
This article has been accepted for publication in IEEE Transactions on Industrial Informatics.

This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TII.2023.3245681

JOURNAL OF LATEX CLASS FILES, VOL. XX, NO. X, XX 20XX

A Trusted Edge Computing System Based on Intelligent Risk Detection for Smart IoT

Xiaoheng Deng, Senior Member, IEEE, Bin Chen, Xuechen Chen, Xinjun Pei, Shaohua Wan, Senior Member, IEEE, and Sotirios K. Goudos, Senior Member, IEEE

Abstract—The Internet of Things (IoT) mainly consists of a large number of Internet-connected devices. The proliferation of untrusted third-party IoT applications has led to an increase in IoT-based malware attacks. In addition, it is infeasible for the IoT devices to support the sophisticated detection systems due to the restricted resources. Edge computing is considered to be promising. It provides solutions to the data security and privacy leakage brought by untrusted third-party IoT applications. In this article, an intelligent trusted and secure edge computing (ITEC) system is proposed for IoT malware detection. In this system, a signature-based preidentification mechanism is built for matching and identifying the malicious behaviors of untrusted third-party IoT applications. A delay strategy is then embedded into the risk detection engine in order to “buy time” for threat analysis, and rate-limit the impact of suspicious third-party IoT applications in the system. We conduct extensive experiments to verify the effectiveness of the ITEC system and show that we can achieve accuracies of up to 98.52%.

Index Terms—Edge computing, Internet of Things (IoT), preidentification database, preidentification mechanism, risk detection engine.

Manuscript received 4 October 2022; revised 15 January 2023; accepted 7 February 2023. This work was supported in part by the National Natural Science Foundation of China under Grant 62172441, Grant 62172449, and Grant 61772553, in part by the Local Science and Technology Developing Foundation Guided by Central Government under Free Exploration Grant 2021Szvup166, and in part by the Opening Project of State Key Laboratory of Nickel and Cobalt Resources Comprehensive Utilization under Grant GZSYS-KY-2022-018 and Grant GZSYS-KY-2022-024. Paper no. TII-22-4133. (Corresponding author: Xuechen Chen and Xinjun Pei.)

Xiaoheng Deng, Bin Chen, Xuechen Chen, and Xinjun Pei are with the School of Computer Science and Engineering and the Shenzhen Research Institute, Central South University, Changsha, 410083, China (E-mail: dxh@csu.edu.cn, 576337841@qq.com, chenxuec@csu.edu.cn, pei xinjun@163.com).

Shaohua Wan is with the School of Information and Safety Engineering, Zhongnan University of Economics and Law, Wuhan 430073, China (e-mail: shaohua.wan@ieee.org).

Sotirios K. Goudos is with the ELEDIA@AUTH, School of Physics Aristotle University of Thessaloniki, 541 24 Thessaloniki, Greece (E-mail: sgoudo@physics.auth.gr).

Color versions of one or more figures in this article are available at https://doi.org/10.1109/TII.2023.3245681.

Digital Object Identifier 10.1109/TII.2023.3245681

I. INTRODUCTION

IN FUTURE smart cities, the Internet of Things (IoT) [1], [2] deployment includes a wide pervasive network of Internet-connected vehicles, traffic information collection, and sensors/(smart) video monitoring that automatically sense, store, transfer, and process collected data (see Fig. 1). The third-party IoT applications are deployed on IoT devices, providing them with new intelligence. However, adversaries consider the IoT devices as valuable targets. A common attack vector is the use of IoT malware, which is deployed to IoT devices disguised as IoT applications. The cybercriminals are more likely to be funded, better resourced, and professionally trained by illegal organizations or hostile forces [3]. They design IoT malware to destroy the availability and integrity of the IoT systems, which may lead to cancelling the smart urban infrastructure. The IoT applications are divided into two types: 1) essential system software independently developed by operators, and 2) untrusted third-party IoT applications developed by external developers. However, it is difficult to ensure that the untrusted third-party IoT applications deployed on IoT devices are trustworthy.

Fig. 1. Scenario of deploying untrusted third-party IoT applications on Smart IoT devices.

The IoT applications are the key to the security of edge networks. It is necessary to quickly analyze the untrusted third-party IoT applications, since the adversaries can plan to attack any area in the edge network such as physical damage, unauthorized access [4], irrevocable authorization [5], privacy information leakage [6] and device hijack [7]. Traditional cloud-based centralized malware detection systems can detect malware threats by continuously monitoring IoT networks. Some studies have discussed the possible threat of IoT malware to the IoT cloud-edge gateway and further clarified its importance. However, in many cases, these cloud-based malware detection systems do not have enough time to prevent malware threats from occurring on user devices due to network transmission delays. In this context, such a solution is hardly satisfactory against sophisticated and well-designed IoT malware.

Many existing solutions require deploying the IoT malware detection system on the IoT devices. In this case, anti-malware providers strongly prefer lightweight methods to perform real-time scanning on IoT devices. However, these solutions are limited in terms of resources, processing power,

Authorized licensed use limited to: Aristotle University of Thessaloniki. Downloaded on May 20,2023 at 17:08:05 UTC from IEEE Xplore. Restrictions apply.
© 2023 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See https://www.ieee.org/publications/rights/index.html for more information.

memory, and physical space [8]. Therefore, one promising solution is to extend the malware detection system to the edge paradigm. Edge computing processes IoT perception data in real time near the data source side. It reduces the response delay and improves the data transmission efficiency. The development of edge computing has greatly improved the intelligent management level of IoT systems [9]. Therefore, applying edge computing to the security defense model in order to ensure the IoT applications’ reliability becomes a crucial solution.

In this article, we propose an IoT malware detection system [named intelligent trusted and secure edge computing (ITEC) system] to detect malware in the edge network. Specifically, the ITEC system extends the malware detection system to the edge computing paradigm. In this system, all untrusted third-party IoT applications are subjected to the preidentification mechanism for fast classification. If the maximum likelihood value of untrusted third-party IoT applications falls into the critical probability interval, it is subjected to further analysis by the risk detection engine with a malicious threat-level algorithm. Then, we use a risk detection engine to analyze the suspicious third-party IoT applications that cannot be identified under the preidentification mechanism. Moreover, a specially designed delay strategy is used to rate-limit the impact of suspicious third-party IoT applications. The main contributions of this article are summarized as follows:

1) An ITEC system is designed and developed to detect and identify IoT malware in the edge network. More precisely, the ITEC system is compatible with Android and Windows series of IoT malware detection schemes.
2) A novel method is proposed to identify the pseudo risk signature from IoT malware. Moreover, we propose a delay-strategy-based risk detection engine to assess the threat level.
3) The experimental results demonstrate that the ITEC system has a reliable detection and evaluation ability. It can timely and accurately detect the abnormal situation of untrusted third-party IoT applications.

The rest of this article is organized as follows. The related work is reviewed in Section II. Section IV presents the ITEC detection system model and definitions. Section V shows the mathematical theory and algorithm. Section VI details the analysis of the experimental results. Finally, Section VII concludes this article.

II. RELATED WORK

The IoT network faces network threats, such as denial of service, response injection, and command injection attacks. Many existing studies have adopted static analysis methods. For example, Li et al. [10] created a novel deep-learning-based intrusion detection model to detect various network threats against industrial cyber-physical systems (CPSs). However, this model does not consider the harm to industrial CPSs caused by the deployment of untrusted third-party IoT applications. Santos et al. [11] considered the frequency of specific Opcodes of benign and malicious Windows software as the input of the learning model. Their method reaches a detection accuracy of 95.90%. Another common approach in malware detection consists in using dynamic analysis (e.g., Sandbox) to detect the IoT malware in a virtual isolation environment. For instance, Pajouh et al. [12] proposed a two-layer dimensionality reduction and a two-layer classification module in order to detect suspicious IoT applications. However, most of these Sandbox-based detection systems require high-performance hardware resources, due to the fact that they apply an execution path and requested privilege to detect IoT malware. Some malware hide (not run) their malicious behaviors in the virtual environment. Therefore, the dynamic-based detection methods [13] may not be suitable for execution on user devices. In this article, we combine static and dynamic analysis to implement IoT malware detection on an edge computing platform.

Currently, IoT networks face serious security threats. Existing studies have discussed the cloud-based malware detection system. Tian et al. [14] proposed a cloud-based dynamic malware detection solution. They first collected the information of runtime utilization and memory objects from the virtual machine and then used the multiple-convolutional-neural-network (multi-CNN) model for malware detection. Brown et al. [15] analyzed the system calls from the kernel in cloud infrastructure as a service. They extracted n-gram call sequence features, which were then fed into a tree-based machine learning model. Vahedi and Afhamisisi [16] proposed the concept of behavioral entropy to analyze malware files and then sent the behavioral features to the cloud for similarity test against known malware families. However, these cloud-computing-based detection systems have a long network transmission delay. It is easy to lead to the risk of information leakage.

Moreover, there are some on-device malware detection studies, which require deploying the IoT malware detection system on the IoT devices. For example, taking into account the limited computing power and memory of mobile devices, Feng et al. [17] used a customized deep neural network to perform malware detection on mobile devices. Moreover, based on broad learning, Yuan et al. [18] proposed a lightweight on-device Android malware detector, which adopted a one-shot computation to achieve full or incremental training directly on mobile devices. However, in many cases, it is still difficult to deploy malware detection systems on IoT devices due to their limited computing resources. Table I lists some representative malware detection methods.

TABLE I
COMPARISON BETWEEN MALWARE DETECTION METHODS.

| Literature         | Category | Detection | Feature                       | Method              | Performance | Applications        |
|--------------------|----------|-----------|-------------------------------|---------------------|-------------|---------------------|
| Tian et al. [14]   | DA       | CMD       | RU+MO                         | Multi-CNN           | Moderate    | Malware detection   |
| Brown et al. [15]  | DA       | CMD       | N-gram call sequence          | Tree model          | Low         | Malware detection   |
| Vahedi et al. [16] | DA       | CMD       | Behavioral entropy            | Similarity test     | Moderate    | Malware detection   |
| Feng et al. [17]   | SA       | ODMD      | Static features               | Deep learning       | Moderate    | Malware detection   |
| Yuan et al. [18]   | SA       | ODMD      | Static features               | Broad learning      | Moderate    | Malware detection   |
| Diallo et al. [19] | SA       | EMD       | Traffic features              | Adaptive clustering | High        | Intrusion detection |
| Liu et al. [20]    | SA       | EMD       | Webpage features              | MLO                 | Moderate    | Webpage detection   |
| Tan et al. [21]    | SA       | EMD       | ECI                           | EMP                 | Low         | Malware detection   |
| Our work           | SA+DA    | EMD       | Critical probability interval | ITEC                | High        | Malware detection   |

Abbreviation & Terms: SA - Static analysis, DA - Dynamic analysis, CMD - Cloud-based malware detection, ODMD - On-device malware detection, EMD - Edge-based malware detection, RU - Runtime utilization, MO - Memory objects, MLO - Multidevice load optimization, ECI - End-edge coordinated inference, EMP - Early-exit and model partitioning.

In addition to the above studies, some studies have combined blockchain with the IoT to enable secure authentication and collaborative sharing between different IoT platforms. The combination of blockchain and the IoT has certain prospects. Huang et al. [22] proposed a credit-based proof-of-work mechanism for IoT devices to protect the confidentiality of sensitive data. They did not consider the security of deploying untrusted third-party applications on IoT end devices. Cui et al. [23] proposed a decentralized asynchronous Federated learning (FL) framework based on blockchain authorization, which is used for anomaly detection in the IoT network. However, the framework has high communication and computing overhead. Guo et al. [24] proposed a distributed trusted authentication system based on blockchain and edge computing, but the asymmetric encryption mechanism can only prevent the connection between nodes and terminals from being attacked. However, blockchains are power-intensive and low-throughput, which are not suitable for power-constrained IoT devices. This also limits the use of blockchain in the IoT network.

Inspired by edge computing, some studies have considered moving heavy computing tasks to the edge to deal with security issues and alleviate the shortage of computing resources. Diallo and Patras [19] proposed a network intrusion detection framework based on adaptive clustering, which constructs a lightweight neural model composed of multiple kernel networks to solve the problem of sensitivity to subtle changes in traffic features. To solve the limitation of network transmission delay and computing resources in mobile social networks, Liu et al. [20] proposed a lightweight edge-based mobile malicious webpage detection framework, which can be deployed on edge nodes and servers. However, little effort has been made to extend malware detection systems to the edge paradigm. The most relevant work to us is BYOD [21]. This work establishes an end-edge coordinated inference-based malware detection framework, which integrates the early-exit and model partitioning methods to support rapid localized inference for smartphones.

This article proposes an edge-based malware detection system (ITEC), which extends the malware detection system to the edge computing paradigm. In the ITEC system, the preidentification mechanism based on risk signatures improves the timeliness of IoT malware detection. In addition, the risk detection engine can dynamically execute the suspicious third-party IoT applications, exposing the threat level of IoT malware and avoiding the risks of adversarial attacks.

Fig. 2. Framework of the ITEC detection system.

III. THREAT MODEL

In the IoT network, IoT devices are managed and controlled by an operating system, such as Android system. Typically, the Android system provides users with coarse-grained permissions. As a result, adversaries can leverage third-party IoT applications deployed on IoT devices to access critical external physical system controllers, such as industrial management systems. In addition, these third-party IoT applications can create rules to guide sensors to interact with edge servers. For example, it can collect and analyze data generated by sensors in real time. In this case, IoT infrastructures face more targeted attacks. We list some of the malware threats facing IoT networks.

1) Adversaries use malware to rapidly generate and evolve attacks, such as distributed denial attacks and ransomware targeting IoT devices.
2) A malware attack may request more permissions than required and execute an implicit code path to trigger an implicit trigger-action chain.
3) In IoT networks, malware can act as a “proxy” between edge servers and end devices, rendering the cloud blind. In this case, an adversary can mask the messages or get the end devices out of sync with the edge servers.
4) A malware attack can tamper with the cloud’s authentication information for IoT devices to steal sensitive user information, illegally access devices or implement data injection attacks, among other things.

A. Security Analysis

It is crucial to provide a proactive and rapid IoT malware detection method in order to protect the whole edge network and prohibit IoT malware running over the IoT devices. This paper extends the malware detection system to the edge computing service platform. The edge computing service platform is responsible for a part of cloud function computing services, which provides an open application programming interface (API) for resource access authorization, data collection, and analysis. In addition, it can provide a framework


for deep learning and streaming computing service, and save the cost of malware detection system development, operation and maintenance and network bandwidth. Compared with cloud, the edge provides low latency, flexible, and convenient security services for IoT services. Finally, this platform uses a preidentification mechanism and risk detection engine in order to detect the IoT malware. Specifically, the IoT malware is divided into Lower, Medium, and High risk levels.

IV. SYSTEM MODEL AND DEFINITIONS

In this section, we present the ITEC system to protect the whole edge network and prohibit untrusted third-party IoT applications running over the network. The overall flow of the proposed algorithm is presented in Fig. 2. In Section IV-A, the three-layer structure is introduced. The detection process is then described in Section IV-B.

A. System Model

As shown in Fig. 2, the proposed system mainly consists of the edge computing hardware environment, edge computing service platform and ITEC system.

1) Edge Computing Hardware Environment: The first layer provides basic hardware resources for edge computing service platforms, such as task calculation and scheduling, network data transmission, data storage, and other functions.

2) Edge Computing Service Platform: The edge computing service platform extends the computing capacity to the edge nodes near the end devices. Based on the first layer, a local edge computing service is created to connect the IoT devices, forward, store, and analyze the data of the IoT devices. The corresponding function library, routing subsystem, and open subsystem are configured.

3) ITEC Detection System: The ITEC system uses a preidentification mechanism and risk detection engine in order to detect the risks of untrusted third-party IoT applications. The preidentification mechanism is based on the risk signature of IoT malware and signature of benign IoT applications. Finally, this signature is stored in the preidentification database. A risk detection engine is used to continue the risk detection for suspicious third-party IoT applications, which are in the critical probability interval in the preidentification mechanism. In addition, the IoT malware is divided into Lower, Medium, and High risk levels.

B. Intelligent Trusted and Secure Edge Computing

1) Preidentification Mechanism: The untrusted third-party IoT applications submit samples through the submit() method of the ITEC system. In the preidentification mechanism, a risk detection task scheduler is created and the start() method is called to start the system monitor driver. It is implemented through the monitor hook() function, continuously crosses the preIdentification database, and matches with the extract signature of the untrusted third-party IoT applications in order to determine whether the application is safe or not. The process of risk detection for untrusted third-party IoT applications is shown in Fig. 3.

Fig. 3. Detection process of the ITEC detection system.

According to the range of the critical probability interval [Lower, Upper], it is judged whether there is malicious behavior. When the maximum likelihood predicted value (PV) is less than the Lower value, the untrusted third-party IoT applications are trusted. If the PV is higher than the Upper value, the untrusted third-party IoT applications are IoT malware. Moreover, if PV ∈ [Lower, Upper], the untrusted third-party IoT applications are defined as suspicious third-party IoT applications, which should be detected in the risk detection engine.

2) Risk Detection Engine: The edge computing server is responsible for the start of suspicious third-party IoT applications tasks and the generation of risk detection reports. It also manages multiple risk detection engines. As the client of IoT malware risk detection, the risk detection engine provides a virtual environment for suspicious third-party IoT applications to run. The malicious threat value of IoT malware is calculated, and finally, the detection and analysis data are reported to the edge computing server.

Risk detection tasks for suspicious third-party IoT applications are implemented using the detection manager class. This class is inherited from thread and calls start delaystrategy() function, which starts the delay strategy in the risk detection engine. The delay strategy can prolong the sleep time, and slow down the speed of suspicious third-party IoT applications invading sensitive files and infecting other applications. The sleep time is added to system calls in order to reduce the possibility of suspicious third-party IoT applications accessing nonshared memory, which uses the system calls, such as NtCreateProcess and NtCreateThread in order to slow down the creation of processes. The system calls the network handle NtListenPort (service listener thread) to reduce the network connection speed.

V. MATHEMATICAL THEORY AND ALGORITHM

In Section V-A and V-B, the mathematical method of preidentification mechanism is introduced to optimize the preidentification database and the calculation method in order to determine the critical probability interval. In Section V-C and V-D, the calculation method of risk detection engine is introduced to determine the malicious threat level of suspicious third-party IoT applications and the malicious threat-level algorithm in order to determine the threat level of suspicious third-party IoT applications.
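The flow of Section IV-B, from the three-way PV decision to the throttled execution of a suspicious application, can be traced with a small simulation. This Python is an added example, not the ITEC implementation: the interval bounds, per-call delays, virtual clock and call trace are constructed, and the names DetectionManager and start_delaystrategy are an assumed rendering of the class and function the paper mentions.

```python
import threading

# Assumed bounds of the critical probability interval [Lower, Upper]; the paper
# says only that the interval is configurable and at least 10% wide.
LOWER, UPPER = 0.45, 0.55

# Assumed delay in seconds injected before each throttled system call. The call
# names are the ones the paper lists; the values are constructed.
DELAYS = {"NtCreateProcess": 0.5, "NtCreateThread": 0.2, "NtListenPort": 1.0}

# Constructed call trace of a suspicious application (20 calls).
TRACE = ["NtCreateProcess", "NtCreateThread", "NtCreateThread",
         "NtListenPort", "NtReadFile"] * 4


def preidentify(pv, lower=LOWER, upper=UPPER):
    """Three-way preidentification decision on the predicted value PV."""
    if not 0.0 <= pv <= 1.0:
        raise ValueError("PV must lie in [0, 1]")
    if pv < lower:
        return "trusted"
    if pv > upper:
        return "malware"
    return "suspicious"  # PV in [Lower, Upper]: goes to the risk detection engine


class VirtualClock:
    """Deterministic stand-in for wall-clock sleeping inside the sandbox."""

    def __init__(self):
        self.now = 0.0

    def sleep(self, seconds):
        self.now += seconds


class DetectionManager(threading.Thread):
    """Runs one suspicious application's call trace under the delay strategy."""

    def __init__(self, trace, clock, cost_per_call=0.01):
        super().__init__(daemon=True)
        self.trace = list(trace)
        self.clock = clock
        self.cost_per_call = cost_per_call  # assumed native cost of one call
        self.delay_enabled = False
        self.timeline = []                  # (completion time, call name)

    def start_delaystrategy(self):
        self.delay_enabled = True

    def hooked_call(self, name):
        if self.delay_enabled:
            # Sleep is added in front of the throttled calls only.
            self.clock.sleep(DELAYS.get(name, 0.0))
        self.clock.sleep(self.cost_per_call)
        self.timeline.append((round(self.clock.now, 6), name))

    def run(self):
        for name in self.trace:
            self.hooked_call(name)

    def completed_within(self, window):
        """Number of calls the application finished in the first `window` s."""
        return sum(1 for t, _ in self.timeline if t <= window)


def analyse(pv, trace, delay=True):
    """Return (verdict, manager); the manager exists only for suspicious apps."""
    verdict = preidentify(pv)
    if verdict != "suspicious":
        return verdict, None
    manager = DetectionManager(trace, VirtualClock())
    if delay:
        manager.start_delaystrategy()
    manager.start()
    manager.join()
    return verdict, manager


if __name__ == "__main__":
    for delay in (False, True):
        verdict, mgr = analyse(0.50, TRACE, delay=delay)
        print(verdict, "delay on" if delay else "delay off",
              "| calls done in first 2 s:", mgr.completed_within(2.0),
              "| total run time:", round(mgr.clock.now, 2))
```

With these constructed numbers the analysis window sees a quarter of the trace instead of all of it, which is the "buy time" effect the delay strategy is meant to produce.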


A. Preidentification Database

In the signatures collected using antimalware detection technology, some pseudo risk signatures will exist in risk signature collections. However, in the preidentification mechanism stage, the pseudo risk signature may misjudge the benign IoT applications as the signature of IoT malware. The Pearson correlation coefficient is first used to calculate the feature similarity between the pseudo risk signature (it belongs to benign signature) and risk signature. It is necessary to separate the pseudo risk signature from the risk signature. The calculation method is given by

$$S_{(i,j)\leftarrow k} = \frac{\mathit{Inf}_{U(i,j)\leftarrow k}}{2 \times \mathit{Relate}_{i\leftarrow k} \times \mathit{Relate}_{j\leftarrow k}} + \frac{1}{2} \tag{1}$$

where $\mathit{Inf}_{U(i,j)\leftarrow k}$ represents the influence of pseudo risk signature $k$ in risk signature set $U(i)$ and benign signature set $U(j)$, $\mathit{Relate}_{i\leftarrow k}$ represents the degree of association between the pseudo risk signature $k$ and the risk signature set $U(i)$, $\mathit{Relate}_{j\leftarrow k}$ represents the degree of association between the pseudo risk signature $k$ and the benign signature set $U(j)$, $U(i)$ represents the risk signature set of IoT malware $i$, $U(j)$ represents the signature set of benign IoT applications $j$, and $k$ is a pseudo risk signature in the common subset between IoT malware $i$ and benign IoT application $j$. According to the definition, the $S_{(i,j)\leftarrow k}$ value range of the similarity between IoT malware $i$ and benign IoT application $j$ is in the range [0, 1]. $S_{(i,j)\leftarrow k}$ denotes the similarity between the IoT malware $u_i$ and all candidate benign IoT applications $u_j \in C(u_i)$, and $S_i$ selects the critical value of neighbor applications for the IoT malware $u_i$. $C(u_i)$ represents other IoT malware that share the same risk signature as IoT malware $i$. When $S_{(i,j)\leftarrow k}$, the similarity between the benign IoT application $u_j$ and the IoT malware $u_i$, is less than the critical value ($S_{(i,j)\leftarrow k} < S_i$), this indicates that $u_j$ is not an IoT malware, nor does it belong to the set $C(u_i)$ of IoT malware. The calculation method is given by:

$$S_i = \frac{\sum_{u_k \in C(u_i)} S_{(i,j)\leftarrow k}}{|C(u_i)|} \tag{2}$$

$$U(j) = \left\{ u_k \mid S_{(i,j)\leftarrow k} < S_i,\ u_k \notin C(u_i) \right\}. \tag{3}$$

After optimizing the preidentification database, the PV based on the critical probability interval is introduced in Section V-B to detect untrusted third-party IoT applications.

B. Critical Probability Interval

The PV between the signature observed by the untrusted third-party IoT applications in the system monitor driver and the signature in the preidentification database should be calculated. Let $X_1, X_2, \ldots, X_n$ be the independent and identically distributed signatures, and $x_1, x_2, \ldots, x_n$ be the observed signature values. When the observations $x_1, x_2, \ldots, x_n$ are determined, we have $\theta_1, \theta_2, \ldots, \theta_n$. We use $f(x_i, \theta)$ to represent the distribution column $P\{X = x_i\} = f(x_i, \theta)$ of signature $X$

$$L(\theta_1, \theta_2, \ldots, \theta_n) = \prod_{i=1}^{n} f(x_i, \theta_1, \theta_2, \ldots, \theta_n) \tag{4}$$

$$L(\hat{\theta}) = \operatorname{Max} L(\theta). \tag{5}$$

The PV of $L(\theta)$ is obtained by deriving Equation (5) or considering boundary points. Finally, the value of $\hat{\theta}$ (PV of parameter $\theta$) is obtained. The pre-identification mechanism introduces a configurable critical probability interval [Lower, Upper]. It is required to determine the location relationship between the signature and the critical probability interval of untrusted third-party IoT applications. The calculation method refers to

$$\Delta X = P\left( x_i - \frac{\Delta x_i}{2} < X < x_i + \frac{\Delta x_i}{2} \right) \tag{6}$$

$$\Delta X_i = \int_{x_i - \frac{\Delta x_i}{2}}^{x_i + \frac{\Delta x_i}{2}} f(x, \theta)\,dx \approx f(x_i, \theta) * \Delta x_i. \tag{7}$$

The calculation method of the critical probability interval is given by: $L(\theta) \prod_{i=1}^{n} \Delta x_i$, which provides convenience for the system administrator to operate the threshold of critical probability interval. After obtaining the calculation method of the critical probability interval, it is required to continue the risk detection for suspicious third-party IoT applications in the UncertaintyStage. When PV falls into the minimum critical probability interval, the ITEC system believes that the untrusted third-party IoT applications may be IoT malware or benign IoT applications. Therefore, the ITEC system will start the risk detection engine according to the minimum critical probability interval.

In order to maintain the consistency of risk detection for suspicious third-party IoT applications, the critical probability interval is set to at least 10% (experimental results), as the Switch to start the risk detection engine. In Section V-C and V-D, the theory and method of risk detection engine are introduced.

C. Malicious Threats Calculation Method

Assume that in $N$ files of suspicious third-party IoT applications, after $n$ times of dynamic detection, $n-k$ files are detected to be malicious. The probability of $n(N) = n-k$ satisfies a binomial distribution. The probability of detecting malicious threat is expressed as $q$, $q \in [0, 1]$. The probability distribution of suspicious third-party IoT applications files with malicious threats is expressed as

$$P(n(N) = n-k \mid q) = \binom{N}{n-k} q^{\,n-k} (1-q)^{N-n-k}. \tag{8}$$

Let $V_i$ denote that the $i$-th file has a malicious threat. It is required to use the Bayesian reasoning method to estimate the probability that the $(i+1)$th file also has a malicious threat, $P(V_{i+1} = 1 \mid n(N) = n-k)$. We define $V_{i+1} = 1$ to indicate that the file has a malicious threat, and $V_{i+1} = 0$ to indicate that the file is benign and secure. According to Bayes theorem, the probability distribution of the $(i+1)$th file is expressed as

$$P(V_{i+1} = 1 \mid n(N) = n-k) = \frac{\mathit{DisP}(V_{i+1}=1,\ n-k)}{\mathit{DisP}(n-k)}. \tag{9}$$

where $P(V_{i+1} = 1 \mid n(N) = n-k)$ is the probability distribution of the malicious threat of the $(i+1)$th file, and $P(n(N) = n-k)$ is the probability distribution of $n-k$ files with malicious threats for $n$ times of independent detection. According to the definition of boundary probability distribution, the distribution function equation is given by

$$\mathit{DisP}(V_{i+1}=1,\ n-k) = \int_{0}^{1} P(n(N) = n-k \mid q)\, f(q)\, q \cdot dq. \tag{10}$$

where $P(n(N) = n-k \mid q) f(q)$ represents the probability density function of malicious threats of $n-k$ files in $n$ independent detection, $P(n(N) = n-k \mid q) f(q) q$ represents the probability density function of $i+1$ files with malicious


threats in $n$ times independent detections. By synthesizing Equations (9) and (10), the calculation method of malicious threat of suspicious third-party IoT applications is obtained as

$$P(V_{i+1} = 1 \mid n(N) = n - k) = \frac{n - k + 1}{N + 2}. \tag{11}$$

It can be deduced from Equation (11) that the total number of files $N$ of suspicious third-party IoT applications and the number of packages $n - k$ with malicious behavior in $n$ times of detection should be known. The threat impact value of IoT malware is calculated in the process of dynamic detection, and a malicious threat level algorithm is proposed to evaluate the threat level of IoT malware. The related introduction is shown in Section V-D.

D. Malicious Threat-Level Algorithm

The CVSS [25] vulnerability scoring rules are improved, and a malicious threat classification algorithm is proposed. The malicious threat score is divided into three categories: basic score, lifecycle score and environment score. Finally, the malicious threat score is obtained by a weighted average of the three categories. It is deduced that, when the malicious threat score is between 7 and 10, which is classified as High risk level IoT malware, it can completely invade and control the operating system, including the operation and management of the system, and obtain the Root authority. When the malicious threat score is between 4 and 6.9, it is classified as Medium risk level IoT malware. It refers to the common operation beyond the scope of authority, including but not limited to avoiding the modification of peripheral data, performing illegal operations, as well as the logic design defects and process defects of the application itself. The malicious threat score of Lower risk level IoT malware is between 0 and 3.9. It usually has the risk of interfering with the normal operation of IoT devices.

The pseudocode of the malicious threat-level method is presented in Algorithm 1. We first obtain the exploitability subscore (ESC) and the basic impact subfactor score ISC_Base (see Algorithm 1, lines 1-3). In Algorithm 1 (lines 7-15), we use Scope as the mark of the infection range of IoT malware to calculate the base score (BS) and the temporal score (TS). Specifically, Scope indicates whether the scope of influence of IoT malware will be extended to other components or the ability to obtain permissions. In Algorithm 1 (lines 17-22), we use the modified impact subfactor score ISC_Modified to evaluate the influence of IoT malware. Finally, based on ISC_Modified, we can obtain the environmental score (ES) to determine whether the impact of the threat spans different security areas (see Algorithm 1, lines 23-37). Note that Algorithm 1 has a time complexity of O(n).

Algorithm 1: Malicious Threat Classification Algorithm.
Input: AV, AC, PR, UI, W_C, W_I, W_A, E, RL, RC, ImpactConf_Modified, ImpactInteg_Modified and ImpactAvail_Modified.
Output: Threat Level (TL) = {Low, Medium, High} based on BS, TS and ES.
 1: for each package i in N do
 2:     ESC = 8.22 * AV * AC * PR * UI;
 3:     ISC_Base = 1 − [(1 − W_C) * (1 − W_I) * (1 − W_A)];
 4:     if ISC_Base <= 0 or ISC_Base > 1 then
 5:         BS = 0;
 6:     end if
 7:     if Scope_Modified == Unchanged then
 8:         ISC = 6.42 * ISC_Base;
 9:         BS = Roundup(Min((ESC + ISC), 10), 1);
10:     else
11:         ISC = 7.52 * [ISC_Base − 0.029] − 3.25 * [ISC_Base − 0.02]^15;
12:         min = Min(1.08 * (ESC + ISC), 10);
13:         BS = Roundup(min, 1);
14:         TS = Roundup(BS * E * RL * RC);
15:     end if
16: end for
17: ESC_Modified = 8.22 * AV_Modified * AC_Modified * PR_Modified * UI_Modified;
18: Impact_CR = 1 − ImpactConf_Modified * CR;
19: Impact_IR = 1 − ImpactInteg_Modified * IR;
20: Impact_AR = 1 − ImpactAvail_Modified * AR;
21: Min−2 = 1 − (Impact_CR) * (Impact_IR) * (Impact_AR);
22: ISC_Modified = Min(Min−2, 0.915);
23: if Scope_Modified == Unchanged then
24:     ISC_BaseModified = 7.52 * (ISC_Modified − 0.029) − 3.25 * (ISC_Modified − 0.02)^15;
25:     if ISC_BaseModified <= 0 then
26:         ES = 0;
27:     else
28:         ES = Roundup(Roundup−1 * ESC * RL * RC);
29:     end if
30: else
31:     ISC_BaseModified = 6.42 * ISC_Modified;
32:     if ISC_BaseModified <= 0 then
33:         ES = 0;
34:     else
35:         ES = Roundup(Roundup−2 * ESC * RL * RC);
36:     end if
37: end if
38: return BS, TS and ES.

VI. PERFORMANCE ANALYSIS AND EVALUATION

A computer with an eight-core CPU and 16-GB RAM is used as the public edge computing hosting host, which provides basic hardware resources for software deployments, such as task computing, network communication, primary selection, identification and inventory storage. The edge server system is also deployed on the hosting host system platform with the corresponding function libraries and modules, such as the routing subsystem and the open subsystem. In our experiment, 1200 real-world Windows and Android applications are collected from VirusShare [26] in order to build an IoT malware dataset. A benign dataset with 980 popular benign applications collected from the official Windows Store and IoT application stores, such as Pi Store [27], is then created. All the benign IoT applications are scanned by antivirus engines to ensure their normal attributes. In this article, some important experimental parameters of the ITEC system are as follows: the optimal critical probability interval is set as [40%, 60%], transmission power is 12 W, power dissipation is set to 0.1 nm, the transmission bandwidth is 50 MHz, and the specific parameters are described in Table II.

A. Preidentification Database

After optimizing the Pearson’s correlation coefficient, a preidentification database is developed (see Table III). The risk signatures extracted by the preidentification mechanism


have operational behaviors such as endangering the security performance of the IoT system, modifying the system files, and accessing third-party malicious websites through the background without user permission. The system APIs can be used to modify the sensitive data, system resources and IoT device status. Afterwards, malicious operations are performed in the background for the remote malicious code injection and abnormal network access. The benign signature of IoT applications usually includes common legal file configuration and operation behaviors, such as file reading, registry information, file directory creation, system path establishment, and other normal access operations.

TABLE II
PARAMETER SETTING

| Parameter [Symbols] | Value [Units] |
|---|---|
| Maximum Likelihood Predicted Value, PV | 0.98 |
| Critical probability interval, Lower | 40% |
| Critical probability interval, Upper | 60% |
| Transmission power, T | 12 Watt |
| Power dissipation, Pd | 0.1 nmWatt |
| Processor | Intel(R) Core(TM) i5-6300HQ CPU@2.30GHz |
| RAM | 16 GB |
| Bandwidth, W | 50 MHz |
| Amounts of sample, Q | 3,180 |

TABLE III
PREIDENTIFICATION DATABASE

| ID | Signature | Explanation |
|---|---|---|
| 1 | raises exception | One or more processes crashed. |
| 2 | allocates rwx | Allocates read-write-execute memory. |
| 3 | pe features | The executable has PE anomalies. |
| 4 | creates exe | Creates executable files on the filesystem. |
| 5 | creates service | Creates a service. |
| 6 | suspicious proces | Creates a suspicious process. |
| ... | ... | ... |
| 34 | injection runpe | Executed a process and injected code into it, probably while unpacking. |
| 35 | dead host | Connects to an IP address that is no longer responding to requests. |

B. Evaluate Preidentification Mechanism Performance

The experimental results show that, when the critical interval increases, the detection accuracy of the preidentification mechanism decreases. It can be seen from Fig. 4 that, when the critical probability interval increases, more suspected third-party IoT applications will be in the UncertaintyStage. When the critical probability interval is 20%, the classification accuracy reaches 93.53%. Although the set Lower and Upper values are different, the classification accuracy slightly fluctuates. This means that they are mainly stable, which verifies the stability of the preidentification mechanism.

Fig. 4. Classification performance of the preidentification mechanism under different critical probability intervals.

C. Evaluation of the Risk Detection Engine Detection Performance

Existing studies have provided some malware detection methods, such as Opcode [28], frequency of Opcodes [11], [29], and low-complexity signature [30]. We compare the proposed ITEC system with these state-of-the-art detection systems. Table IV summarizes the comparison results. As we can see, most baseline models achieve high detection accuracy, but they are not comparable to our proposed ITEC system. This may be because in our proposed ITEC system, the signature-based preidentification mechanism can distinguish benign signatures from malicious signatures, which greatly improves the detection accuracy. Haddadpajouh et al. [31] propose a deep learning-based IoT malware detection method. Moreover, Alshahrani et al. [32] propose a malware detection system that integrates blockchain and deep learning models. Compared with the two baselines [31], [32], our ITEC system achieves the best detection accuracy. Specifically, our ITEC detection system has great advantages in terms of detection efficiency. In most cases, the running time for processing one sample is less than 85 ms, which is almost negligible.

D. Ablation Experiment

We evaluate the impact of the critical probability interval. In this experiment, we selected the critical probability intervals [10%, 90%], [20%, 80%], [30%, 70%] and [40%, 60%] to investigate the influence on the preidentification mechanism, risk detection engine (RD) and risk detection engine with delay strategy (RD+DM). Then, we give the precision, accuracy, F1, and recall of our method under different critical probability intervals. As we expected, RD+DM performs consistently well, outperforming the other two baseline models. Moreover, as can be seen from Fig. 5, with the change of critical probability interval, the detection performance of RD+DM rises steadily.

Moreover, we use false positive rate (FPR) to evaluate the detection performance of the ITEC system, which can reflect the possibility of misjudgment of our system. From Fig. 6, we can see that when the critical probability interval is [10%, 90%], the FPR of our ITEC system achieves 11%. With the decrease of the critical probability interval, the FPR of the ITEC system also decreases. When the critical probability interval is [40%, 60%], the FPR of our ITEC system reaches the minimum. This shows that the ITEC system can correctly identify most samples and has the fewest misjudgments. However, when the interval is [40%, 60%], the FPR increases. This suggests that more samples were misjudged by the ITEC system. In this case, the ITEC system needs to use the risk detection engine to detect third-party IoT applications.
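The scoring steps of Algorithm 1 (lines 1-14) and the [Lower, Upper] triage evaluated above, as an added example that is not the authors' code: it computes the base and temporal scores with the CVSS v3.1 equations that Algorithm 1 builds on, maps a score to the Low/Medium/High bands of Section V-D, and routes a sample using Equation (11). Assumptions: the function names, the constructed sample data, the metric weights and Roundup rule (taken from the FIRST CVSS v3.1 specification, not from the page), the rule that a probability above Upper is treated as malicious and below Lower as benign, and banding the base score directly because the page does not give the weights of its final weighted average.

```python
import math

# CVSS v3.1 metric weights (FIRST specification; not listed on the page).
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
AC = {"L": 0.77, "H": 0.44}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}
PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.50}


def roundup(x):
    """CVSS v3.1 Roundup: smallest one-decimal value >= x, robust to float noise."""
    scaled = round(x * 100000)
    if scaled % 10000 == 0:
        return scaled / 100000.0
    return (math.floor(scaled / 10000) + 1) / 10.0


def base_score(av, ac, pr, ui, scope_changed, c, i, a):
    """Exploitability (ESC), impact (ISC) and base score (BS), Algorithm 1 lines 2-13."""
    pr_weight = (PR_CHANGED if scope_changed else PR_UNCHANGED)[pr]
    esc = 8.22 * AV[av] * AC[ac] * pr_weight * UI[ui]
    isc_base = 1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a])
    if scope_changed:
        isc = 7.52 * (isc_base - 0.029) - 3.25 * (isc_base - 0.02) ** 15
    else:
        isc = 6.42 * isc_base
    if isc <= 0:  # no impact at all: the score is zero
        return 0.0
    total = 1.08 * (esc + isc) if scope_changed else esc + isc
    return roundup(min(total, 10))


def temporal_score(bs, e, rl, rc):
    """Temporal score (TS), Algorithm 1 line 14."""
    return roundup(bs * e * rl * rc)


def threat_level(score):
    """Bands from Section V-D: 0-3.9 Low, 4-6.9 Medium, 7-10 High."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def malicious_probability(flagged, total):
    """Equation (11): (n - k + 1) / (N + 2) for n-k flagged files out of N."""
    if not 0 <= flagged <= total:
        raise ValueError("flagged must be between 0 and total")
    return (flagged + 1) / (total + 2)


def triage(p, lower=0.40, upper=0.60):
    """Assumed routing: outside the interval decides, inside is the UncertaintyStage."""
    if p > upper:
        return "malicious"
    if p < lower:
        return "benign"
    return "uncertain"  # handed to the risk detection engine


# Constructed samples: (name, files N, flagged files n-k, metric vector).
SAMPLES = [
    ("app-a", 8, 7, ("N", "L", "N", "N", False, "H", "H", "H")),
    ("app-b", 8, 4, ("N", "L", "N", "R", True, "L", "L", "N")),
    ("app-c", 8, 0, ("L", "H", "H", "R", False, "N", "L", "N")),
]


def assess(sample, lower=0.40, upper=0.60):
    """Run triage and scoring for one constructed sample."""
    name, total, flagged, vector = sample
    p = malicious_probability(flagged, total)
    score = base_score(*vector)
    return name, round(p, 2), triage(p, lower, upper), score, threat_level(score)


if __name__ == "__main__":
    for interval in [(0.40, 0.60), (0.10, 0.90)]:
        print("interval", interval)
        for sample in SAMPLES:
            print("  ", assess(sample, *interval))
```

Running it with the wider interval [10%, 90%] moves app-a into the uncertain stage, which mirrors the observation in Section VI-B that wider intervals leave more applications undecided.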


TABLE IV
DIFFERENT ALGORITHMS COMPARISON: NUMERICAL RESULTS

| Detection Methods | Samples size | [Lower, Upper] | Accuracy | F1 | Recall | Avg. time (per sample) |
|---|---|---|---|---|---|---|
| Santos et al. [11] | 17,000 | N/A | 95.91% | 81.75% | 77.70% | 149.31ms |
| Hashemi et al. [28] | 11,100 | N/A | 96.87% | 86.05% | 81.55% | N/A |
| E.M et al. [29] | 22,000 | N/A | 98.17% | 99.3% | 98.73% | 1.36s |
| Abbas et al. [30] | 70 | N/A | 87.91% | 87.37% | 86.93% | 2.65s |
| Hamed et al. [31] | 552 | N/A | 97.43% | N/A | 99.27% | 36ms |
| Hani Alshahrani et al. [32] | 3,100 | N/A | 92.31% | 94.12% | N/A | 17s |
| Risk Detection Engine | 3,180 | [10%, 90%] | 94.58% | 94.50% | 94.55% | 50ms |
| Risk Detection Engine | 3,180 | [30%, 70%] | 97.06% | 97.03% | 96.21% | 46ms |
| Risk Detection Engine | 3,180 | [40%, 60%] | 98.06% | 98.04% | 97.27% | 42ms |
| Risk Detection Engine | 3,180 | [40%, 50%] | 98.01% | 98.00% | 97.42% | 37ms |
| Delay Strategy | 3,180 | [10%, 90%] | 95.98% | 95.96% | 95.46% | 85ms |
| Delay Strategy | 3,180 | [30%, 70%] | 97.48% | 97.46% | 96.59% | 81ms |
| Delay Strategy | 3,180 | [40%, 60%] | 98.52% | 98.50% | 97.73% | 64ms |
| Delay Strategy | 3,180 | [40%, 50%] | 98.09% | 98.08% | 97.58% | 61ms |

[Figure 5: four panels comparing Pre-detection, RD and RD+DM over the critical probability intervals [10%, 90%], [20%, 80%], [30%, 70%], [40%, 60%] and [40%, 50%].]

Fig. 5. Ablation Studies for various critical probability intervals. (a) Precision. (b) Accuracy. (c) Recall. (d) F1.

Fig. 6. Comparative classification performance in various critical probability intervals.

Fig. 7. Comparison of detection time of different detection methods for IoT malware of different risk levels.

Fig. 8. Schematic diagram of malware detection based on the ITEC system in the Cooperative Vehicle Infrastructure System.

E. Detection Time of IoT Malware With Different Risk Levels

The experimental results are shown in Fig. 7. In general, the threat levels sort as follows: $T_{\text{Lower risk}} < T_{\text{Medium risk}} < T_{\text{High risk}}$. For the Medium and High risk, the malicious behaviors can trigger more security risks, such as malicious code injection, network backdoor transmission, data establishment and communication. These detection methods are not able to detect the IoT malware at Medium and High risk, while the detection time is also not guaranteed. It can be seen from Fig. 7 that the detection time of the high-risk based method is longer than that of the low-risk based method. This shows that the efficiency of the risk detection engine is better than that of the preidentification mechanism. If the critical probability interval is small, the efficiency is high. After introducing the delay strategy, the detection efficiency is reduced, and the classification accuracy is improved by limiting the speed of the IoT malware accessing sensitive files. If the critical probability interval is shortened, the classification efficiency can be further improved, which indicates that the risk detection engine has a real-time detection.

F. Engineering Applications

Self-driving constitutes an important part of the intelligent transportation system. As shown in Fig. 8, with the acceleration of onboard basic software updating, third-party intelligent transportation operators provide users with diversified services through in-vehicle infotainment systems (e.g., car navigation systems and instant-messaging programs), enhancing user experience. In general, self-driving requires high safety performance. Malware could cause serious consequences, such as illegal access to the vehicle, sensitive information leakage, and data injection attack. In the worst case, the malware could take control of a vehicle, leading to a crash.


The vehicle-road cooperation system collects all valid traffic information and makes reasonable assessments and decisions through edge computing processing and analysis to ensure the safety of vehicles during driving. Edge computing offers advantages in flexible connection, real-time business, data optimization, application security, and privacy protection as an open platform integrating network, processing, and storage with core application capabilities. We deploy the ITEC system on the edge server to perform security detection of untrusted instant chat online, omnidirection cameras, in-vehicle entertainment systems, and other third-party in-vehicle fundamental software for the safety of data and driving during self-driving.

VII. CONCLUSION

In this article, we designed and implemented a novel ITEC system based on a preidentification mechanism and a risk detection engine for IoT malware detection. The experimental results demonstrate that the ITEC system has a greater detection accuracy than other existing IoT malware detection methods. The ITEC system has timely responses and the detection time is reasonably acceptable. In addition, the features within the scope can provide safe and reliable protection services for the public and open IoT environment. In our future work, we aim at studying: 1) The static analysis of IoT malware; in the case of not executing IoT malware, the instructions and structure of IoT malware should be analyzed to determine the functions of malware; and 2) The classification of IoT malware types. In the ITEC system, the neural network method can be used to perform malware family classification.

ACKNOWLEDGMENT

The authors would like to thank the Editor-in-Chief, the Associate Editor, and the reviewers for their insightful comments and suggestions. Moreover, we are grateful for resources from the High Performance Computing Center of Central South University.

REFERENCES

[1] Y. Lu, X. Huang, Y. Dai, S. Maharjan, and Y. Zhang, “Blockchain and federated learning for privacy-preserved data sharing in industrial iot,” IEEE Transactions on Industrial Informatics, vol. 16, pp. 4177–4186, 2020.
[2] P. Ruzafa-Alcazar, P. Fernandez-Saura, E. Marmol-Campos, A. González-Vidal, J. L. Hernández-Ramos, J. Bernal-Bernabe, and A. F. Skarmeta, “Intrusion detection based on privacy-preserving federated learning for the industrial iot,” IEEE Transactions on Industrial Informatics, vol. 19, pp. 1145–1154, 2023.
[3] A. Azmoodeh, A. Dehghantanha, and K. Choo, “Robust malware detection for internet of (battlefield) things devices using deep eigenspace learning,” IEEE Transactions on Sustainable Computing, pp. 1–1, 2018.
[4] K. Riad, R. Hamza, and H. Yan, “Sensitive and energetic iot access control for managing cloud electronic health records,” IEEE Access, vol. 7, pp. 86384–86393, 2019.
[5] H. Liu, J. Li, and D. Gu, “Understanding the security of app-in-the-middle iot,” Computers & Security, vol. 97, p. 102000, 2020.
[6] C. Song and A. Raghunathan, “Information leakage in embedding models,” in CCS ’20: 2020 ACM SIGSAC Conference on Computer and Communications Security, Virtual Event, USA, November 9-13, 2020, J. Ligatti, X. Ou, J. Katz, and G. Vigna, Eds. ACM, 2020, pp. 377–390. [Online]. Available: https://doi.org/10.1145/3372297.3417270
[7] Z. Feng, N. Guan, M. Lv, W. Liu, Q. Deng, X. Liu, and W. Yi, “An efficient uav hijacking detection method using onboard inertial measurement unit,” ACM Transactions on Embedded Computing Systems, vol. 17, no. 6, pp. 1–19, 2018.
[8] V. A. Thakor, M. A. Razzaque, and M. R. A. Khandaker, “Lightweight cryptography algorithms for resource-constrained iot devices: A review, comparison and research opportunities,” IEEE Access, vol. 9, pp. 28177–28193, 2021. [Online]. Available: https://doi.org/10.1109/ACCESS.2021.3052867
[9] J. Luo, X. Deng, H. Zhang, and H. Qi, “Qoe-driven computation offloading for edge computing,” J. Syst. Archit., vol. 97, pp. 34–39, 2019. [Online]. Available: https://doi.org/10.1016/j.sysarc.2019.01.019
[10] B. Li, Y. Wu, J. Song, R. Lu, T. Li, and L. Zhao, “Deepfed: Federated deep learning for intrusion detection in industrial cyber–physical systems,” IEEE Transactions on Industrial Informatics, vol. 17, pp. 5615–5624, 2020.
[11] I. Santos, F. Brezo, X. Ugarte-Pedrero, and P. G. Bringas, “Opcode sequences as representation of executables for data-mining-based unknown malware detection,” Information Sciences, vol. 231, pp. 64–82, 2013.
[12] H. H. Pajouh, R. Javidan, R. Khayami, A. Dehghantanha, and K.-K. R. Choo, “A two-layer dimension reduction and two-tier classification model for anomaly-based intrusion detection in iot backbone networks,” IEEE Transactions on Emerging Topics in Computing, vol. 7, no. 2, pp. 314–323, 2016.
[13] N. Usman, S. Usman, F. Khan, M. A. Jan, A. Sajid, M. Alazab, and P. Watters, “Intelligent dynamic malware detection using machine learning in ip reputation for forensics data analytics,” Future Generation Computer Systems, vol. 118, pp. 124–141, 2021.
[14] D. Tian, R. Zhao, R. Ma, X. Jia, Q. Shen, C. Hu, and W. Liu, “MDCD: A malware detection approach in cloud using deep learning,” Trans. Emerg. Telecommun. Technol., vol. 33, no. 11, 2022.
[15] P. Brown, A. Brown, M. Gupta, and M. Abdelsalam, “Online malware classification with system-wide system calls in cloud iaas,” in 23rd IEEE International Conference on Information Reuse and Integration for Data Science, IRI 2022, San Diego, CA, USA, August 9-11, 2022. IEEE, 2022, pp. 146–151.
[16] K. Vahedi and K. Afhamisisi, “Cloud based malware detection through behavioral entropy,” in 2021 IEEE International Conference on Big Data (Big Data), Orlando, FL, USA, December 15-18, 2021. IEEE, 2021, pp. 6046–6048.
[17] R. Feng, S. Chen, X. Xie, G. Meng, S. Lin, and Y. Liu, “A performance-sensitive malware detection system using deep learning on mobile devices,” IEEE Trans. Inf. Forensics Secur., vol. 16, pp. 1563–1578, 2021.
[18] W. Yuan, Y. Jiang, H. Li, and M. Cai, “A lightweight on-device detection method for android malware,” IEEE Trans. Syst. Man Cybern. Syst., vol. 51, no. 9, pp. 5600–5611, 2021.
[19] A. F. Diallo and P. Patras, “Adaptive clustering-based malicious traffic classification at the network edge,” in 40th IEEE Conference on Computer Communications, INFOCOM 2021, Vancouver, BC, Canada, May 10-13, 2021. IEEE, 2021, pp. 1–10.
[20] Y. Liu, C. Zhu, Y. Wu, H. Xu, and J. Song, “MMWD: an efficient mobile malicious webpage detection framework based on deep learning and edge cloud,” Concurr. Comput. Pract. Exp., vol. 33, no. 18, 2021.
[21] X. Tan, H. Li, L. Wang, and Z. Xu, “End-edge coordinated inference for real-time BYOD malware detection using deep learning,” in 2020 IEEE Wireless Communications and Networking Conference, WCNC 2020, Seoul, Korea (South), May 25-28, 2020. IEEE, 2020, pp. 1–6.


[22] J. Huang, L. Kong, G. Chen, M. Wu, X. Liu, and P. Zeng, “Towards secure industrial iot: Blockchain system with credit-based consensus mechanism,” IEEE Transactions on Industrial Informatics, vol. 15, pp. 3680–3689, 2019.
[23] L. Cui, Y. Qu, G. Xie, D. Zeng, R. Li, S. Shen, and S. Yu, “Security and privacy-enhanced federated learning for anomaly detection in iot infrastructures,” IEEE Transactions on Industrial Informatics, vol. 18, pp. 3492–3500, 2021.
[24] S. Guo, X. Hu, S. Guo, X. Qiu, and F. Qi, “Blockchain meets edge computing: A distributed and trusted authentication system,” IEEE Transactions on Industrial Informatics, vol. 16, pp. 1972–1983, 2020.
[25] R. Wirtz and M. Heisel, “Cvss-based estimation and prioritization for security risks,” in ENASE, 2019, pp. 297–306.
[26] VirusShare, “Virusshare.com-because sharing is caring(2019),” https://virusshare.com.
[27] Raspberry, “Raspberry-pi-store,” https://thepihut.com/collections/raspberry-pi-store.
[28] H. Hashemi, A. Azmoodeh, A. Hamzeh, and S. Hashemi, “Graph embedding as a new approach for unknown malware detection,” Journal of Computer Virology and Hacking Techniques, vol. 13, no. 3, pp. 153–166, 2017.
[29] E. M. Dovom, A. Azmoodeh, A. Dehghantanha, D. E. Newton, R. M. Parizi, and H. Karimipour, “Fuzzy pattern tree for edge malware detection and categorization in iot,” J. Syst. Archit., vol. 97, pp. 1–7, 2019.
[30] M. F. B. Abbas and T. Srikanthan, “Low-complexity signature-based malware detection for iot devices,” in International Conference on Applications and Techniques in Information Security. Springer, 2017, pp. 181–189.
[31] H. Haddadpajouh, A. Mohtadi, A. Dehghantanaha, H. Karimipour, X. Lin, and K. R. Choo, “A multikernel and metaheuristic feature selection approach for iot malware threat hunting in the edge layer,” IEEE Internet of Things Journal, vol. 8, pp. 4540–4547, 2021.
[32] H. Alshahrani, “Droid-iot: Detect android iot malicious applications using ml and blockchain,” Cmc-computers Materials & Continua, vol. 70, pp. 739–766, 2022.

Xiaoheng Deng (Senior member, IEEE) received the Ph.D. degree in computer science from Central South University, Changsha, China, in 2005.
Since 2006, he has been an Associate Professor and then a Full Professor with the Department of Communication Engineering, Central South University, where he is currently a Joint Researcher with Shenzhen Research Institute. His research interests include edge computing Internet of Things, online social network analysis, data mining, and pattern recognition.
Dr. Deng is a Senior Member of the China Computer Federation (CCF), a Member of the CCF Pervasive Computing Council, and a Member of the Association for Computing Machinery. From 2009 to 2010, he was a Chair of the CCF YOCSEF CHANGSHA.

Bin Chen was born in Shaoyang, Hunan, China in 1992. He received the B.S. degree in information security from Hunan Police Academy, Changsha, China, in 2016, and the M.S. degree in computer science from the School of Computer Science and Engineering, Central South University, Changsha, in 2021.
His major research interests include edge computing and Internet of Things security.

Xuechen Chen (Member IEEE) received the B.S.E. degree in electrical engineering from the University of Science and Technology of China, Hefei, China, in 2007, and the Ph.D. degree in electrical engineering from the University of California at Riverside, Riverside, CA, USA, in 2012.
She is currently an Associate Professor in the Department of Computer Science, Central South University, Changsha, China. Before joining Central South University, she was an Assistant Professor with the School of Electronics and Information Technology, Sun Yat-sen University, Guangzhou, China. Before that, she was with the Bell Labs. Her research interests include distributed computing, joint source-channel coding especially in delay-constrained applications, swarm intelligence in optimization, and localization by wireless sensor networks.

Xinjun Pei is working toward the Ph.D degree of computer science with the School of Computer Science and Engineering, Central South University, Changsha, China.
Since 2017, he has been involved in the direction of information security. His research interests include deep learning, edge computing, and Internet of Things security.

Shaohua Wan (Senior Member, IEEE) received the Ph.D. degree in edge intelligence from the School of Computer, Wuhan University, Wuhan, China, in 2010.
He is currently a Full Professor with the Shenzhen Institute for Advanced Study, University of Electronic Science and Technology of China, Shenzhen, China. From 2016 to 2017, he was a Visiting Professor with the Department of Electrical and Computer Engineering, Technical University of Munich, Munich, Germany. He is an author of more than 150 peer-reviewed research papers and books, including more than 40 IEEE/ACM Transactions papers, such as IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, IEEE TRANSACTIONS ON INTELLIGENT TRANSPORTATION SYSTEMS, ACM Transactions on Internet Technology, IEEE TRANSACTIONS ON NETWORK SCIENCE AND ENGINEERING, IEEE TRANSACTIONS ON MULTIMEDIA, IEEE TRANSACTIONS ON COMPUTATIONAL SOCIAL SYSTEMS, ACM Transactions on Multimedia Computing, Communications, and Applications, IEEE TRANSACTIONS ON EMERGING TOPICS IN COMPUTATIONAL INTELLIGENCE, and Pattern Recognition, and many top conference papers in the fields of edge intelligence. His main research interests include deep learning for Internet of Things.

Sotirios K. Goudos (Senior Member, IEEE) received the B.Sc. degree in physics, the M.Sc. of Postgraduate Studies in electronics, and the Ph.D. degree in physics from the Aristotle University of Thessaloniki, Thessaloniki, Greece, in 1991, 1994, and 2001, respectively, the M.Sc. degree in information systems from the University of Macedonia, Thessaloniki, Greece, in 2005, and the diploma degree in electrical and computer engineering from the Aristotle University of Thessaloniki in 2011.
Prof. Goudos is an Associate Editor for IEEE TRANSACTIONS ON ANTENNAS AND PROPAGATION, IEEE ACCESS, IEEE OPEN JOURNAL OF THE COMMUNICATION SOCIETY, International Journal of Antennas and Propagation, EURASIP Journal on Wireless Communications and Networking, and Electronics. He is the founding Editor-in-Chief for Telecom, an open-access journal (MDPI publishing). He is an IEEE Greece Section Secretary.
