{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,12]],"date-time":"2026-05-12T03:23:12Z","timestamp":1778556192696,"version":"3.51.4"},"reference-count":19,"publisher":"MDPI AG","issue":"13","license":[{"start":{"date-parts":[[2024,6,25]],"date-time":"2024-06-25T00:00:00Z","timestamp":1719273600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["OIA-2119691"],"award-info":[{"award-number":["OIA-2119691"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Sensors"],"abstract":"<jats:p>The increasing usage of interconnected devices within the Internet of Things (IoT) and Industrial IoT (IIoT) has significantly enhanced efficiency and utility in both personal and industrial settings but also heightened cybersecurity vulnerabilities, particularly through IoT malware. This paper explores the use of one-class classification, a method of unsupervised learning, which is especially suitable for unlabeled data, dynamic environments, and malware detection, which is a form of anomaly detection. We introduce the TF-IDF method for transforming nominal features into numerical formats that avoid information loss and manage dimensionality effectively, which is crucial for enhancing pattern recognition when combined with n-grams. Furthermore, we compare the performance of multi-class vs. one-class classification models, including Isolation Forest and deep autoencoder, that are trained with both benign and malicious NetFlow samples vs. trained exclusively on benign NetFlow samples. We achieve 100% recall with precision rates above 80% and 90% across various test datasets using one-class classification. These models show the adaptability of unsupervised learning, especially one-class classification, to the evolving malware threats in the IoT domain, offering insights into enhancing IoT security frameworks and suggesting directions for future research in this critical area.<\/jats:p>","DOI":"10.3390\/s24134122","type":"journal-article","created":{"date-parts":[[2024,6,26]],"date-time":"2024-06-26T09:29:33Z","timestamp":1719394173000},"page":"4122","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":15,"title":["Malware Detection for Internet of Things Using One-Class Classification"],"prefix":"10.3390","volume":"24","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-0503-2207","authenticated-orcid":false,"given":"Tongxin","family":"Shi","sequence":"first","affiliation":[{"name":"Department of Computer Science, North Dakota State University, Fargo, ND 58102, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Roy A.","family":"McCann","sequence":"additional","affiliation":[{"name":"Department of Electrical Engineering, University of Arkansas, Fayetteville, AR 72701, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Ying","family":"Huang","sequence":"additional","affiliation":[{"name":"Department of Civil, Construction and Environmental Engineering, North Dakota State University, Fargo, ND 58102, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Wei","family":"Wang","sequence":"additional","affiliation":[{"name":"Department of Computer Science, North Dakota State University, Fargo, ND 58102, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4916-8499","authenticated-orcid":false,"given":"Jun","family":"Kong","sequence":"additional","affiliation":[{"name":"Department of Computer Science, North Dakota State University, Fargo, ND 58102, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2024,6,25]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"8182","DOI":"10.1109\/JIOT.2019.2935189","article-title":"IoT: Internet of Threats? A Survey of Practical Security Vulnerabilities in Real IoT Devices","volume":"6","author":"Meneghello","year":"2019","journal-title":"IEEE Internet Things J."},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"36","DOI":"10.1016\/j.ijcip.2019.01.001","article-title":"Cyber security challenges for IoT-based smart grid networks","volume":"25","author":"Kimani","year":"2019","journal-title":"Int. J. Crit. Infrastruct. Prot."},{"key":"ref_3","unstructured":"(2024, June 07). Smart Meter Hacks Cost Hundreds of Millions Annually, FBI Says. NBCNews.com. Available online: https:\/\/www.nbcnews.com\/id\/wbna47003851."},{"key":"ref_4","unstructured":"(2024, June 07). Sandworm Disrupts Power in Ukraine Using a Novel Attack against Operational Technology, Google. Available online: https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/sandworm-disrupts-power-ukraine-operational-technology."