engine are introduced.

C. Malicious Threats Calculation Method

Assume that in $N$ files of suspicious third-party IoT applications, after $n$ times of dynamic detection, $n-k$ files are detected to be malicious. The probability of $n(N) = n-k$ satisfies a binomial distribution. The probability of detecting a malicious threat is expressed as $q$, $q \in [0, 1]$. The probability distribution of suspicious third-party IoT application files with malicious threats is expressed as

$$P(n(N) = n-k \mid q) = \binom{N}{n-k} q^{n-k} (1-q)^{N-n-k}. \tag{8}$$

Let $V_i$ denote that the $i$-th file has a malicious threat. It is required to use the Bayesian reasoning method to estimate the probability that the $(i+1)$-th file also has a malicious threat, $P(V_{i+1} = 1 \mid n(N) = n-k)$. We define $V_{i+1} = 1$ to indicate that the file has a malicious threat, and $V_{i+1} = 0$ to indicate that the file is benign and secure. According to Bayes' theorem, the probability distribution of the $(i+1)$-th file is expressed as

$$P(V_{i+1} = 1 \mid n(N) = n-k) = \frac{\mathit{DisP}(V_{i+1} = 1,\ n-k)}{\mathit{DisP}(n-k)}. \tag{9}$$

where $P(V_{i+1} = 1 \mid n(N) = n-k)$ is the probability distribution of the malicious threat of the $(i+1)$-th file, and $P(n(N) = n-k)$ is the probability distribution of $n-k$ files with malicious threats for $n$ times of independent detection. According to the definition of boundary probability distribution, the distribution function equation is given by

$$\mathit{DisP}(V_{i+1} = 1,\ n-k) = \int_{0}^{1} P(n(N) = n-k \mid q)\, f(q)\, q \cdot dq. \tag{10}$$

where $P(n(N) = n-k \mid q) f(q)$ represents the probability density function of malicious threats of $n-k$ files in $n$ independent detections, and $P(n(N) = n-k \mid q) f(q) q$ represents the probability density function of $i+1$ files with malicious
threats in n times independent detections. By synthesizing Equations (9) and (10), the calculation method of malicious threat of suspicious third-party IoT applications is obtained as

$$P(V_{i+1} = 1 \mid n(N) = n-k) = \frac{n-k+1}{N+2}. \tag{11}$$

It can be deduced from Equation (11) that the total number of files $N$ of suspicious third-party IoT applications and the number of packages $n-k$ with malicious behavior in $n$ times of detection should be known. The threat impact value of IoT malware is calculated in the process of dynamic detection, and a malicious threat level algorithm is proposed to evaluate the threat level of IoT malware. The related introduction is shown in Section V-D.

D. Malicious Threat-Level Algorithm

The CVSS [25] vulnerability scoring rules are improved, and a malicious threat classification algorithm is proposed. The malicious threat score is divided into three categories: basic score, lifecycle score and environment score. Finally, the malicious threat score is obtained by a weighted average of the three categories. It is deduced that, when the malicious threat score is between 7 and 10, which is classified as High risk level IoT malware, it can completely invade and control the operating system, including the operation and management of the system, and obtain the Root authority. When the malicious threat score is between 4 and 6.9, it is classified as Medium risk level IoT malware. It refers to the common operation beyond the scope of authority, including but not limited to avoiding the modification of peripheral data, performing illegal operations, as well as the logic design defects and process defects of the application itself. The malicious threat score of Lower risk level IoT malware is between 0 and 3.9. It usually has the risk of interfering with the normal operation of IoT devices.

The pseudocode of the malicious threat-level method is presented in Algorithm 1. We first obtain the exploitability subscore (ESC) and the basic impact subfactor score ISC_Base (see Algorithm 1, lines 1-3). In Algorithm 1 (lines 7-15), we use Scope as the mark of the infection range of IoT malware to calculate the base score (BS) and the temporal score (TS). Specifically, Scope indicates whether the scope of influence of IoT malware will be extended to other components or the ability to obtain permissions. In Algorithm 1 (lines 17-22), we use the modified impact subfactor score ISC_Modified to evaluate the influence of IoT malware. Finally, based on ISC_Modified, we can obtain the environmental score (ES) to determine whether the impact of the threat spans different security areas (see Algorithm 1, lines 23-37). Note that Algorithm 1 has a time complexity of O(n).

Algorithm 1: Malicious Threat Classification Algorithm.
Input: AV, AC, PR, UI, W_C, W_I, W_A, E, RL, RC, ImpactConf_Modified, ImpactInteg_Modified and ImpactAvail_Modified.
Output: Threat Level (TL) = { Low, Medium, High } based on BS, TS and ES.
     1: for each i package in N do
     2:     ESC = 8.22 * AV * AC * PR * UI;
     3:     ISC_Base = 1 - [(1 - W_C) * (1 - W_I) * (1 - W_A)];
     4:     if ISC_Base <= 0 or ISC_Base > 1 then
     5:         BS = 0;
     6:     end if
     7:     if Scope_Modified == Unchanged then
     8:         ISC = 6.42 * ISC_Base;
     9:         BS = Roundup(Min((ESC + ISC), 10), 1);
    10:     else
    11:         ISC = 7.52 * [ISC_Base - 0.029] - 3.25 * [ISC_Base - 0.02]^15;
    12:         min = Min(1.08 * (ESC + ISC), 10);
    13:         BS = Roundup(min, 1);
    14:         TS = Roundup(BS * E * RL * RC);
    15:     end if
    16: end for
    17: ESC_Modified = 8.22 * AV_Modified * AC_Modified * PR_Modified * UI_Modified;
    18: Impact_CR = 1 - ImpactConf_Modified * CR;
    19: Impact_IR = 1 - ImpactInteg_Modified * IR;
    20: Impact_AR = 1 - ImpactAvail_Modified * AR;
    21: Min_2 = 1 - (Impact_CR) * (Impact_IR) * (Impact_AR);
    22: ISC_Modified = Min(Min_2, 0.915);
    23: if Scope_Modified == Unchanged then
    24:     ISCBase_Modified = 7.52 * (ISC_Modified - 0.029) - 3.25 * (ISC_Modified - 0.02)^15;
    25:     if ISCBase_Modified <= 0 then
    26:         ES = 0;
    27:     else
    28:         ES = Roundup(Roundup_1 * ESC * RL * RC);
    29:     end if
    30: else
    31:     ISCBase_Modified = 6.42 * ISC_Modified;
    32:     if ISCBase_Modified <= 0 then
    33:         ES = 0;
    34:     else
    35:         ES = Roundup(Roundup_2 * ESC * RL * RC);
    36:     end if
    37: end if
    38: return BS, TS and ES.

VI. PERFORMANCE ANALYSIS AND EVALUATION

A computer with an eight-core CPU and 16-GB RAM is used as the public edge computing hosting host, which provides basic hardware resources for software deployments, such as task computing, network communication, primary selection, identification and inventory storage. The edge server system is also deployed on the hosting host system platform with the corresponding function libraries and modules, such as the routing subsystem and the open subsystem. In our experiment, 1200 real-world Windows and Android applications are collected from the Virusshare [26] in order to build an IoT malware dataset. A benign dataset with 980 popular benign applications collected from the official Windows Store and IoT application stores, such as Pi Store [27], is then created. All the benign IoT applications are scanned by antivirus engines to ensure their normal attributes. In this article, some important experimental parameters of the ITEC system are as follows: The optimal critical probability interval is set as [40%, 60%], transmission power is 12 W, power dissipation is set to 0.1 nm, the transmission bandwidth is 50 MHz, and the specific parameters are described in Table II.

A. Preidentification Database

After optimizing the Pearson's correlation coefficient, a preidentification database is developed (see Table III). The risk signatures extracted by the preidentification mechanism
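The arithmetic of Sections V-C and V-D as an added Python example (not the authors' code): Eq. (11) is recovered by exact integration of Eqs. (9) and (10), and the base score, temporal score and risk band follow Algorithm 1, lines 1-15, and the score ranges stated in Section V-D. Assumptions of this example: a uniform prior f(q) = 1, the exponent of (1 - q) in Eq. (8) read as N - (n - k), an early return of 0 when the impact term is out of range, TS computed from BS for either Scope value, and CVSS v3.1 metric weights used as constructed sample inputs.

```python
"""Added example for Sections V-C and V-D; not the authors' code."""
from fractions import Fraction
from math import comb, factorial


# ---- Section V-C: Eqs. (9)-(11) ----
def beta_integral(a, b):
    """Exact integral of q**a * (1 - q)**b over [0, 1]."""
    return Fraction(factorial(a) * factorial(b), factorial(a + b + 1))


def next_file_malicious(total_files, malicious):
    """Eq. (9) for m = n - k malicious files out of N = total_files.

    Assumptions: uniform prior f(q) = 1, and (1 - q) is raised to the
    number of files not flagged, N - m.
    """
    benign = total_files - malicious
    coeff = comb(total_files, malicious)
    joint = coeff * beta_integral(malicious + 1, benign)  # Eq. (10)
    marginal = coeff * beta_integral(malicious, benign)   # DisP(n - k)
    return joint / marginal


# ---- Section V-D: Algorithm 1, lines 1-15 ----
def roundup(value):
    """Round up to one decimal; integer arithmetic avoids float drift."""
    scaled = round(value * 100000)
    if scaled % 10000 == 0:
        return scaled / 100000
    return (scaled // 10000 + 1) / 10


def base_score(av, ac, pr, ui, w_c, w_i, w_a, scope_changed):
    """Base score BS, Algorithm 1 lines 2-13."""
    esc = 8.22 * av * ac * pr * ui                      # line 2
    isc_base = 1 - (1 - w_c) * (1 - w_i) * (1 - w_a)    # line 3
    if isc_base <= 0 or isc_base > 1:                   # lines 4-5
        return 0.0  # assumption: BS = 0 ends the computation
    if not scope_changed:                               # lines 7-9
        return roundup(min(esc + 6.42 * isc_base, 10))
    isc = 7.52 * (isc_base - 0.029) - 3.25 * (isc_base - 0.02) ** 15
    return roundup(min(1.08 * (esc + isc), 10))         # lines 11-13


def temporal_score(bs, e, rl, rc):
    """Temporal score TS, Algorithm 1 line 14."""
    return roundup(bs * e * rl * rc)


def threat_level(score):
    """Bands from Section V-D: 0-3.9 Low, 4-6.9 Medium, 7-10 High."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


# Constructed samples. The weights are CVSS v3.1 metric values, assumed
# here to be the inputs Algorithm 1 expects; the page does not list them.
SAMPLES = {
    "remote-takeover": dict(av=0.85, ac=0.77, pr=0.85, ui=0.85,
                            w_c=0.56, w_i=0.56, w_a=0.56,
                            scope_changed=False),
    "remote-takeover-scope-changed": dict(av=0.85, ac=0.77, pr=0.85,
                                          ui=0.85, w_c=0.56, w_i=0.56,
                                          w_a=0.56, scope_changed=True),
    "partial-tamper": dict(av=0.85, ac=0.77, pr=0.62, ui=0.85,
                           w_c=0.22, w_i=0.22, w_a=0.0,
                           scope_changed=False),
    "local-leak": dict(av=0.55, ac=0.44, pr=0.85, ui=0.62,
                       w_c=0.22, w_i=0.0, w_a=0.0, scope_changed=False),
    "no-impact": dict(av=0.85, ac=0.77, pr=0.85, ui=0.85,
                      w_c=0.0, w_i=0.0, w_a=0.0, scope_changed=False),
}


def classify(samples):
    """Map each sample name to (BS, threat level)."""
    result = {}
    for name, metrics in samples.items():
        bs = base_score(**metrics)
        result[name] = (bs, threat_level(bs))
    return result


if __name__ == "__main__":
    print("P(next file malicious | 3 of 10):", next_file_malicious(10, 3))
    for name, (bs, level) in classify(SAMPLES).items():
        print(f"{name}: BS={bs} -> {level}")
```

With exact fractions the integral ratio equals (n - k + 1)/(N + 2) for every N and n - k, which shows that Eq. (11) is the estimate obtained when no prior knowledge about q is assumed.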
TABLE IV
DIFFERENT ALGORITHMS COMPARISON: NUMERICAL RESULTS

| Detection Methods | Samples size | [Lower, Upper] | Accuracy | F1 | Recall | Avg. time (per sample) |
|---|---|---|---|---|---|---|
| Santos et al. [11] | 17,000 | N/A | 95.91% | 81.75% | 77.70% | 149.31 ms |
| Hashemi et al. [28] | 11,100 | N/A | 96.87% | 86.05% | 81.55% | N/A |
| E.M et al. [29] | 22,000 | N/A | 98.17% | 99.3% | 98.73% | 1.36 s |
| Abbas et al. [30] | 70 | N/A | 87.91% | 87.37% | 86.93% | 2.65 s |
| Hamed et al. [31] | 552 | N/A | 97.43% | N/A | 99.27% | 36 ms |
| Hani Alshahrani et al. [32] | 3,100 | N/A | 92.31% | 94.12% | N/A | 17 s |
| Risk Detection Engine | 3,180 | [10%, 90%] | 94.58% | 94.50% | 94.55% | 50 ms |
| Risk Detection Engine | 3,180 | [30%, 70%] | 97.06% | 97.03% | 96.21% | 46 ms |
| Risk Detection Engine | 3,180 | [40%, 60%] | 98.06% | 98.04% | 97.27% | 42 ms |
| Risk Detection Engine | 3,180 | [40%, 50%] | 98.01% | 98.00% | 97.42% | 37 ms |
| Delay Strategy | 3,180 | [10%, 90%] | 95.98% | 95.96% | 95.46% | 85 ms |
| Delay Strategy | 3,180 | [30%, 70%] | 97.48% | 97.46% | 96.59% | 81 ms |
| Delay Strategy | 3,180 | [40%, 60%] | 98.52% | 98.50% | 97.73% | 64 ms |
| Delay Strategy | 3,180 | [40%, 50%] | 98.09% | 98.08% | 97.58% | 61 ms |
Fig. 5. Ablation Studies for various critical probability intervals ([10%, 90%], [20%, 80%], [30%, 70%], [40%, 60%], [40%, 50%]), with series Pre-detection, RD and RD+DM. (a) Precision. (b) Accuracy. (c) Recall. (d) F1.
$T_{\text{High risk}}$. For the Medium and High risk, the malicious behaviors can trigger more security risks, such as malicious code injection, network backdoor transmission, data establishment and communication. These detection methods are not able to detect the IoT malware at Medium and High risk, while the detection time is also not guaranteed. It can be seen from Fig. 7 that the detection time of the high-risk based method is longer than that of the low-risk based method. This shows that

ability interval is shortened, the classification efficiency can be further improved, which indicates that the risk detection engine has a real-time detection.

F. Engineering Applications

[Figure labels: Network Controller; ITEC Pre-identification Mechanism and Risk Detection Engine on each Edge Node (V2X); Broadcast Across Edge Nodes; Across Operator; Communication Link; RSU; RAN; Chat Online; In-vehicle Infotainment; Omnidirection Cameras; Navigation.]

Self-driving constitutes an important part of intelligent
The vehicle-road cooperation system collects all valid traffic information and makes reasonable assessments and decisions through edge computing processing and analysis to ensure the safety of vehicles during driving. Edge computing offers advantages in flexible connection, real-time business, data optimization, application security, and privacy protection as an open platform integrating network, processing, and storage with core application capabilities. We deploy the ITEC system on the edge server to perform security detection of untrusted instant chat online, omnidirection cameras, in-vehicle entertainment systems, and other third-party in-vehicle fundamental software for the safety of data and driving during self-driving.

VII. CONCLUSION

In this article, we designed and implemented a novel ITEC system based on a preidentification mechanism and a risk detection engine for IoT malware detection. The experimental results demonstrate that the ITEC system has a greater detection accuracy than other existing IoT malware detection methods. The ITEC system has timely responses and the detection time is reasonably acceptable. In addition, the features within the scope can provide safe and reliable protection services for the public and open IoT environment. In our future work, we aim at studying: 1) The static analysis of IoT malwares; in the case of not executing IoT malware, the instructions and structure of IoT malware should be analyzed to determine the functions of malware; and 2) The classification of IoT malware types. In the ITEC system, the neural network method can be used to perform malware family classification.

ACKNOWLEDGMENT

The authors would like to thank the Editor-in-Chief, the Associate Editor, and the reviewers for their insightful comments and suggestions. Moreover, we are grateful for resources from the High Performance Computing Center of Central South University.

REFERENCES

[1] Y. Lu, X. Huang, Y. Dai, S. Maharjan, and Y. Zhang, “Blockchain and federated learning for privacy-preserved data sharing in industrial iot,” IEEE Transactions on Industrial Informatics, vol. 16, pp. 4177–4186, 2020.
[2] P. Ruzafa-Alcazar, P. Fernandez-Saura, E. Marmol-Campos, A. González-Vidal, J. L. Hernández-Ramos, J. Bernal-Bernabe, and A. F. Skarmeta, “Intrusion detection based on privacy-preserving federated learning for the industrial iot,” IEEE Transactions on Industrial Informatics, vol. 19, pp. 1145–1154, 2023.
[3] A. Azmoodeh, A. Dehghantanha, and K. Choo, “Robust malware detection for internet of (battlefield) things devices using deep eigenspace learning,” IEEE Transactions on Sustainable Computing, pp. 1–1, 2018.
[4] K. Riad, R. Hamza, and H. Yan, “Sensitive and energetic iot access control for managing cloud electronic health records,” IEEE Access, vol. 7, pp. 86384–86393, 2019.
[5] H. Liu, J. Li, and D. Gu, “Understanding the security of app-in-the-middle iot,” Computers & Security, vol. 97, p. 102000, 2020.
[6] C. Song and A. Raghunathan, “Information leakage in embedding models,” in CCS ’20: 2020 ACM SIGSAC Conference on Computer and Communications Security, Virtual Event, USA, November 9-13, 2020, J. Ligatti, X. Ou, J. Katz, and G. Vigna, Eds. ACM, 2020, pp. 377–390. [Online]. Available: https://doi.org/10.1145/3372297.3417270
[7] Z. Feng, N. Guan, M. Lv, W. Liu, Q. Deng, X. Liu, and W. Yi, “An efficient uav hijacking detection method using onboard inertial measurement unit,” ACM Transactions on Embedded Computing Systems, vol. 17, no. 6, pp. 1–19, 2018.
[8] V. A. Thakor, M. A. Razzaque, and M. R. A. Khandaker, “Lightweight cryptography algorithms for resource-constrained iot devices: A review, comparison and research opportunities,” IEEE Access, vol. 9, pp. 28177–28193, 2021. [Online]. Available: https://doi.org/10.1109/ACCESS.2021.3052867
[9] J. Luo, X. Deng, H. Zhang, and H. Qi, “Qoe-driven computation offloading for edge computing,” J. Syst. Archit., vol. 97, pp. 34–39, 2019. [Online]. Available: https://doi.org/10.1016/j.sysarc.2019.01.019
[10] B. Li, Y. Wu, J. Song, R. Lu, T. Li, and L. Zhao, “Deepfed: Federated deep learning for intrusion detection in industrial cyber–physical systems,” IEEE Transactions on Industrial Informatics, vol. 17, pp. 5615–5624, 2020.
[11] I. Santos, F. Brezo, X. Ugarte-Pedrero, and P. G. Bringas, “Opcode sequences as representation of executables for data-mining-based unknown malware detection,” Information Sciences, vol. 231, pp. 64–82, 2013.
[12] H. H. Pajouh, R. Javidan, R. Khayami, A. Dehghantanha, and K.-K. R. Choo, “A two-layer dimension reduction and two-tier classification model for anomaly-based intrusion detection in iot backbone networks,” IEEE Transactions on Emerging Topics in Computing, vol. 7, no. 2, pp. 314–323, 2016.
[13] N. Usman, S. Usman, F. Khan, M. A. Jan, A. Sajid, M. Alazab, and P. Watters, “Intelligent dynamic malware detection using machine learning in ip reputation for forensics data analytics,” Future Generation Computer Systems, vol. 118, pp. 124–141, 2021.
[14] D. Tian, R. Zhao, R. Ma, X. Jia, Q. Shen, C. Hu, and W. Liu, “MDCD: A malware detection approach in cloud using deep learning,” Trans. Emerg. Telecommun. Technol., vol. 33, no. 11, 2022.
[15] P. Brown, A. Brown, M. Gupta, and M. Abdelsalam, “Online malware classification with system-wide system calls in cloud iaas,” in 23rd IEEE International Conference on Information Reuse and Integration for Data Science, IRI 2022, San Diego, CA, USA, August 9-11, 2022. IEEE, 2022, pp. 146–151.
[16] K. Vahedi and K. Afhamisisi, “Cloud based malware detection through behavioral entropy,” in 2021 IEEE International Conference on Big Data (Big Data), Orlando, FL, USA, December 15-18, 2021. IEEE, 2021, pp. 6046–6048.
[17] R. Feng, S. Chen, X. Xie, G. Meng, S. Lin, and Y. Liu, “A performance-sensitive malware detection system using deep learning on mobile devices,” IEEE Trans. Inf. Forensics Secur., vol. 16, pp. 1563–1578, 2021.
[18] W. Yuan, Y. Jiang, H. Li, and M. Cai, “A lightweight on-device detection method for android malware,” IEEE Trans. Syst. Man Cybern. Syst., vol. 51, no. 9, pp. 5600–5611, 2021.
[19] A. F. Diallo and P. Patras, “Adaptive clustering-based malicious traffic classification at the network edge,” in 40th IEEE Conference on Computer Communications, INFOCOM 2021, Vancouver, BC, Canada, May 10-13, 2021. IEEE, 2021, pp. 1–10.
[20] Y. Liu, C. Zhu, Y. Wu, H. Xu, and J. Song, “MMWD: an efficient mobile malicious webpage detection framework based on deep learning and edge cloud,” Concurr. Comput. Pract. Exp., vol. 33, no. 18, 2021.
[21] X. Tan, H. Li, L. Wang, and Z. Xu, “End-edge coordinated inference for real-time BYOD malware detection using deep learning,” in 2020 IEEE Wireless Communications and Networking Conference, WCNC 2020, Seoul, Korea (South), May 25-28, 2020. IEEE, 2020, pp. 1–6.
[22] J. Huang, L. Kong, G. Chen, M. Wu, X. Liu, and P. Zeng, “Towards secure industrial iot: Blockchain system with credit-based consensus mechanism,” IEEE Transactions on Industrial Informatics, vol. 15, pp. 3680–3689, 2019.
[23] L. Cui, Y. Qu, G. Xie, D. Zeng, R. Li, S. Shen, and S. Yu, “Security and privacy-enhanced federated learning for anomaly detection in iot infrastructures,” IEEE Transactions on Industrial Informatics, vol. 18, pp. 3492–3500, 2021.
[24] S. Guo, X. Hu, S. Guo, X. Qiu, and F. Qi, “Blockchain meets edge computing: A distributed and trusted authentication system,” IEEE Transactions on Industrial Informatics, vol. 16, pp. 1972–1983, 2020.
[25] R. Wirtz and M. Heisel, “Cvss-based estimation and prioritization for security risks,” in ENASE, 2019, pp. 297–306.
[26] VirusShare, “Virusshare.com-because sharing is caring (2019),” https://virusshare.com.
[27] Raspberry, “Raspberry-pi-store,” https://thepihut.com/collections/raspberry-pi-store.
[28] H. Hashemi, A. Azmoodeh, A. Hamzeh, and S. Hashemi, “Graph embedding as a new approach for unknown malware detection,” Journal of Computer Virology and Hacking Techniques, vol. 13, no. 3, pp. 153–166, 2017.
[29] E. M. Dovom, A. Azmoodeh, A. Dehghantanha, D. E. Newton, R. M. Parizi, and H. Karimipour, “Fuzzy pattern tree for edge malware detection and categorization in iot,” J. Syst. Archit., vol. 97, pp. 1–7, 2019.
[30] M. F. B. Abbas and T. Srikanthan, “Low-complexity signature-based malware detection for iot devices,” in International Conference on Applications and Techniques in Information Security. Springer, 2017, pp. 181–189.
[31] H. Haddadpajouh, A. Mohtadi, A. Dehghantanha, H. Karimipour, X. Lin, and K. R. Choo, “A multikernel and metaheuristic feature selection approach for iot malware threat hunting in the edge layer,” IEEE Internet of Things Journal, vol. 8, pp. 4540–4547, 2021.
[32] H. Alshahrani, “Droid-iot: Detect android iot malicious applications using ml and blockchain,” CMC-Computers, Materials & Continua, vol. 70, pp. 739–766, 2022.

Xiaoheng Deng (Senior Member, IEEE) received the Ph.D. degree in computer science from Central South University, Changsha, China, in 2005.
Since 2006, he has been an Associate Professor and then a Full Professor with the Department of Communication Engineering, Central South University, where he is currently a Joint Researcher with Shenzhen Research Institute. His research interests include edge computing, Internet of Things, online social network analysis, data mining, and pattern recognition.
Dr. Deng is a Senior Member of the China Computer Federation (CCF), a Member of the CCF Pervasive Computing Council, and a Member of the Association for Computing Machinery. From 2009 to 2010, he was a Chair of the CCF YOCSEF CHANGSHA.

Bin Chen was born in Shaoyang, Hunan, China in 1992. He received the B.S. degree in information security from Hunan Police Academy, Changsha, China, in 2016, and the M.S. degree in computer science from the School of Computer Science and Engineering, Central South University, Changsha, in 2021.
His major research interests include edge computing and Internet of Things security.

Xuechen Chen (Member, IEEE) received the B.S.E. degree in electrical engineering from the University of Science and Technology of China, Hefei, China, in 2007, and the Ph.D. degree in electrical engineering from the University of California at Riverside, Riverside, CA, USA, in 2012.
She is currently an Associate Professor in the Department of Computer Science, Central South University, Changsha, China. Before joining Central South University, she was an Assistant Professor with the School of Electronics and Information Technology, Sun Yat-sen University, Guangzhou, China. Before that, she was with Bell Labs. Her research interests include distributed computing, joint source-channel coding especially in delay-constrained applications, swarm intelligence in optimization, and localization by wireless sensor networks.

Xinjun Pei is working toward the Ph.D. degree in computer science with the School of Computer Science and Engineering, Central South University, Changsha, China.
Since 2017, he has been involved in the direction of information security. His research interests include deep learning, edge computing, and Internet of Things security.

Shaohua Wan (Senior Member, IEEE) received the Ph.D. degree in edge intelligence from the School of Computer, Wuhan University, Wuhan, China, in 2010.
He is currently a Full Professor with the Shenzhen Institute for Advanced Study, University of Electronic Science and Technology of China, Shenzhen, China. From 2016 to 2017, he was a Visiting Professor with the Department of Electrical and Computer Engineering, Technical University of Munich, Munich, Germany. He is an author of more than 150 peer-reviewed research papers and books, including more than 40 IEEE/ACM Transactions papers, such as IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, IEEE TRANSACTIONS ON INTELLIGENT TRANSPORTATION SYSTEMS, ACM Transactions on Internet Technology, IEEE TRANSACTIONS ON NETWORK SCIENCE AND ENGINEERING, IEEE TRANSACTIONS ON MULTIMEDIA, IEEE TRANSACTIONS ON COMPUTATIONAL SOCIAL SYSTEMS, ACM Transactions on Multimedia Computing, Communications, and Applications, IEEE TRANSACTIONS ON EMERGING TOPICS IN COMPUTATIONAL INTELLIGENCE, and Pattern Recognition, and many top conference papers in the field of edge intelligence. His main research interests include deep learning for Internet of Things.

Sotirios K. Goudos (Senior Member, IEEE) received the B.Sc. degree in physics, the M.Sc. of Postgraduate Studies in electronics, and the Ph.D. degree in physics from the Aristotle University of Thessaloniki, Thessaloniki, Greece, in 1991, 1994, and 2001, respectively, the M.Sc. degree in information systems from the University of Macedonia, Thessaloniki, Greece, in 2005, and the diploma degree in electrical and computer engineering from the Aristotle University of Thessaloniki in 2011.
Prof. Goudos is an Associate Editor for IEEE TRANSACTIONS ON ANTENNAS AND PROPAGATION, IEEE ACCESS, IEEE OPEN JOURNAL OF THE COMMUNICATION SOCIETY, International Journal of Antennas and Propagation, EURASIP Journal on Wireless Communications and Networking, and Electronics. He is the founding Editor-in-Chief for Telecom, an open-access journal (MDPI publishing). He is an IEEE Greece Section Secretary.