Internet-of-Things (IoT) devices are vulnerable to malware and, because of their limited resources, require new mitigation techniques. To that end, previous research has used periodic Remote Attestation (RA) or Traffic Analysis (TA) to detect malware on IoT devices. However, RA is expensive, and TA only raises suspicion without confirming the presence of malware. To solve this, we design MADEA, the first system that blends RA and TA to offer a comprehensive approach to malware detection for the IoT ecosystem. TA builds profiles of the packet traces expected during benign operation of each device and then uses them to detect malware from network traffic in real time. RA confirms the presence or absence of malware on the device. MADEA achieves a 100% true positive rate. It also outperforms other approaches, with 160x faster detection time. Finally, without MADEA, effective periodic RA can consume at least ~14x the amount of energy that a device needs in one hour.
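To make the TA-then-RA flow concrete, here is an added toy model (not code from the paper or the MADEA project): a per-flow size-range profile learned from benign traffic stands in for the TA profiles, a hash comparison stands in for RA, and RA is invoked only when TA flags a packet. The profile format, the flow key, the hash-based attestation and all sample traffic are assumptions made for illustration.

```python
"""Toy model of MADEA's two-stage flow: Traffic Analysis (TA) raises suspicion,
Remote Attestation (RA) confirms. Profile format, flow key and the attestation
scheme are assumptions for illustration, not the paper's design."""
import hashlib
from collections import namedtuple

Packet = namedtuple("Packet", "dst dport proto size")

def build_profile(benign_trace):
    """TA training: per (dst, dport, proto) flow key, record the packet-size
    range observed while the device runs known-good firmware."""
    profile = {}
    for p in benign_trace:
        key = (p.dst, p.dport, p.proto)
        lo, hi = profile.get(key, (p.size, p.size))
        profile[key] = (min(lo, p.size), max(hi, p.size))
    return profile

def is_anomalous(profile, pkt):
    """TA inference: an unseen destination/port or an out-of-range size is
    suspicious, but on its own does not prove malware is present."""
    rng = profile.get((pkt.dst, pkt.dport, pkt.proto))
    return rng is None or not (rng[0] <= pkt.size <= rng[1])

def attest(firmware_image: bytes, golden_hash: str) -> bool:
    """RA stand-in: the verifier compares a digest of the device's reported
    memory image with the known-good value. A real RA scheme would have the
    device sign this measurement with a hardware-bound key (omitted here)."""
    return hashlib.sha256(firmware_image).hexdigest() == golden_hash

def madea_verdict(profile, live_trace, firmware_image, golden_hash):
    """RA runs only when TA flags a packet, i.e. on demand rather than
    periodically. Returns (verdict, number_of_RA_runs)."""
    ra_runs = 0
    for pkt in live_trace:
        if is_anomalous(profile, pkt):
            ra_runs += 1
            if not attest(firmware_image, golden_hash):
                return "malware", ra_runs
            # TA false alarm: attestation passed, keep monitoring
    return "benign", ra_runs

# Constructed sample data (assumed, not taken from the paper)
BENIGN = [Packet("10.0.0.2", 8883, "tcp", s) for s in (64, 96, 128)]
GOOD_FW = b"firmware-v1"
GOLDEN = hashlib.sha256(GOOD_FW).hexdigest()
LIVE_OK = BENIGN + [Packet("10.0.0.2", 8883, "tcp", 200)]        # size spike only
LIVE_BAD = BENIGN + [Packet("198.51.100.7", 4444, "tcp", 512)]   # unseen destination
```

Running `madea_verdict(build_profile(BENIGN), LIVE_OK, GOOD_FW, GOLDEN)` yields a benign verdict after one attestation, which is the false-alarm case RA resolves; the same call with `LIVE_BAD` and a modified firmware image yields a malware verdict.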
@article{prapty2025_2502.15098,
  title={MADEA: A Malware Detection Architecture for IoT blending Network Monitoring and Device Attestation},
  author={Renascence Tarafder Prapty and Rahmadi Trimananda and Sashidhar Jakkamsetti and Gene Tsudik and Athina Markopoulou},
  journal={arXiv preprint arXiv:2502.15098},
  year={2025}
}