{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,8]],"date-time":"2026-04-08T16:30:10Z","timestamp":1775665810020,"version":"3.50.1"},"reference-count":43,"publisher":"Association for Computing Machinery (ACM)","issue":"4","license":[{"start":{"date-parts":[[2020,10,12]],"date-time":"2020-10-12T00:00:00Z","timestamp":1602460800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Manage. Inf. Syst."],"published-print":{"date-parts":[[2020,12,31]]},"abstract":"<jats:p>As the Internet of Things (IoT) is estimated to grow to 25 billion by 2021, there is a need for an effective and efficient Intrusion Detection System (IDS) for IoT devices. Traditional network-based IDSs are unable to efficiently detect IoT malware and new evolving forms of attacks like file-less attacks. In this article, we present a system level Device-Edge split IDS for IoT devices. Our IDS profiles IoT devices according to their \u201cbehavior\u201d using system-level information like running process parameters and their system calls in an autonomous, efficient, and scalable manner and then detects anomalous behavior indicative of intrusions. The modular design of our IDS along with a unique device-edge split architecture allows for effective attack detection with minimal overhead on the IoT devices. We have extensively evaluated our system using a dataset of 3,973 traditional IoT malware samples and 8 types of sophisticated file-less attacks recently observed against IoT devices in our testbed. We report the evaluation results in terms of detection efficiency and computational.<\/jats:p>","DOI":"10.1145\/3382159","type":"journal-article","created":{"date-parts":[[2020,8,15]],"date-time":"2020-08-15T13:18:42Z","timestamp":1597497522000},"page":"1-21","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":30,"title":["Edge-Based Intrusion Detection for IoT devices"],"prefix":"10.1145","volume":"11","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-7148-0000","authenticated-orcid":false,"given":"Anand","family":"Mudgerikar","sequence":"first","affiliation":[{"name":"Purdue University, West Lafayette, Indiana, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Puneet","family":"Sharma","sequence":"additional","affiliation":[{"name":"Hewlett Packard Labs, Milpitas, CA, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Elisa","family":"Bertino","sequence":"additional","affiliation":[{"name":"Purdue University, West Lafayette, Indiana, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2020,10,12]]},"reference":[{"key":"e_1_2_1_1_1","unstructured":"[n.d.]. https:\/\/linux.die.net\/man\/1\/sha256sum.  [n.d.]. https:\/\/linux.die.net\/man\/1\/sha256sum."},{"key":"e_1_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1109\/CloudCom.2013.142"},{"key":"e_1_2_1_3_1","volume-title":"26th USENIX Security Symposium (USENIX Security 17)","author":"Antonakakis Manos","year":"2017","unstructured":"Manos Antonakakis , Tim April , Michael Bailey , Matt Bernhard , Elie Bursztein , Jaime Cochran , Zakir Durumeric , J. Alex Halderman , Luca Invernizzi , Michalis Kallitsis , Deepak Kumar , Chaz Lever , Zane Ma , Joshua Mason , Damian Menscher , Chad Seaman , Nick Sullivan , Kurt Thomas , and Yi Zhou . 2017 . Understanding the Mirai botnet . In 26th USENIX Security Symposium (USENIX Security 17) . 1093--1110. Manos Antonakakis, Tim April, Michael Bailey, Matt Bernhard, Elie Bursztein, Jaime Cochran, Zakir Durumeric, J. Alex Halderman, Luca Invernizzi, Michalis Kallitsis, Deepak Kumar, Chaz Lever, Zane Ma, Joshua Mason, Damian Menscher, Chad Seaman, Nick Sullivan, Kurt Thomas, and Yi Zhou. 2017. Understanding the Mirai botnet. In 26th USENIX Security Symposium (USENIX Security 17). 1093--1110."