},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"213","DOI":"10.1007\/s11416-017-0307-5","article-title":"Intelligent OS X malware threat detection with code inspection","volume":"14","author":"Pajouh","year":"2018","journal-title":"J. Comput. Virol. Hacking Tech."},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"6591","DOI":"10.1109\/JIOT.2021.3055937","article-title":"ADEPT: Detection and Identification of Correlated Attack Stages in IoT Networks","volume":"8","author":"Divakaran","year":"2021","journal-title":"IEEE Internet Things J."},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"146","DOI":"10.1016\/j.comcom.2021.05.024","article-title":"Internet of Things attack detection using hybrid Deep Learning Model","volume":"176","author":"Sahu","year":"2021","journal-title":"Comput. Commun."},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"3187","DOI":"10.1109\/TII.2018.2822680","article-title":"Detection of Malicious Code Variants Based on Deep Learning","volume":"14","author":"Cui","year":"2018","journal-title":"IEEE Trans. Ind. Inform."},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"46717","DOI":"10.1109\/ACCESS.2019.2906934","article-title":"Robust Intelligent Malware Detection Using Deep Learning","volume":"7","author":"Vinayakumar","year":"2019","journal-title":"IEEE Access"},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"265","DOI":"10.1007\/s10115-017-1058-9","article-title":"DeepAM: A heterogeneous deep learning framework for intelligent malware detection","volume":"54","author":"Ye","year":"2018","journal-title":"Knowl. Inf. Syst."},{"key":"ref_11","doi-asserted-by":"crossref","first-page":"48867","DOI":"10.1109\/ACCESS.2019.2908033","article-title":"Evading Anti-Malware Engines with Deep Reinforcement Learning","volume":"7","author":"Fang","year":"2019","journal-title":"IEEE Access"},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"630","DOI":"10.1109\/TETCI.2019.2910243","article-title":"An Enhanced Stacked LSTM Method With No Random Initialization for Malware Threat Hunting in Safety and Time-Critical Systems","volume":"4","author":"Jahromi","year":"2020","journal-title":"IEEE Trans. Emerg. Top. Comput. Intell."},{"key":"ref_13","first-page":"2127","article-title":"A Knowledge Transfer-based Semi-Supervised Federated Learning for IoT Malware Detection","volume":"20","author":"Pei","year":"2023","journal-title":"IEEE Trans. Dependable Secur. Comput."},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Pu, G., Wang, L., Shen, J., and Dong, F. (2021). A Hybrid Unsupervised Clustering-Based Anomaly Detection Method, Tsinghua Science and Technology.","DOI":"10.26599\/TST.2019.9010051"},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Zhang, L., Yin, J., Ning, J., Wang, Y., Adebisi, B., and Yang, J. (2022, January 4\u20135). A Novel Unsupervised Malware Detection Method based on Adversarial Auto-encoder and Deep Clustering. Proceedings of the 2022 9th International Conference on Dependable Systems and Their Applications (DSA), Wulumuqi, China.","DOI":"10.1109\/DSA56465.2022.00038"},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"2641","DOI":"10.1007\/s10489-018-01405-0","article-title":"RAMD: Registry-based anomaly malware detection using one-class ensemble classifiers","volume":"49","author":"Tajoddin","year":"2019","journal-title":"Appl. Intell."},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Al-Qudah, M., Ashi, Z., Alnabhan, M.M., and Abu Al-haija, Q. (2023). Effective One-Class Classifier Model for Memory Dump Malware Detection. J. Sens. Actuator Netw., 12.","DOI":"10.3390\/jsan12010005"},{"key":"ref_18","unstructured":"Garcia, S., Parmisano, A., and Erquiaga, M.J. (2020). IoT-23: A Labeled Dataset with Malicious and Benign IoT Network Traffic, Zenodo. Version 1.0.0; Data Set."},{"key":"ref_19","unstructured":"Shao, E. (2019). Encoding IP Address as a Feature for Network Intrusion Detection. [Master\u2019s Thesis, Purdue University Graduate School]."}],"container-title":["Sensors"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1424-8220\/24\/13\/4122\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T15:03:58Z","timestamp":1760108638000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1424-8220\/24\/13\/4122"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,6,25]]},"references-count":19,"journal-issue":{"issue":"13","published-online":{"date-parts":[[2024,7]]}},"alternative-id":["s24134122"],"URL":"https:\/\/doi.org\/10.3390\/s24134122","relation":{},"ISSN":["1424-8220"],"issn-type":[{"value":"1424-8220","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,6,25]]}}}