},{"key":"e_1_2_1_4_1","volume-title":"USENIX Annual Technical Conference, FREENIX Track","volume":"41","author":"Bellard Fabrice","year":"2005","unstructured":"Fabrice Bellard . 2005 . QEMU, a fast and portable dynamic translator . In USENIX Annual Technical Conference, FREENIX Track , Vol. 41 . 46. Fabrice Bellard. 2005. QEMU, a fast and portable dynamic translator. In USENIX Annual Technical Conference, FREENIX Track, Vol. 41. 46."},{"key":"e_1_2_1_5_1","volume-title":"19th International Conference on Extending Database Technology (EDBT","author":"Bertino Elisa","year":"2016","unstructured":"Elisa Bertino . 2016 . Data security and privacy in the IoT . In 19th International Conference on Extending Database Technology (EDBT 2016). OpenProceedings.org, 1--3. Elisa Bertino. 2016. Data security and privacy in the IoT. In 19th International Conference on Extending Database Technology (EDBT 2016). OpenProceedings.org, 1--3."},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1145\/2342509.2342513"},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.comnet.2014.02.022"},{"key":"e_1_2_1_8_1","doi-asserted-by":"crossref","unstructured":"Christian Cervantes Diego Poplade Michele Nogueira and Aldri Santos. 2015. Detection of sinkhole attacks for supporting secure routing on 6LoWPAN for Internet of Things. In IM. 606--611.  Christian Cervantes Diego Poplade Michele Nogueira and Aldri Santos. 2015. Detection of sinkhole attacks for supporting secure routing on 6LoWPAN for Internet of Things. In IM. 606--611.","DOI":"10.1109\/INM.2015.7140344"},{"key":"e_1_2_1_9_1","volume-title":"LinuxWorld Conference and Expo","author":"Chavez Timothy R.","year":"2006","unstructured":"Timothy R. Chavez . 2006 . A look at Linux audit . In LinuxWorld Conference and Expo ( Boston, MA, April). Timothy R. Chavez. 2006. A look at Linux audit. In LinuxWorld Conference and Expo (Boston, MA, April)."},{"key":"e_1_2_1_10_1","unstructured":"Daming D. Chen Maverick Woo David Brumley and Manuel Egele. 2016. Towards automated dynamic analysis for Linux-based embedded firmware. In NDSS.  Daming D. Chen Maverick Woo David Brumley and Manuel Egele. 2016. Towards automated dynamic analysis for Linux-based embedded firmware. In NDSS."},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-04492-2_66"},{"key":"e_1_2_1_12_1","unstructured":"Catalin Cimpanu. 2018. New Hakai IoT botnet takes aim at D-Link Huawei and Realtek routers. https:\/\/www.zdnet.com\/article\/new-hakai-iot-botnet-takes-aim-at-d-link-huawei-and-realtek-routers\/  Catalin Cimpanu. 2018. New Hakai IoT botnet takes aim at D-Link Huawei and Realtek routers. https:\/\/www.zdnet.com\/article\/new-hakai-iot-botnet-takes-aim-at-d-link-huawei-and-realtek-routers\/"},{"key":"e_1_2_1_13_1","unstructured":"Stephen Cobb. 2017. RoT: Ransomware of Things. ESET.  Stephen Cobb. 2017. RoT: Ransomware of Things. ESET."},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1007\/11535218_26"},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/3307334.3326083"},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-35170-9_6"},{"key":"e_1_2_1_17_1","unstructured":"Andy Greenberg. 2017. The Reaper Botnet Has Already Infected a Million Networks. https:\/\/www.wired.com\/story\/reaper-iot-botnet-infected-million-networks\/.  Andy Greenberg. 2017. The Reaper Botnet Has Already Infected a Million Networks. https:\/\/www.wired.com\/story\/reaper-iot-botnet-infected-million-networks\/."},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1109\/JIOT.2017.2704093"},{"key":"e_1_2_1_19_1","unstructured":"Christine Hall. 2018. Survey Shows Linux the Top Operating System for Internet of Things Devices. https:\/\/www.itprotoday.com\/iot\/survey-shows-linux-top-operating-system-internet-things-devices.  Christine Hall. 2018. Survey Shows Linux the Top Operating System for Internet of Things Devices. https:\/\/www.itprotoday.com\/iot\/survey-shows-linux-top-operating-system-internet-things-devices."},{"key":"e_1_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134045"},{"key":"e_1_2_1_21_1","volume-title":"2013 ACM SIGSAC Conference on Computer 8 Communications Security. ACM, 1337--1340","author":"Kasinathan Prabhakaran","unstructured":"Prabhakaran Kasinathan , Gianfranco Costamagna , Hussein Khaleel , Claudio Pastrone , and Maurizio A. Spirito . 2013. An IDS framework for Internet of Things empowered by 6LoWPAN . In 2013 ACM SIGSAC Conference on Computer 8 Communications Security. ACM, 1337--1340 . Prabhakaran Kasinathan, Gianfranco Costamagna, Hussein Khaleel, Claudio Pastrone, and Maurizio A. Spirito. 2013. An IDS framework for Internet of Things empowered by 6LoWPAN. In 2013 ACM SIGSAC Conference on Computer 8 Communications Security. ACM, 1337--1340."},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1109\/MC.2017.201"},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.bushor.2015.03.008"},{"key":"e_1_2_1_24_1","volume-title":"Advanced Technologies, Embedded and Multimedia for Human-centric Computing","author":"Lee Tsung-Han","unstructured":"Tsung-Han Lee , Chih-Hao Wen , Lin-Huang Chang , Hung-Shiou Chiang , and Ming-Chun Hsieh . 2014. A lightweight intrusion detection scheme based on energy consumption analysis in 6LowPAN . In Advanced Technologies, Embedded and Multimedia for Human-centric Computing . Springer , 1205--1213. Tsung-Han Lee, Chih-Hao Wen, Lin-Huang Chang, Hung-Shiou Chiang, and Ming-Chun Hsieh. 2014. A lightweight intrusion detection scheme based on energy consumption analysis in 6LowPAN. In Advanced Technologies, Embedded and Multimedia for Human-centric Computing. Springer, 1205--1213."},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICNC.2011.6022060"},{"key":"e_1_2_1_26_1","unstructured":"Shiqing Ma Xiangyu Zhang and Dongyan Xu. 2016. ProTracer: Towards practical provenance tracing by alternating between logging and tainting. In NDSS.  Shiqing Ma Xiangyu Zhang and Dongyan Xu. 2016. ProTracer: Towards practical provenance tracing by alternating between logging and tainting. In NDSS."},{"key":"e_1_2_1_27_1","unstructured":"Open Malware. [n.d.]. http:\/\/openmalware.org.  Open Malware. [n.d.]. http:\/\/openmalware.org."},{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICDCS.2017.104"},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/3321705.3329857"},{"key":"e_1_2_1_30_1","volume-title":"USENIX Annual Technical Conference, General Track. 43--56","author":"Muniswamy-Reddy Kiran-Kumar","unstructured":"Kiran-Kumar Muniswamy-Reddy , David A. Holland , Uri Braun , and Margo I. Seltzer . 2006. Provenance-aware storage systems . In USENIX Annual Technical Conference, General Track. 43--56 . Kiran-Kumar Muniswamy-Reddy, David A. Holland, Uri Braun, and Margo I. Seltzer. 2006. Provenance-aware storage systems. In USENIX Annual Technical Conference, General Track. 43--56."},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.3390\/s141224188"},{"key":"e_1_2_1_32_1","first-page":"1","article-title":"IoTPOT: Analysing the rise of IoT compromises","volume":"9","author":"Pa Pa Yin Minn","year":"2015","unstructured":"Yin Minn Pa Pa , Shogo Suzuki , Katsunari Yoshioka , Tsutomu Matsumoto , Takahiro Kasama , and Christian Rossow . 2015 . IoTPOT: Analysing the rise of IoT compromises . EMU 9 (2015), 1 . Yin Minn Pa Pa, Shogo Suzuki, Katsunari Yoshioka, Tsutomu Matsumoto, Takahiro Kasama, and Christian Rossow. 2015. IoTPOT: Analysing the rise of IoT compromises. EMU 9 (2015), 1.","journal-title":"EMU"},{"key":"e_1_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1016\/S1389-1286(99)00112-7"},{"key":"e_1_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.5120\/21565-4589"},{"key":"e_1_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.adhoc.2013.04.014"},{"issue":"1","key":"e_1_2_1_36_1","first-page":"229","article-title":"Snort: Lightweight intrusion detection for networks","volume":"99","author":"Roesch Martin","year":"1999","unstructured":"Martin Roesch . 1999 . Snort: Lightweight intrusion detection for networks . In Lisa , Vol. 99 , No. 1 . 229 -- 238 . Martin Roesch. 1999. Snort: Lightweight intrusion detection for networks. In Lisa, Vol. 99, No. 1. 229--238.","journal-title":"Lisa"},{"key":"e_1_2_1_37_1","volume-title":"Sherali Zeadally, Sameera Al-Mulla, and Mohammed Alzaabi.","author":"Salah Khaled","year":"2012","unstructured":"Khaled Salah , Jose M Alcaraz Calero , Sherali Zeadally, Sameera Al-Mulla, and Mohammed Alzaabi. 2012 . Using cloud computing to implement a security overlay network. IEEE Security 8 Privacy 11, 1 (2012), 44--53. Khaled Salah, Jose M Alcaraz Calero, Sherali Zeadally, Sameera Al-Mulla, and Mohammed Alzaabi. 2012. Using cloud computing to implement a security overlay network. IEEE Security 8 Privacy 11, 1 (2012), 44--53."},{"key":"e_1_2_1_38_1","volume-title":"Seppo Virtanen, and Jouni Isoaho.","author":"Thanigaivelan Nanda Kumar","year":"2016","unstructured":"Nanda Kumar Thanigaivelan , Ethiopia Nigussie , Rajeev Kumar Kanth , Seppo Virtanen, and Jouni Isoaho. 2016 . Distributed internal anomaly detection system for Internet-of-Things. In 2016 13th IEEE Annual Consumer Communications 8 Networking Conference (CCNC). IEEE , 319--320. Nanda Kumar Thanigaivelan, Ethiopia Nigussie, Rajeev Kumar Kanth, Seppo Virtanen, and Jouni Isoaho. 2016. Distributed internal anomaly detection system for Internet-of-Things. In 2016 13th IEEE Annual Consumer Communications 8 Networking Conference (CCNC). IEEE, 319--320."},{"key":"e_1_2_1_39_1","unstructured":"VirusTotal. [n.d.]. https:\/\/www.virustotal.com.  VirusTotal. [n.d.]. https:\/\/www.virustotal.com."},{"key":"e_1_2_1_40_1","unstructured":"Jack Wallen. 2017. Five nightmarish attacks that show the risks of IoT security. https:\/\/www.zdnet.com\/article\/5-nightmarish-attacks-that-show-the-risks-of-iot-security\/.  Jack Wallen. 2017. Five nightmarish attacks that show the risks of IoT security. https:\/\/www.zdnet.com\/article\/5-nightmarish-attacks-that-show-the-risks-of-iot-security\/."},{"key":"e_1_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1155\/2013\/794326"},{"key":"e_1_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1109\/ASPDAC.2016.7428064"},{"key":"e_1_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-21837-3_67"}],"container-title":["ACM Transactions on Management Information Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3382159","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3382159","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T22:02:08Z","timestamp":1750197728000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3382159"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,10,12]]},"references-count":43,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2020,12,31]]}},"alternative-id":["10.1145\/3382159"],"URL":"https:\/\/doi.org\/10.1145\/3382159","relation":{},"ISSN":["2158-656X","2158-6578"],"issn-type":[{"value":"2158-656X","type":"print"},{"value":"2158-6578","type":"electronic"}],"subject":[],"published":{"date-parts":[[2020,10,12]]},"assertion":[{"value":"2019-09-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2020-02-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2020-10-12","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}