Review

Low-Cost Malware Detection with Artificial Intelligence on Single Board Computers

by Phil Steadman *, Paul Jenkins, Rajkumar Singh Rathore * and Chaminda Hewage
Cardiff School of Technologies, Cardiff Metropolitan University, Cardiff CF5 2YB, UK
* Authors to whom correspondence should be addressed.
Future Internet 2026, 18(1), 46; https://doi.org/10.3390/fi18010046
Submission received: 3 November 2025 / Revised: 24 December 2025 / Accepted: 30 December 2025 / Published: 12 January 2026

Abstract

The proliferation of Internet of Things (IoT) devices has significantly expanded the threat landscape for malicious software (malware), rendering traditional signature-based detection methods increasingly ineffective in coping with the volume and evolving nature of modern threats. In response, researchers are utilising artificial intelligence (AI) for a more dynamic and robust malware detection solution. An innovative approach utilising AI focuses on image classification techniques to detect malware on resource-constrained Single-Board Computers (SBCs) such as the Raspberry Pi. In this method the conversion of malware binaries into 2D images is examined; these images can be analysed by deep learning models such as convolutional neural networks (CNNs) to classify them as benign or malicious. The results show that the image-based approach demonstrates high efficacy, with many studies reporting detection accuracy rates exceeding 98%. That said, there is a significant challenge in deploying these demanding models on devices with limited processing power and memory, in particular because of both their computational and time complexity. Overcoming this issue requires critical model optimisation strategies. Successful approaches include the use of a lightweight CNN architecture and federated learning, which may be used to preserve privacy while models are trained on decentralised data. This hybrid workflow, in which models are trained on powerful servers before the learnt models are deployed on SBCs, is an emerging field attracting significant interest in cybersecurity. This paper synthesises the current state of the art, performance compromises, and optimisation techniques, contributing to the understanding of how AI and image representation can enable effective low-cost malware detection on resource-constrained systems.

Graphical Abstract

1. Introduction

In an era dominated by the Internet of Things (IoT), the threat posed by malicious software, often referred to as malware, is at a very high level. Malware is an umbrella term used to describe a wide range of disruptive programmes, from viruses and spyware to ransomware, which can cause significant damage to individuals and organisations. Traditional signature-based detection struggles to keep pace with the hundreds of thousands of new malware variants created daily and the rise of polymorphic code that constantly changes to evade detection [1]. These limitations have made conventional antivirus systems less effective against modern “zero-day” attacks. These attacks, executed by malware that “combines heterogeneous malicious behaviours such as remote control, data leakage, encryption, mining, code execution hiding, and other hostile actions” [2], mean there is a constant competition between cyber specialists and malware producers.
This research highlights the benefits of employing modern technologies alongside existing methods for malware detection, illustrating how IoT devices, such as the Raspberry Pi or the ARM suite of Single-Board Computers (SBCs), can effectively utilise image recognition in attempting to detect and protect against cyber threats. Furthermore, this paper investigates potential future capabilities that may be incorporated into systems as their processing power increases, enabling the use of models with greater complexity.
In response to this increase in the volume and impact of attacks, there may be a way to significantly improve detection rates by utilising artificial intelligence (AI) and machine learning (ML) to create more dynamic and effective detection systems, rather than relying on fixed signatures. AI-powered systems can scan files based on their intrinsic properties and behaviours to classify them as malicious or benign. Governments and industry leaders have identified this technology as a transformative force capable of redefining entire sectors.
This technological change coincides with the proliferation of Single-Board Computers (SBCs), which are compact, low-cost devices that power everything from smart home gadgets to industrial control systems. The Raspberry Pi is the most prominent example, a versatile, credit card-sized computer that has seen adoption across education, industry, and hobbyist projects, making it the UK’s best-selling computer export [3].
While powerful for their size, these SBCs have significant resource constraints, including limited processing power, memory, and storage. This creates a fundamental challenge: deploying computationally intensive AI models, such as those needed for malware detection, on these low-power devices. This paper proposes a method of utilising AI-powered malware detection, with a specific focus on methods that convert malware binaries into images for classification, and explores the techniques, performance compromises, and model optimisation strategies required to effectively implement these advanced security solutions on resource-constrained platforms such as the Raspberry Pi.

1.1. Problem Statement and Motivation

While AI offers a powerful paradigm for malware detection, a significant challenge lies in deploying these computationally intensive models on the resource-constrained hardware typical of IoT devices and SBCs. Platforms such as the Raspberry Pi are characterised by limited processing power, memory (RAM), and storage, which is in stark contrast to the high-performance servers on which AI models are typically trained. The process of converting binary files to high-resolution images and applying deep convolutional neural networks (CNNs) is particularly demanding. Therefore, there is a requirement to consolidate the existing body of knowledge, mapping the current techniques, their performance, and the outstanding issues that must be resolved to secure the next generation of connected devices.

1.2. Research Questions (RQs)

To guide this systematic review, the following research questions were formulated:
RQ1: 
What are the primary AI-based techniques used for malware detection in existing literature? This is answered in Section 3 (Malware Detection Methods), Section 4 (AI Definitions), and Section 13 (IDS/IPS Evolution).
RQ2: 
What are the specific challenges and proposed solutions for deploying these AI models on single-board computers (SBCs)? This is answered in Section 3.3 (Intersection of Malware and IoT), Section 16 (Edge Computing, SBCs, Federated Learning), and Section 19 (Future Challenges).
RQ3: 
What is the state of the art regarding malware-to-image conversion for detection, and what are its performance compromises on resource-constrained devices? This is addressed in the consolidated analysis of Section 14 and Section 15 (Comparative Analysis).
The paper utilises a systematic review as shown in Figure 1, in a survey of the current literature on the topic.

1.3. Paper Structure

The remainder of this paper is organised as follows. The Review Methodology details the search strategy, study selection criteria, and data synthesis process. The Results section presents the synthesised and experimental results from the selected literature and test results from the research work structured to directly address the research questions. The Discussion section discusses the broader implications of the findings, identifies critical research gaps, and outlines the threats to the validity of this review. The Challenges section discusses the difficulties in IoT and malware classification. Finally, the Conclusions section concludes the paper and proposes key directions for future work.

2. Review Methodology

Researchers undertaking a literature review often employ a strategic approach to information gathering. IEEE Xplore provides access to a wealth of peer-reviewed publications, particularly in engineering and computer science. Its advanced search functionalities allow filtering results by publication date, author, keywords, and specific IEEE journals or conference proceedings. This enables the pinpointing of seminal works and cutting-edge research directly relevant to the topic, ensuring a strong foundation of established knowledge. Attention is paid to highly cited papers and those published in reputable IEEE journals, as these are often indicators of influential research.
Google Scholar acts as a comprehensive search engine for scholarly literature across numerous disciplines. Its strength lies in its ability to index a vast array of sources, including journal articles, conference papers, theses, and books. The citation tracking feature reveals the impact of a particular paper and assists in tracing the evolution of ideas. Additionally, setting up citation alerts allows for staying updated on new publications that cite key papers in the field. When utilising Google Scholar, researchers remain mindful of the source’s credibility and cross-reference findings with publications from established databases like IEEE Xplore.
Supplementing these academic databases with information from leading websites, open-source papers, and relevant blogs offers a more holistic understanding of the topic. Leading websites from reputable institutions or research groups often provide white papers, technical reports, and summaries of ongoing projects, which offer valuable insights into practical applications and current trends. Open-source papers and code repositories, particularly in fields like software engineering and data science, demonstrate real-world implementations and reveal emerging methodologies. Finally, blogs written by experts in the field provide context, commentary, and interpretations of recent research, bridging the gap between academic publications and practical applications. Researchers critically evaluate the reliability and objectivity of information obtained from blogs and websites, prioritising sources with established expertise and transparent methodologies.
Figure 2 shows the strategic literature review process used in this paper. Table 1 shows the count of references used per year, along with the corresponding dates. The trend indicates an increase in papers closer to the present day, highlighting the modern relevance of the research in this paper. This is expanded out with Figure 3 and Figure 4.
The source database encompasses a diverse range of materials, including IEEE papers, conferences, and published books. arXiv is an open-access archive and free distribution service hosting almost 2.4 million scholarly articles across various disciplines, including physics, mathematics, computer science, quantitative biology, quantitative finance, statistics, electrical engineering, systems science, and economics.

3. Malware

3.1. Defining Malware

Malware (short for malicious software) is the term used to describe a broad range of harmful software that is designed to cause damage to computer systems and networks. In the publication “Machine Learning Security Principles”, the authors suggest malware has the potential to “put lives at risk, such as in a medical facility” [4]. This type of software can consist of viruses, worms, Trojan horses, spyware, ransomware, and other types of malicious code. Figure 4 shows the types of malware and cyberattacks. Figure 5 shows the types of malware and cyber threats.
Malware can be distributed through various means such as email attachments, infected websites, or removable media. Once it has infected a system, malware can steal data, corrupt files, encrypt data, install other malicious programs, or take over the system completely. Traditional static and dynamic analyses for detecting malware are proving ineffective in identifying new malware and impose high overhead in terms of memory and time [5]. Newer detection technologies are required as new malware techniques continue to be explored by attackers.

3.2. Detection Methods of Malware

Malicious hacker groups have developed sophisticated evasive malware techniques such as polymorphism, metamorphism, and code obfuscation, to name a few [5]. Traditional methods of signature-based detection require the malware to be known, after which the signature is recorded and published. Devices with antivirus software then collect and install these signatures. The whole process takes time, increasing the delay in detection and hence hindering the prevention of zero-day attacks. Another challenge is the malware’s ability to rewrite itself, thus changing its signature. Two methods are commonly used: polymorphism changes the encryption key, whereas metamorphism rewrites the code; both change the signature. A paper written by Tahir in 2018 describes this as a “camouflage evolution of malware” [6]. Tahir expands on this by describing malware obfuscation techniques such as register reassignment and subroutine reordering, explaining that obfuscation is the process that “hide[s] the malicious behaviour of malware” [6], and reviews the three approaches used against it: signature-, heuristic-, and specification-based detection. However, Tahir does not mention the use of AI detection, which had been researched previously. The senior fellow at ICIT in 2017 published his findings that the detection methods Tahir’s paper discusses “are no match for next-generation adversaries” [7]. Scott further states that for over a decade, “cybersecurity has been a game of ‘detect and respond’ or ‘breach and react’”. Scott explains that, given “the daily creation of nearly one million new malware, signature-based and heuristic-based anti-malware is insufficient” [7], which counters the arguments of [6].
The detection of malware has progressed very quickly in recent years, from static analysis to hybrid detection methods that combine multiple techniques. Signature-based detection is only possible if the malware is known. Behaviour-based detection is only possible in certain circumstances and with certain datasets. Heuristics-based detection can identify unknown malware by examining the characteristics of the code, but this requires carefully tuned software so as not to raise false positives on innocent code. Figure 6 highlights the malware detection methods.
Researchers at Airbus, investigating malware detection using artificial intelligence [8], discussed using software called Cuckoo [9]. This open-source sandbox can produce detailed reports of malware behaviours, API calls, network traffic, and memory analysis. Utilising a hybrid system, they then take these metrics and run them through an AI system that maps the Euclidean distance between points, which enables the classification of malware. This method of detection has been supported by research [10] that used a behaviour-based CNN alongside heuristic approaches, with success. The method has also proven successful in research [11] conducted as early as 2009. While AI was not available at this time, when Windows XP was in circulation, malware behaviours were identified by collecting these runtime metrics and comparing and contrasting them with those of other programmes. A paper by Rabadi [12] used the exported JSON file from Cuckoo and found that, in their case, XGBoost was the most successful classifier. Table 2 is a comprehensive table of AI-based malware detection methods.
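The behaviour-based workflow described above (sandbox report, feature vector, Euclidean distance, classification) as an added example; this is not code from the paper, from the Airbus study, or from the Cuckoo project. The report layout is a simplified imitation of a Cuckoo report’s per-process `behavior.apistats` section (the exact key names are an assumption), and the labelled reference reports, the query reports, and the API names and counts are all constructed for the example. Classification is a plain k-nearest-neighbour vote over relative API-call frequencies.

```python
"""Nearest-neighbour classification of sandbox behaviour reports by Euclidean distance.

Added example, not from the paper or the Cuckoo project. Report structure is a
constructed, simplified Cuckoo-like layout (assumption):
    report["behavior"]["apistats"] -> {process id: {API name: call count}}
"""
import json
import math
from collections import Counter

# Constructed, labelled reference reports (not real sandbox output).
LABELLED_REPORTS = [
    ("malicious", json.dumps({"behavior": {"apistats": {
        "1204": {"CryptEncrypt": 340, "WriteFile": 410, "FindNextFileW": 290, "DeleteFileW": 120}}}})),
    ("malicious", json.dumps({"behavior": {"apistats": {
        "2210": {"CryptEncrypt": 280, "WriteFile": 350, "FindNextFileW": 310},
        "2244": {"InternetOpenA": 4, "HttpSendRequestA": 6}}}})),
    ("benign", json.dumps({"behavior": {"apistats": {
        "3310": {"ReadFile": 60, "WriteFile": 20, "RegQueryValueExW": 45, "LoadLibraryW": 12}}}})),
    ("benign", json.dumps({"behavior": {"apistats": {
        "4400": {"ReadFile": 80, "RegQueryValueExW": 30, "CreateWindowExW": 5, "LoadLibraryW": 15}}}})),
]

# Constructed query reports used in the usage section and tests.
SUSPECT_REPORT = json.dumps({"behavior": {"apistats": {
    "5120": {"CryptEncrypt": 300, "WriteFile": 300, "FindNextFileW": 300}}}})
BENIGN_REPORT = json.dumps({"behavior": {"apistats": {
    "6210": {"ReadFile": 70, "RegQueryValueExW": 40, "LoadLibraryW": 10}}}})


def extract_api_counts(report_json):
    """Sum API call counts across every process recorded in one report."""
    report = json.loads(report_json)
    totals = Counter()
    for per_process in report["behavior"]["apistats"].values():
        totals.update(per_process)
    return totals


def to_vector(counts, vocabulary):
    """Project counts onto a fixed API vocabulary as relative frequencies, so a
    long-running sample is not distant from a short one merely by call volume.
    APIs outside the vocabulary are ignored."""
    total = sum(counts[api] for api in vocabulary) or 1
    return [counts[api] / total for api in vocabulary]


def euclidean(u, v):
    """Straight-line distance between two equal-length feature vectors."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(u, v)))


def build_model():
    """Vocabulary (sorted union of reference APIs) and labelled reference points."""
    counts = [(label, extract_api_counts(r)) for label, r in LABELLED_REPORTS]
    vocabulary = sorted({api for _, c in counts for api in c})
    points = [(label, to_vector(c, vocabulary)) for label, c in counts]
    return vocabulary, points


def classify(report_json, k=3):
    """Majority label among the k reference points nearest to the query.
    Returns (label, distance to the single nearest reference point)."""
    vocabulary, points = build_model()
    query = to_vector(extract_api_counts(report_json), vocabulary)
    ranked = sorted(points, key=lambda lp: euclidean(query, lp[1]))
    votes = Counter(label for label, _ in ranked[:k])
    label, _ = votes.most_common(1)[0]
    return label, round(euclidean(query, ranked[0][1]), 3)


if __name__ == "__main__":
    for name, report in (("suspect", SUSPECT_REPORT), ("benign", BENIGN_REPORT)):
        label, dist = classify(report)
        print(f"{name}: classified {label} (nearest reference at distance {dist})")
```

The nearest-reference distance is returned alongside the label so a deployment can refuse to classify when the query is far from every reference point, which is the usual guard against novel families that a distance-based model has never seen.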

3.3. Intersection of Malware and Internet of Things (IoT)

The Internet of Things is the term used to categorise devices that connect to the Internet; this can be everything from smart watches, CCTV systems, smart fridges, smart speakers, and thermostats to smart cars. The list is almost endless. “A forecast by International Data Corporation (IDC) estimates that there will be 41.6 billion IoT devices in 2025, capable of generating 79.4 zettabytes (ZB) of data” [35], which is almost double the estimates made in 2019. This is subject to change depending on the source of the data. It is, however, and more importantly, well understood that most of these devices, especially the earlier variants, are unlikely to be patched or updated, and are probably susceptible to bugs and vulnerabilities. In the previous section, refs. [8,10,11] used feature extraction for the successful hybrid detection of malware. Paper [36] argued that IoT, given its low computational power, does not work as efficiently as enterprise-grade compute devices. Researchers at the University of Zurich, using reinforcement learning and behavioural fingerprinting, were able to successfully identify malware using a Raspberry Pi 3. By basing their research on Moving Target Defence (MTD), ref. [2] achieved results of 55% CPU and >80% RAM. Similarly, using a Raspberry Pi 4 4 GB, Tirumala et al. took an alternative approach, configuring the Raspberry Pi as an IDS and using two systems to identify malware. Using “HashSigns and DNASigns” [37], they were able to detect 98% and 99% of malware, respectively, although they did not publish the CPU or RAM results of their tests. The use of IDS is discussed later in this literature review.
In 2016 at DefCon in Las Vegas, Andrew Tierney demonstrated that certain IoT thermostats that use ML were susceptible to ransomware. Tierney explained these thermostats were similar to Linux servers in the 1990s and everything ran with Root credentials. His hack consisted of setting the temperature to 99 degrees Fahrenheit and implementing a rotating code linked to a command and control server where a Bitcoin would be required to unlock the code [38]. Tierney wanted IoT manufacturers to implement encryption and obfuscation, and not execute code as Root. However, in the paper Ransom AI: AI-powered Ransomware for Stealthy Encryption, encryption techniques were used to mask malware from “dynamic defence mechanisms” [39], and a reward mechanism was used to adjust the “rate and stealth capabilities of ransomware configurations” [39]. In 2016, Tierney influenced IoT manufacturers to use encryption; however, in 2023, Von der Assen used encryption to evade detection. As IoT becomes smarter using improved algorithms, the availability of faster compute and the understanding of defence improve. Hackers, researchers, and hobbyists will always find new ways to change the intended behaviour of these IoT devices. The National Cyber Security Centre (NCSC) in 2022 defined the Product Security and Telecommunications Infrastructure Bill as ensuring all IoT devices are created, by law, using “secure by design” principles [40].

3.4. Malware and Trusted Data

Researchers [41] use machine learning to identify malware, then use blockchain to capture this information and keep a record of it so that all nodes can share it. This, in turn, can be used to train other models using these newfound data; see federated learning later in this text. Using blockchain to train models also guards against adversaries. “One of the major security-related risks towards AI system potential regarding adversaries is for compromising [the] integrity of decision-making procedures” [42]. Basing their research on Android malware, the authors use machine learning to extract data points from the malware using clustering and classification techniques. This information is then added to the blockchain and distributed across the networks, giving “high credibility and high efficiency” [42]. This mechanism is successful only if the source of the original data points can be guaranteed; adding it to the blockchain converts this information into a trusted source. This is a potential attack vector, as any hacker who can alter the input sources may alter the outliers, therefore skewing the results [4].
Following blockchain, the argument for decentralised training from trusted sources is critical to AI/ML. Having the correct training material is fundamental. Federated learning, if configured correctly, can learn from other trusted sources. Using federated learning enables “training machine learning models with decentralized data while preserving its privacy by design” [43]. Having a trusted system to update and renew the AI/ML engines with training data adds trust to the engines, in that they are not tampered with and bad data do not mislead them, which could ultimately result in an attack vector as discussed in the previous section. The authors in [39] use AI to counteract the malware AI engine, and ref. [44] explains how bad training data can alter the AI engine and create a bias against different data points. This, in turn, could give malware an opportunity to manifest and bypass these detection systems. Using federated or blockchain systems enables the AI to ensure that its training data come from trusted and known sources.
The source and credibility of the data are critical to the system; corrupted training data have significant effects on the outputs. The records that exert the most influence on a model are likely to be outliers and novelties. In the book Machine Learning Security Principles, the authors describe Cook’s Distance as a way to measure these anomalies: “Cook’s Distance reduces the work you need to perform to determine where anomalies occur” [4]. This can be extended by using a Z-Score, which identifies any outliers that are “normally beyond the third deviation” [4].
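The two screening measures named above, Cook’s Distance and the Z-score, carried through on a small constructed training set as an added example; this is not code from the paper or from the book it cites. The data are constructed: a feature column `FEATURE`, a label column `LABEL` whose last record has been deliberately corrupted (its value should be near 20), and a separate 31-value series `ENTROPY` with one spike. Cook’s Distance is computed for a straight-line least-squares model by refitting with each record left out; the Z-score uses the population standard deviation. The example also shows a caveat of the “third deviation” rule: in a ten-record set the corrupted label inflates the standard deviation enough to stay below |z| = 3 (the largest attainable score for n records is (n−1)/√n), while Cook’s Distance still flags it.

```python
"""Screening a training set for influential or anomalous records.

Added example, not from the paper or the cited book. All data are constructed.
"""

# Constructed training records: feature x and the label y a simple model should
# fit. The last record is tampered with (y should be close to 20, not 40).
FEATURE = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10]
LABEL = [2.1, 3.9, 6.2, 8.0, 9.9, 12.1, 14.0, 16.1, 18.0, 40.0]

# Constructed single-feature series (e.g. a per-sample entropy measure) with a
# spike at the end, large enough for a Z-score screen to work.
ENTROPY = [4.8, 5.1, 4.9, 5.2, 5.0, 4.7, 5.3, 5.0, 4.9, 5.1] * 3 + [7.9]


def ols_fit(xs, ys):
    """Least-squares straight line y = a + b*x (p = 2 parameters). Returns (a, b)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    b = sxy / sxx
    return my - b * mx, b


def cooks_distance(xs, ys):
    """D_i = sum_j (yhat_j - yhat_j(i))^2 / (p * MSE), where yhat(i) is the fit
    obtained after dropping record i. Large D_i means record i moves the model."""
    n, p = len(xs), 2
    a, b = ols_fit(xs, ys)
    fitted = [a + b * x for x in xs]
    mse = sum((y - f) ** 2 for y, f in zip(ys, fitted)) / (n - p)
    distances = []
    for i in range(n):
        a_i, b_i = ols_fit(xs[:i] + xs[i + 1:], ys[:i] + ys[i + 1:])
        shift = sum((f - (a_i + b_i * x)) ** 2 for x, f in zip(xs, fitted))
        distances.append(shift / (p * mse))
    return distances


def influential_records(xs, ys):
    """Indices whose Cook's distance exceeds the common 4/n rule of thumb."""
    n = len(xs)
    return [i for i, d in enumerate(cooks_distance(xs, ys)) if d > 4 / n]


def z_scores(values):
    """Standard scores (value - mean) / population standard deviation."""
    n = len(values)
    mean = sum(values) / n
    sd = (sum((v - mean) ** 2 for v in values) / n) ** 0.5
    if sd == 0:
        return [0.0] * n
    return [(v - mean) / sd for v in values]


def beyond_third_deviation(values):
    """Indices of values lying more than three standard deviations from the mean."""
    return [i for i, z in enumerate(z_scores(values)) if abs(z) > 3]


if __name__ == "__main__":
    print("Cook's distance per record:", [round(d, 3) for d in cooks_distance(FEATURE, LABEL)])
    print("influential records (D > 4/n):", influential_records(FEATURE, LABEL))
    print("labels beyond 3 sd (masked in a small sample):", beyond_third_deviation(LABEL))
    print("entropy values beyond 3 sd:", beyond_third_deviation(ENTROPY))
```

In practice the two checks complement each other: the Z-score is cheap and model-free but can be masked by the very outlier it is meant to find when the sample is small, whereas Cook’s Distance asks the model-specific question of which records would change the fitted result if removed, which is the question that matters for a poisoned training set.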
This section reviews the literature on the detection of malware, the use of IoT, and the importance of reliable data. The next section discusses artificial intelligence.

4. Artificial Intelligence

Defining Artificial Intelligence: An Academic Exploration?

The best explanation of artificial intelligence in the mid-1950s was given by John McCarthy from Stanford University: “It is the science and engineering of making intelligent machines, especially intelligent computer programs. It is related to the similar task of using computers to understand human intelligence, but AI does not have to confine itself to methods that are biologically observable” [45]. John McCarthy is known to be one of the fathers of artificial intelligence. The term artificial intelligence is also used broadly to cover other technologies like machine learning, deep learning, and neural networks, and this list will keep expanding. In 2023/2024, artificial intelligence exploded with tools such as ChatGPT, Google Gemini, and Dall-E. The term AI is frequently used in the media and became the most notable word of 2023, giving rise to its popularity [46].
There are three classes of AI: Narrow AI, General AI, and Super AI (Figure 7). The first, Narrow AI, also known as weak AI, can only operate within its constraints. This can be likened to smart assistants like Google Home or Alexa. It has a predefined set of instructions that it is programmed to respond to but is unable to handle tasks outside of its bank of instruction requests. This also includes applications like image or facial recognition and chatbots.
General AI, also known as Strong AI, is a type of AI “that aims to create intelligent systems that are indistinguishable from the human mind” [47]. An AI like this would need to mirror human capacity and have the ability to learn, plan, and be self-aware. Currently, this is still theoretical and has not been achieved. Strong AI is often assessed against the Turing test to gauge its intelligence. However, AI is improving every day. In 2023, machine learning-based weather prediction (MLWP) was able to improve weather “forecast accuracy by capturing patterns in the data which are not easily represented in explicit equations” [48] by using AI rather than traditional methods. In 2007, IBM’s Watson Supercomputer was able to beat contestants at the US gameshow Jeopardy! [49].
Super AI has the functionality to surpass the human mind. This recently hit UK media with Elon Musk and PM Rishi Sunak meeting in Bletchley Park, UK, the home of the World War Two code breakers. The topic of whether the human race should be worried about AI, namely Super AI, was discussed. Some are concerned this technology will lead to the end of the human race, as in the 1984 film The Terminator, where the fictitious company Skynet uses AI to take over the world. The human brain is limited to a few billion neurons; one day, it may be possible for computer systems to compute at this level and greater.
In the next section, the detection of malware is discussed, as well as the different methods used.

5. Introduction to the Convergence of Malware and IoT

The Internet of Things (IoT) consists of connected devices that interact with other devices, things, people, animals, and our surroundings. These devices run on a number of architectures like “MIPS, ARM, PowerPC, Sparc, and they have limited resources” [50]. These devices are susceptible to malware attacks just like conventional computers. This makes reviewing malware dynamically much harder, as it tends to act only under certain conditions. The number of architectures makes discovering it much harder; reviewing it statically is much easier, as the malware is not required to be run to see the attackers’ intentions.

5.1. IoT-A New Frontier for Malware

Long before IoT, computer systems were limited to servers and client devices, mainframe computers, and interconnected systems, generally at the corporate level. The Internet of Things was not officially named until 1999 [51] by Kevin Ashton, MIT’s executive director. However, there are reports that a Coca-Cola machine at Carnegie Mellon University in the early 1980s was connected to the Internet so local programmers could see whether the machine was stocked and what its temperature was. Malware, ever present in our modern digital life, not only targets computers and server systems; it is now being created for IoT devices, given their mass numbers, Internet connectivity, and generally poor security. There are millions of devices on the Internet that were released with default passwords, no mechanism to patch software, and security as an afterthought. New legislation now requires IoT devices to be created with security built in, including not using default passwords. However, this also means there are a number of devices out there still powered on without security enabled. This enables malware creators to target systems that are still used today.

5.2. Understanding the Scale of IoT Device Vulnerability

The number of IoT devices is understood to be increasing at a pace of about 13% each year. There were predictions that by 2025 we would have 100 billion IoT devices, and Juniper Research stated back in 2023 that there will be “116 million globally by 2026” [52]. If this is the case, this would be an increase of 1100%, which is significantly larger than the current 13% we see in the trends. It is fair to say that the many predictions from different researchers do not all agree on the number of IoT devices we are expected to see in the coming years.
Figure 8, the global IoT market forecast [53], shows a prediction by IoT Analytics that displays only a 14% increase up to 2030. In Figure 8, years marked with “a” are actuals and years marked with “f” are forecasts.
However large the numbers become, it is now well understood that these new devices have to be configured with a security-first design. It does not matter if there are 1 billion or 100 billion devices; if they are designed correctly, secured, and patched, then the battle against malware is significantly changed. Unlike traditional computer systems such as servers, poorly designed IoT systems expose services like Telnet and SSH: “Telnet and SSH protocol are the most widely used and among the most effective strategies to infect IoT devices. This kind of attack has been present since the first IoT botnet in 2008 and is still commonly used today” [54]. That being said, there will always be new threats and vulnerabilities; even in enterprise systems, errors in code are still found. This is not always due to legacy code; it could also be new technologies, an accident in the code, or mechanisms to use the hardware in ways not intended.

5.3. Technical Foundations of IoT Malware

The rise of Internet of Things (IoT) devices brings along some noteworthy security challenges. Cybercriminals are keen on finding and taking advantage of the vulnerabilities these devices often carry, putting both organisations and individual users at risk. These issues can lead to serious consequences; once an IoT device is compromised, it might open the door for attackers to delve deeper into corporate networks. After gaining that initial access, they could escalate their privileges, use lateral movement tactics to reach sensitive areas, and even spread malware throughout the network. Additionally, large groups of compromised devices, known as botnets, can be coordinated to execute widespread cyberattacks, like Distributed Denial-of-Service (DDoS) attacks. “Back, land, Neptune, pod, smurf, teardrop are the types of attacks that fall into the DoS category” [55]. These botnets are typically controlled through a command-and-control (C&C) server, gathering the power of many infected devices. For instance, the 2016 Mirai botnet showcased the potential havoc such attacks can wreak, disrupting many well-known services and sites [56]. The fact that Mirai’s code was open-source only added to the threat level, allowing other malicious actors to take advantage of similar vulnerabilities.
The expanding IoT landscape increases the risk of botnets evolving into even more potent threats. The potential integration of peer-to-peer (P2P) file-sharing technologies could enable attackers to establish device connections without relying on central servers, making detection and prevention significantly more challenging.

5.3.1. Vulnerabilities

The increasing prevalence of IoT devices in homes, including appliances, digital assistants, wearables, and health trackers, creates new attack vectors. Vulnerabilities in these devices can provide access to other devices on the home network, such as laptops and computers. This poses a significant risk, particularly with the rise of remote work and Bring Your Own Device (BYOD) policies, potentially granting attackers access to corporate networks. Attackers frequently target IoT devices with known, existing vulnerabilities to gain access to internal networks. “According to a survey conducted by InternetNZ, about 48% of computers in SMEs are used by hackers for testing new malware and/or as bots to simulate Denial of Service (DoS) attacks” [37]. Techniques like Domain Name System (DNS) rebinding attacks can then be employed to exfiltrate data from both home and corporate networks. Weak or hardcoded passwords remain a common entry point for attackers. Easily guessable or reused passwords can be readily cracked, enabling attackers to compromise devices and launch broader attacks. Insecure networks expose IoT devices to exploitation. Attackers can target weaknesses in network protocols and services to intercept or steal sensitive data transmitted between devices and servers. Man-in-the-middle (MITM) attacks are a particularly relevant threat in this context, facilitating credential theft and device impersonation.
Insecure interfaces, such as Application Programming Interfaces (APIs) and mobile/web applications, can be exploited to compromise devices. Robust authentication and authorisation mechanisms are crucial to validate users and protect cloud and mobile interfaces. Devices with insecure update processes are susceptible to the installation of malicious code, firmware, or software. This is a critical concern, especially for organisations in sectors like energy, healthcare, and industry, where compromised devices can have significant consequences. Secure, encrypted update channels and rigorous software validation are essential. Vulnerabilities in code, software, and legacy systems can compromise the IoT ecosystem. In a recent video, malware researcher John Hammond shows how malware is obfuscated using base64 to evade detection, followed by layers of encrypted data, which are then reassembled into a PowerShell payload that operates undetected to encrypt user data under the guise of CloudFlare [57].
The use of insecure or outdated components, such as open-source code or third-party software, expands the attack surface and introduces potential vulnerabilities. IoT devices often collect personal data, necessitating secure storage and processing in compliance with data privacy regulations. Failure to adequately protect this data may lead to data breaches, which could result in fines and damage to reputation and business losses.
Data transmitted and stored by IoT devices must be safeguarded against unauthorised access. This is vital for preserving the integrity and reliability of IoT applications and organisational decision-making processes. Inadequate device lifecycle management renders devices vulnerable, even after they are no longer in use. Organisations must possess a clear understanding of connected assets and devices, as unauthorised or inactive devices can grant attackers access to corporate networks, facilitating data theft or interception [58]. Many IoT devices are shipped with insecure default settings that simplify initial setup yet pose considerable security risks. Attackers can easily exploit these default configurations to compromise device firmware and initiate broader attacks.
The deployment of Internet of Things (IoT) devices in remote and often unmanaged environments poses significant security challenges [59]. These devices, which are increasingly used in various applications such as agriculture, smart cities, and industrial automation, are especially vulnerable to physical attacks. Since these environments may lack sufficient monitoring and protection, the IoT devices can be targeted by malicious actors. This susceptibility can lead to severe consequences, including disruption of services, unauthorised manipulation of data, or even deliberate sabotage of critical systems, ultimately jeopardising the integrity and reliability of the technologies that rely on these interconnected devices: “None of these systems are inherently designed with security in mind; rather, they prioritise cost-effectiveness and innovation” [60].

5.3.2. Shared Responsibility for IoT Security

Protecting against IoT vulnerabilities requires a shared responsibility among various stakeholders: manufacturers play a critical role in building secure IoT devices. This includes addressing known vulnerabilities, releasing timely patches, providing clear end-of-life support information, prioritising security in product design, conducting thorough testing (e.g., penetration testing), and establishing processes for receiving vulnerability reports.
Users must be aware of the security risks associated with IoT devices and take proactive steps to protect them. This includes securing home networks, changing default passwords, regularly updating device firmware and software, enabling automatic updates, and configuring secure settings. Organisations must secure all connected devices and networks using robust security measures, such as encryption and public key infrastructure. They must also continuously monitor for suspicious activity using tools like IoT vulnerability scanners.

6. Functionality, Spread, and Damage

The Internet of Things (IoT) has become an integral part of modern life, connecting devices that range from smart home appliances to industrial machinery. This interconnectedness, however, presents a significant security challenge due to the diverse array of communication protocols employed by IoT devices. Many of these protocols, designed with limited security considerations, create vulnerabilities that malware can exploit as shown in Figure 9. This paper continues to examine the landscape of IoT protocols, their inherent security weaknesses, and how these vulnerabilities are exploited by malware, posing a considerable threat to individuals, organisations, and even critical infrastructure.

6.1. IoT Protocols and Their Exploits

The world of IoT communication is characterised by a multitude of protocols, each with its own strengths and weaknesses. This diversity, while offering flexibility, complicates security efforts. Protocols like MQTT, designed for resource-constrained devices, are lightweight and efficient but can be vulnerable if not properly configured, leaving them open to eavesdropping and unauthorised control. “MQTT is a machine to machine (M2M) connectivity protocol. An MQTT system consists of clients communicating with a server, where the server is also known as ‘MQTT server’” [61]. CoAP, similar to HTTP but optimised for low power, faces similar security challenges if authentication and authorisation are weak. AMQP, often used in enterprise settings, offers more security features, but misconfigurations and implementation flaws can still create vulnerabilities. Protocols like Zigbee and Z-Wave, common in home automation, rely heavily on encryption, but vulnerabilities have been discovered that can bypass these protections. Even ubiquitous technologies like Bluetooth and Wi-Fi, while offering robust security in their latest iterations, can be exploited in older versions or through device-specific vulnerabilities. Cellular networks, while generally secure, can also be entry points through device implementations or SIM card vulnerabilities. Finally, even the foundational protocols of the Internet, TCP/IP, can be exploited if software flaws exist in the device or network services are misconfigured.
These IoT protocols often suffer from inherent security weaknesses. A common problem is the lack of robust authentication and authorisation, allowing unauthorised access and control. Many devices ship with easily guessable default credentials, and users often fail to change them. Unencrypted communication is another major issue, exposing sensitive data to eavesdropping. Software flaws, such as buffer overflows, are common in embedded systems and can be exploited to execute malicious code. Manufacturers often neglect to provide timely security updates, leaving devices vulnerable to known exploits. Resource constraints on many devices limit the ability to implement strong security measures, and in some cases, physical access to the device can allow attackers to exploit vulnerabilities directly.
Malware authors are increasingly targeting IoT devices due to their widespread deployment and inherent vulnerabilities. Compromised devices are often recruited into botnets, used to launch DDoS attacks, spread malware, or perform other malicious activities. IoT devices can also be a source of data breaches, as they often collect and store sensitive information. Ransomware attacks can encrypt data on IoT devices, disrupting critical infrastructure. Man-in-the-middle attacks can intercept communication, allowing attackers to eavesdrop or manipulate data. Firmware manipulation can give attackers complete control of a device, and supply chain attacks can compromise devices before they are even deployed.
Several malware examples illustrate the dangers. Mirai exploited default credentials on routers and IP cameras to build a massive botnet for DDoS attacks. Hajime, similar to Mirai, also targeted default credentials and used a peer-to-peer communication mechanism. BrickerBot intentionally bricked devices by corrupting their storage [61], while Satori exploited a zero-day vulnerability to spread rapidly. These examples highlight the diverse ways malware can leverage protocol vulnerabilities to compromise IoT devices.
Mitigating these risks requires a multi-pronged approach. Secure protocol design, incorporating strong authentication, authorisation, and encryption, is crucial. Manufacturers must ensure secure protocol implementation, avoiding common pitfalls. Regular security updates are essential to patch known vulnerabilities. Users must change default credentials and use multi-factor authentication. Network segmentation can limit the impact of a compromise. Firewalls and intrusion detection systems can help detect malicious traffic. Regular vulnerability scanning and penetration testing can identify weaknesses. Finally, security awareness training is crucial to educate users about the risks.
The proliferation of IoT devices has created a complex security landscape in which vulnerable protocols are prime targets for malware. The diversity of protocols, resource constraints, and lack of security awareness create a breeding ground for malicious actors. Addressing this requires a concerted effort from all stakeholders. By implementing secure protocols, practicing good security hygiene, and staying vigilant, we can strive for a more secure IoT ecosystem. Failure to do so will only embolden malware authors and erode trust in this increasingly crucial technology.

6.2. Security Weaknesses in IoT Devices

The world is becoming increasingly connected, with everyday objects like home appliances, watches, and even cars joining the internet. This Internet of Things (IoT) offers convenience and efficiency but also brings significant security risks. Because many IoT devices are simple and have limited resources, they often lack strong security, making them easy targets for hackers.
One of the main reasons IoT devices are vulnerable is their limited resources. Many devices have small processors and limited memory, making it hard to include complex security measures. Think of a simple lightbulb that connects to your Wi-Fi—it is not designed to handle the same level of security as a laptop: “Even the most common electrical appliances, such as ovens and light bulbs, will have their own IP address, and will be reachable remotely” [62]. Manufacturers often prioritise keeping costs low and delivering products to market quickly, which can mean security is overlooked. This results in devices with weak or missing security features. Also, because there are so many different types of IoT devices, it is difficult to create one-size-fits-all security solutions. Devices differ in their hardware options, operating systems and software, and in the sensors and output devices they interconnect. They also differ in whether their software is built to operate securely with third-party vendors, which in some circumstances it is not.
Another problem is how software is developed for these devices. Often, security is not a top priority during development. Programmers may not have enough security training, leading to mistakes in the code that create openings for hackers. Common errors include things like allowing unauthorised access, failing to encrypt data, and having software flaws that hackers can exploit. Also, many IoT devices use open-source software, which can be good for cost and speed, but it can also introduce security problems if that software is not carefully checked and updated. Another issue is corporate budgets, which bring pressures such as deadlines and milestones. For example, for a corporate business, it might be more important to deliver a minimum viable product than a well-polished solution. For a business to operate, it is most likely more important to be financially oriented than to deliver a solution with every feature, unless that is what the customer asks for; when selling a new product on the open market, features rich in functionality sell over security. A CEO once told the authors, “A product makes money, the security doesn’t”.
The ways in which IoT devices communicate with one another and over the internet can also create security vulnerabilities. Many devices utilise simple communication methods that were not designed with robust security in mind. These methods may lack adequate verification processes for determining who is permitted to access the device or may transmit data without encryption, making it easy for hackers to eavesdrop or take control. Even when encryption is implemented, it may be weak or utilise easily guessed keys. “August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service” [63]. The multitude of communication methods available for devices further complicates the challenge of securing them.
How IoT devices are managed and maintained is another area of concern. Many devices are placed in locations where they are easily accessible, making it possible for someone to tamper with them physically. Often, devices come with default passwords that users do not change, making them incredibly easy to hack. Authors in [64] state in their paper that having physical access to a device allows for node tampering, which “can obtain sensitive information such as encryption key”. Also, it can be difficult to update the software on many IoT devices, leaving them vulnerable to newly discovered security problems. Manufacturers may not provide updates regularly, or the update process might be complicated, leading users to put it off.
Physical security is another important factor. If someone can physically access an IoT device, they may be able to tamper with it, steal information, or even take control of it. They could potentially extract sensitive data, change the device’s programming, or plant malicious hardware inside. Many IoT devices are not designed to be tamper-proof, making them vulnerable to this type of attack.
Many IoT devices rely on cloud services to store and process data. While the cloud can be very useful, it also introduces new security risks. If the cloud service itself has security problems, the data from the IoT devices can be exposed. Also, it is important to make sure that only authorised people can access the data stored in the cloud. Because both the device maker and the cloud provider share responsibility for security, it can sometimes be unclear who is in charge of what. Service models like PaaS, IaaS, and SaaS each divide this responsibility differently. Under SaaS the provider is mainly responsible for the hosted service, whereas for on-premises and IaaS deployments ownership rests heavily with the customer. This is further shown in Figure 10.
The consequences of these security weaknesses can be serious. Hacked devices can be used to launch large-scale cyberattacks that disrupt Internet services or even critical infrastructure. They can also be used to steal personal information, which can lead to identity theft and financial loss. In industrial settings, hacked devices can cause damage to equipment or even create safety hazards. Security breaches can have devastating effects on critical infrastructure like power plants or water treatment facilities.
Fixing these problems requires a combined effort from device makers, users, and security experts. Manufacturers need to prioritise security from the beginning of the design process and follow secure coding practices. They should use strong authentication and encryption methods and provide regular security updates. Users need to be educated about the risks and take simple steps like changing default passwords and keeping their devices updated. Security researchers can help by identifying vulnerabilities and developing better security solutions.
Future research should focus on creating lightweight security tools for devices with limited resources, developing standardised security rules for the diverse IoT world, and improving the security of cloud-based systems. There is also a need for ways to automatically find and fix security problems in large numbers of IoT devices. Better communication methods and stronger ways to authenticate devices are also needed. Finally, it is important to research ways to protect the privacy of data collected by IoT devices.

7. Entry Points for Malware on IoT Devices

7.1. The Compounding Risks of Insecure IoT Devices

The spread of Internet of Things (IoT) devices has ushered in an era of unprecedented connectivity, but it has also created a complex web of compounding security risks. Foundational vulnerabilities create a fertile ground for exploitation, such as inherent device limitations due to cost and processing constraints, coupled with software and firmware flaws like weak authentication and unpatched code. Furthermore, network vulnerabilities, including insecure communication protocols, exacerbate these weaknesses, leaving devices exposed to malicious actors. Figure 11 expands on this in a graphical representation.
However, the true danger lies in the compounding nature of these risks. The sheer scale and ubiquity of IoT devices dramatically increase the attack surface, while their interconnectedness allows a single compromised device to serve as a gateway to entire networks, including critical infrastructure. This interconnectedness is a key factor in the compounding risks. In addition to this, the vast amounts of data collected by these devices raise serious privacy concerns, as aggregated data can create detailed personal profiles. Moreover, insecure IoT devices are frequently conscripted into botnets, enabling large-scale distributed denial-of-service (DDoS) attacks that can disrupt essential services. Finally, vulnerabilities within the supply chain can introduce compromises during manufacturing or distribution. “Supply chain security risks add a layer of concern, as compromises during manufacturing or distribution can introduce backdoors or vulnerabilities that may go undetected until exploited” [66], which can lead to widespread security breaches.
Reducing supply chain security risks requires the implementation of clear and safe practices. This means confirming the integrity of components, ensuring secure manufacturing methods, and establishing systems to identify and manage vulnerabilities throughout the device’s lifecycle.
The real-world consequences of these accumulating risks are significant. Attacks on vital infrastructure, including power grids and water systems, can lead to severe outcomes. In healthcare, compromised medical devices threaten patient safety and jeopardise confidential health data. Industrial espionage through attacks on industrial IoT (IIoT) devices represents a serious risk to intellectual property and economic stability. Even at home, insecure smart devices can be used for surveillance and theft. “In healthcare, for example, IoT devices may collect sensitive patient data, while smart home devices continuously monitor users’ activities and preferences. The pervasive nature of IoT, combined with insufficient privacy safeguards, can lead to unauthorised surveillance, profiling, or the unintended exposure of personal information” [66]. Thus, tackling the compounding risks posed by insecure IoT devices necessitates a comprehensive approach that includes strong security protocols, enhanced firmware management, and thorough regulatory frameworks.

7.2. Case Studies in IoT Malware

When researching IoT and malware, most, if not all, researchers always mention the 2016 Distributed Denial of Service (DDoS) Mirai attack. This malware is often cited as the most pertinent, as it was the first botnet designed for a Linux system using an ARC processor. On 21 October 2016, this botnet, installed on thousands of IoT devices, targeted DNS provider Dyn with 1 terabit per second of traffic, knocking out major websites such as Twitter, GitHub, HBO, Reddit, Netflix, PayPal, and Airbnb.
The Mirai code was released shortly after this attack. Security experts and amateur hackers have utilised this code to understand and create other botnets. This resulted in the next IoT malware on a much larger scale—Reaper (also known as IoTrooper), with reportedly 2 million IoT devices infected compared to Mirai’s half a million. While Mirai and Reaper are very similar, they also operate in different ways. Mirai exploits default user credentials that are often left unchanged by users, whereas Reaper takes advantage of known IoT vulnerabilities in systems like home routers and IP security cameras. Although patches are available for most of these systems, in 2017, automatic firmware updates were not yet available. It typically required users to download a patch from the vendor’s website and upload it to the device, which most users did not do. Automatic patching of IoT devices is a game changer in the fight against malware, enabling the distribution of security patches to devices over the internet and significantly reducing threats on a nearly global scale.

7.3. Implications for Multi-Vector Attacks

Multi-vector attacks are attacks that are aimed at multiple parts of a system simultaneously. One attack alone might not be successful; however, if you attack one part of the system and it commands another operation, this secondary operation might be the target that enables the attack. A multi-vector attack is used to make code perform some operation and then attack that new operation. Multi-vector attacks generally require more resources and are more sophisticated but can have potentially better results. It is also possible to use multi-vector attacks to hide an actual attack; for example, the noise and confusion of a DDoS might be a smoke screen for an account takeover or the theft of data from a system. It is also hard for teams to defend against a multi-vector attack, as the team trying to resolve the issues has to understand the attack and identify each vector, potentially leaving the attacker longer to conduct their operation while the security team focuses its efforts on another part of the system.
In the combat of malware, it is also possible to use this very mechanism to detect it. By monitoring multiple vectors of a system, it is possible to create a holistic representation of the system behaviours, rather than a linear method of analysing malware. “Multi-Vector Anomaly Profiling (MVAP) emerges as a groundbreaking approach, offering a comprehensive analysis of system behaviours across multiple dimensions to identify subtle anomalies indicative of ransomware activity” [67].

7.4. Malware Development and the IoT

IoT malware is on the rise, becoming ever more attractive to attackers as organisations integrate IoT into their businesses, especially with the advent of Industry 4.0.

7.4.1. Botnets

As previously discussed, botnets and DDoS are attacks that use the sheer mass of infected devices to target a victim or victims. The infected IoT system can be controlled by a command and control service (Figure 12) issuing commands to the botnets to initiate their attacks. There are several topologies of these botnets, centralised, meshed, and hybrid, as seen in Figure 13, Figure 14 and Figure 15. Arrows show the direction of commands.
Centralised setups are the simplest to establish and can scale rapidly, utilising a single command and control (C&C) server to manage relay and attack nodes. However, this model presents drawbacks, such as a single point of failure, since each node might have the C&C server’s address hardcoded into its software. If the C&C server is ultimately removed, the botnet becomes ineffective, but a new C&C server can be established by changing the IP associated with the URL; however, the URL or DNS name could be blacklisted. This challenge can be mitigated using a Domain Generation Algorithm (DGA), which generates DNS names based on a variable like time. Generally, if all nodes are synchronised, they run the DGA and, if their clocks are accurate, generate the same DNS name for a brief period (typically 24 h), long enough to execute commands without becoming globally blacklisted. Another strategy involves querying a popular, legitimate website for a specific element or string.
P2P botnets consist entirely of command and control (C&C) servers, either fully meshed or connected to at least one other botnet. This decentralised structure mitigates the challenges associated with a centralised system. However, there are constraints based on the botnet links, which are limited by the number of TCP sockets available. Additionally, as nodes are added or removed, it becomes necessary to send more command messages to inform each node of the current members. Initial members must have a starting list of nodes that researchers can extract from the code for disruption or infiltration; alternatively, initial lists can be gathered from file-sharing platforms. Not all nodes are directly accessible via the internet, leading to some nodes becoming NAT-Nodes. These NAT-Nodes are the ones that carry out the attacks because they are internet-facing. The remaining nodes are referred to as super-nodes, which serve as the C&C servers.
The third topology is a hybrid of centralised and P2P. This consists of a proxy layer between the attack/worker nodes and the C&C server, ultimately hiding the C&C behind a meshed network of proxy nodes. Nodes are determined to be worker or proxy nodes by metrics like network latency. Examples of hybrid botnets are the Miner botnet and the Zeus botnet [68].

7.4.2. Ransomware’s Reach in IoT

“Ransomware reach” describes the scope or number of systems, devices, or users that a ransomware attack might impact within a network or organisation, illustrating how extensive the consequences could be if the attack succeeds. It highlights the potential volume of files or data that could be encrypted and held for ransom by the attacker. This is further explained in Table 3.
The impact of ransomware and its attackers depends heavily first on the environment and second on the experience and determination of the assailant. That said, even the most persistent attacker in a fortified environment may still fail to achieve their desired outcome.

7.4.3. Cryptocurrency Mining

Cryptocurrency mining is the process of computing the blockchain and using mathematical equations to find a prime that ensures a set value, thus making the blockchain robust. Before discussing malicious actors and mining, it is crucial to consider a future concept of utilising unused IoT computing power that idles during the day and undertakes limited tasks until needed. The idea of employing IoT for cryptocurrency mining represents a form of distributed mining. However, the viability and profitability of this endeavour come into question, given the power consumption that mining requires and the fact that IoT devices, lacking GPUs and computational power, are not ideal for crypto mining. “This scenario becomes particularly concerning when considering the energy mix used to power these devices, which often includes non-renewable sources” [69]. This concept becomes even more intriguing with the introduction of algorithms that are designed for small IoT devices, making them more energy-efficient.
If IoT cryptocurrency mining endeavours persist, it will without doubt become a more attractive attack vector. Improved return on investment results from improved software algorithms and hardware, including those with more capable AI chips; their enhancement for customer-based cryptocurrency mining will only make them more attractive to attackers. Attackers are not interested in energy efficiency or the use of non-renewable sources, nor are they concerned about the electricity bill an IoT device generates. It is fairly plausible that IoT devices would have a software cap on the amount of computation spent on mining, to ensure the devices comply with standards such as those for noise and heat. An attacker might even be able to circumvent that cap, pushing the IoT devices beyond their programmed limits in order to compute more cryptocurrency for the attacker. The attacker’s return on investment could then be significant: the investment is the effort spent attacking a number of IoT devices, while the extra computation gained is spread across a large number of devices.
Much the same way a DDoS attack is carried out, instead of the payload being a tool to flood another IP address from a mass of IoT devices, this command and control network would be used to control IoT devices, the payload being to mine cryptocurrency for the purpose of making the attacker money in an anonymous account, secured in the blockchain, that would be retrieved later.

7.4.4. DNS Hijacking

Domain name service (DNS) is the service that translates fully qualified domain names (FQDNs) or URLs such as cardiffmet.ac.uk into routable addresses in the form of Internet Protocol (IP) addresses (15.197.233.159). Converting a human-readable name into a numeric address (or hexadecimal for IPv6) allows the device to route traffic over the network or Internet to its intended target and back. The DNS is a system of servers that either resolve the request or forward it on to an upstream server in order to return the DNS records for the resolved address to the sender. Interposing a rogue DNS server, a man-in-the-middle (MITM) attack, or hardcoded addresses can trick the IoT device into sending its data to another system without knowing. There are methods in place that ensure systems only talk to whom they intend to talk to, using encryption, mutual TLS, and machine-to-machine authentication. These security mechanisms have the potential to be turned off in a compromised system. However, a well-designed system should be able to detect this and report on it.
The reporting of IoT devices introduces additional complexities. For IIoT devices that connect to customer-managed systems, this is generally accepted in a similar manner to how event logs, syslogs, and telemetry data are collected for the security, monitoring, and performance of computer systems. However, for home and personal IoT devices that lack centralised control by the customer, exporting data to manufacturers or their SaaS services may violate data protection regulations like GDPR. There is a delicate boundary between system status and customer data. If a system reports any information that could identify a customer or share data with a third party—such as the country where the data are stored—it could result in a privacy breach.
DNS hijacking is not new; it involves various methods such as falsifying addresses and using Cyrillic characters in place of Latin ones. Until recently, most DNS traffic was unencrypted, meaning that a majority of this data was readable and could be intercepted, altered, or even exploited to drip-feed information out of a system. By altering the DNS packet itself and entering data into the blank spaces in plaintext or base64, an attacker could export valuable data while bypassing IDS and IPS, along with content inspection firewalls, because DNS traffic is generally permitted and rarely questioned. Figure 16 shows a typical DNS hijacking sequence.
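The DGA rendezvous names described in Section 7.4.1 and the exfiltration of data inside DNS queries described above can both be triaged from DNS query logs. The following Python is an added example, not code from the paper; the log format, the domain names and the scoring thresholds are all constructed for illustration.

```python
"""Heuristic triage of DNS query logs for DGA-style names and DNS tunnelling.

Added example (not from the paper): every queried name is scored with simple,
explainable features, and the names that look machine-generated or that carry
encoded payload in their labels are returned. Thresholds are illustrative.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not real traffic): "<epoch> <client-ip> <qtype> <qname>".
# Lines 3-5 mimic a DGA rendezvous (random second-level labels, no subdomain);
# lines 6-8 mimic exfiltration chunks encoded as base64 labels under one domain.
SAMPLE_LOG = """\
1700000000 10.0.0.7 A updates.example-vendor.com
1700000001 10.0.0.7 A cdn.example-vendor.com
1700000002 10.0.0.9 A xk7q2v9zplw4hfnt.net
1700000003 10.0.0.9 A q8v3zm1ycj6lsr2w.net
1700000004 10.0.0.9 A wz4pk9n7xtb2lqvh.net
1700000005 10.0.0.12 TXT dGhpcyBpcyBz.ZWNyZXQgZGF0YQ.exfil-tunnel.example
1700000006 10.0.0.12 TXT YW5vdGhlciBj.aHVuayBvZg.exfil-tunnel.example
1700000007 10.0.0.12 TXT ZGF0YSB0byBz.ZW5kIG91dA.exfil-tunnel.example
1700000008 10.0.0.3 A mail.example-vendor.com
"""

# A label of 12+ characters drawn only from the base64 / base64url alphabet.
BASE64_LABEL = re.compile(r"^[A-Za-z0-9+/=_-]{12,}$")
VOWELS = set("aeiou")


def shannon_entropy(s):
    """Bits per character; a label of 16 distinct characters scores 4.0."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Crude approximation of the registrable domain: the last two labels."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname.lower()


def dga_score(qname):
    """Score the second-level label: high entropy, few vowels and digits suggest a DGA."""
    sld = registered_domain(qname).split(".")[0]
    if len(sld) < 8:
        return 0.0
    vowel_ratio = sum(ch in VOWELS for ch in sld) / len(sld)
    score = 0.0
    if shannon_entropy(sld) > 3.5:
        score += 0.5
    if vowel_ratio < 0.25:
        score += 0.3
    if any(ch.isdigit() for ch in sld):
        score += 0.2
    return score


def tunnel_labels(qname):
    """Count subdomain labels (below the registrable domain) that look like encoded chunks."""
    labels = qname.rstrip(".").split(".")[:-2]
    return sum(1 for lb in labels if BASE64_LABEL.match(lb))


def triage(log_text, dga_threshold=0.7, tunnel_min_queries=3):
    """Return {'dga': [qnames], 'tunnel': {domain: query_count}} for raw log text.

    A single encoded-looking label is weak evidence; tunnelling is only reported
    once a registrable domain accumulates tunnel_min_queries such queries.
    """
    dga_hits = []
    tunnel_counts = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, _client, _qtype, qname = parts
        if dga_score(qname) >= dga_threshold:
            dga_hits.append(qname)
        if tunnel_labels(qname) >= 1:
            tunnel_counts[registered_domain(qname)] += 1
    tunnels = {d: c for d, c in tunnel_counts.items() if c >= tunnel_min_queries}
    return {"dga": dga_hits, "tunnel": tunnels}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("DGA-like names:", result["dga"])
    print("Tunnelling domains:", result["tunnel"])
```

In production the per-domain counts would be kept over a sliding window and the registrable-domain lookup replaced by a public suffix list, but the features themselves are the ones an analyst can explain when a hit is raised.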
IoT devices interact with the networks very much the same as a laptop, mobile phone, or server. They use parts of the OSI 7-Layer model to interact with the physical, data, network, and session layers (the bottom four layers). They are susceptible to attacks in the same manner other network devices are, including the DNS hijack. When a user browses a website that has potentially been redirected, the browser will attempt to inform the user of this and request the user make an informed decision on its next step. An IoT device does not have this option to decide yet; it relies on its code to either accept the connection or reject it, with very little, if any, acceptance from the user, application, or commodity it is operating for.
DNS hijacking is a method of using the system either to redirect traffic to another server or to hide data in the payload. With systems like mTLS, machine-to-machine authentication, and encrypted DNS, the attack vector changes and the issues faced with current DNS technologies are minimised.

8. IoT Malware Identification Strategies

There are two strategies when it comes to identifying malware: static and dynamic (see Figure 17). Dynamic analysis implies watching the executable run and monitoring its actions. However, this is not always the best method, as an executable may only behave in a certain way under certain circumstances. Static detection commonly uses “control flow graph (CFG), operation codes (opcode), strings, file header, [and] grey-scale image” [70]. In this section, we review the strategies used for IoT malware identification.

8.1. The Role of Network Analysis in Thwarting IoT Malware Spread

In contrast to traditional malware for computers, IoT malware is specifically designed to function within the limits of devices that have restricted processing capacity and memory. This type of malicious software can take on various forms, such as viruses that latch onto clean files, self-replicating worms, and Trojans that masquerade as genuine applications. The consequences of successful IoT malware attacks can be significant, potentially compromising personal privacy through data theft and unauthorised monitoring, disrupting vital services, and even causing physical damage in critical infrastructure scenarios. Figure 18 shows a typical attack lifecycle.
The growing number of interconnected devices inherently broadens the attack surface available to malicious actors, making comprehensive security strategies paramount.
In this context, network analysis becomes vital for comprehending, identifying, and reducing the impact of IoT malware. Security experts can uncover crucial insights into their behaviour by carefully investigating network traffic patterns, communication protocols, and data flows linked to IoT devices. This clarity is vital for spotting unusual activities that might signal a malware infection or efforts to spread harmful code throughout the network. Efficient network analysis methods, including traffic monitoring, deep packet inspection, and anomaly detection, are fundamental in establishing strong defences against the continuously changing threat posed by IoT malware. The rapid growth of the IoT creates a significant challenge, as the escalating number of connected devices results in a correspondingly larger attack surface for malware. Having separated networks for IoT devices reduces the blast radius of infected devices. “Think of it as creating digital quarantine zones. If one IoT device becomes infected, it doesn’t have free rein over your entire network” [71].
Table 4 shows some of the network-based attacks, noting some of the largest network attacks, not only directed at IoT but at other devices as well, like computer systems. WannaCry in 2017 almost took down the UK’s National Health Service. Stuxnet targeted the infamous Iranian nuclear facilities; this worm was introduced by a USB device planted in the car park and, once inside the network, hunted for Siemens software to attack.
In summary, network analysis is crucial and complex in the fight against IoT malware. It offers vital insights into the communication habits and behaviours of connected devices, allowing security experts to spot suspicious actions, pinpoint compromised devices, and execute effective countermeasures. Techniques like traffic monitoring, deep packet inspection, network flow analysis, and anomaly detection provide distinct benefits in identifying malicious activities within the IoT landscape. Moreover, strategically applying network segmentation adds an essential defence by segregating IoT devices and restricting malware spread throughout the network.

8.2. Protecting Against IoT Malware

To protect against IoT malware, it is essential to first understand and categorise the attack; see Table 5, Attack Vectors of IoT. This paper categorises the methods used. While there is overlap between some of these vectors, all malware can be categorised using this compiled table.
While network analysis greatly aids in fighting IoT malware, it faces inherent challenges due to the distinct nature of resource-limited and varied IoT settings. Many IoT devices come with restricted processing capacity and memory, complicating the implementation of advanced network analysis tools on the devices themselves. This limitation often means relying on passive monitoring or simpler analysis methods. Ozsoy et al. proposed using a malware-aware processor (MAP) which would be universal in IoT systems [82]. The extensive diversity among IoT devices spanning numerous architectures, operating systems, and communication protocols adds to the challenge. Creating universal network analysis solutions that can effectively oversee and secure all these different types of devices is a daunting task, frequently necessitating customised strategies and specific profiling for each device.
A significant trend is the rising use of artificial intelligence (AI) and machine learning (ML) to create enhanced and adaptable threat detection and prediction mechanisms. AI and ML algorithms can process extensive network data, recognise nuanced patterns that suggest malicious activities, and respond to changing threats more efficiently than conventional rule-based systems. This encompasses the development of advanced anomaly detection methods that can manage the intricate and frequently chaotic data produced by IoT devices [71]. Table 6, Network Analysis Techniques for IoT Malware Detection, breaks down the types of network monitoring used to identify malware in IoT and networks.
Network analysis provides valuable tools to combat IoT malware, yet it is crucial to recognise the challenges posed by the resource limitations and diverse nature of IoT settings. The growing sophistication of malware and the widespread use of encryption requires ongoing innovation and adaptation in network analysis methods. Future advancements, such as the incorporation of artificial intelligence and machine learning, enhancements in edge computing, and the creation of standardised security frameworks, show great potential for improving network analysis’s ability to counteract the evolving threat of IoT malware [83]. Ultimately, a thorough and multi-faceted security strategy that combines strong network analysis with other vital security measures is necessary to protect our increasingly connected Internet of Things environment.

9. Best Practices in the Prevention of IoT Malware Infection

The proliferation of Internet of Things (IoT) devices has brought convenience and efficiency but also significant security concerns due to their interconnected nature and often limited security. Malware targeting these devices can lead to data breaches, financial losses, service disruptions, privacy violations, and the creation of botnets for DDoS attacks. Proactive security measures are crucial to mitigate these risks for individuals, organisations, and manufacturers. This report outlines best practices, ranging from basic security hygiene to advanced technical measures, to prevent IoT malware infections. This is visually represented in Figure 19.
The swift uptake of IoT devices has resulted in a substantial, frequently unsecured attack surface. The pace of innovation sometimes surpasses security advancements, leading users to favour convenience over safety, which creates new vulnerabilities. When an IoT device is compromised, attackers can gain entry to an entire network, enabling them to exploit critical assets further.

9.1. Understanding the Threat: Common Attack Vectors and Vulnerabilities

Understanding how IoT devices become infected is crucial for prevention. Weak or default passwords serve as a primary entry point, frequently exploited by automated tools such as the Mirai botnet. Many devices continue to be shipped with default credentials that users neglect to change, emphasising a persistent vulnerability. Software vulnerabilities and outdated firmware pose another significant threat. Attackers can exploit unpatched flaws to gain unauthorised access and install malware. Updating firmware is crucial but challenging due to market fragmentation and inconsistent update mechanisms. As a result, many devices remain vulnerable long after flaws are discovered. Phishing and social engineering attacks also target IoT users, deceiving them into installing malware or divulging sensitive information. Attackers may exploit the human element, as users might be less vigilant with IoT devices compared to computers.
Man-in-the-middle (MITM) attacks can compromise communication between IoT devices and cloud services, allowing attackers to inject malware or steal data. Secure communication protocols like HTTPS and TLS/SSL are essential for mitigation [84]. The reliance on cloud services introduces another vulnerability if the communication channel is not secure. Network infrastructure weaknesses, such as weak Wi-Fi passwords, open router ports, and lack of segmentation, can also be exploited to infect IoT devices within a network [85]. The security of IoT devices is linked to the security of the network they are connected to. In addition to these vectors, IoT malware takes advantage of particular software vulnerabilities such as buffer overflows, command and SQL injection flaws, cross-site scripting (XSS), insecure APIs, and the absence of encryption for sensitive data. Many of these vulnerabilities are typical software security problems, highlighting the necessity for improved secure development practices within the IoT sector. The constrained resources of devices can further impede the adoption of strong security measures.

9.2. Fundamental Best Practices for Prevention

There are basic things all network devices can do to prevent or reduce the likelihood of attack. These include not using default passwords, enforcing encryption, and robust patching of firmware and software. In this section, we discuss the fundamentals of prevention.

9.2.1. Implementing Strong and Unique Passwords

Changing default passwords on all IoT devices immediately is crucial. Strong passwords should incorporate a mix of uppercase and lowercase letters, numbers, and symbols while avoiding personal information or common words [86]. Password managers can assist in generating and storing complex passwords. Using unique passwords for each device and account helps prevent widespread compromises if one password is breached. Manufacturers should require password changes during setup and ensure user-friendly interfaces.

9.2.2. Securing Your Network (Wi-Fi and Router Configuration)

When securing the Wi-Fi network, a strong, unique password should be used, and it should be ensured that encryption is current (WPA2 or WPA3). The router’s default admin password should be changed immediately. The router firmware needs to be updated regularly to fix vulnerabilities, and UPnP should be turned off unless essential, as it may open unnecessary ports. The router’s firewall should be activated, and setting up a separate guest network for IoT devices should be contemplated to keep them isolated from the main network.

9.2.3. Managing Firmware Updates Effectively

It is essential to keep the firmware of IoT devices updated to ensure security. Automatic updates should be activated, if they are available. If that is not possible, updates should be checked for regularly through official manufacturer channels. Additionally, the manufacturer’s update history should be reviewed prior to buying a device.

9.2.4. The Importance of Network Segmentation for IoT Devices

Network segmentation keeps IoT devices separate, reducing the risk of malware spreading. For basic segmentation, the guest Wi-Fi network feature should be utilised on routers. More experienced users might establish VLANs. In highly sensitive settings, using distinct physical networks should be considered. Firewall rules should be set up to permit only essential communication to and from IoT devices.

9.2.5. Leveraging Firewalls and Intrusion Detection/Prevention Systems

Firewalls regulate network traffic by blocking unauthorised connections. The router’s firewall should be active. Dedicated firewall solutions should be explored for enhanced control. Intrusion Detection Systems (IDSs) keep an eye on suspicious activities, whereas Intrusion Prevention Systems (IPSs) automatically thwart threats. Given their distinct traffic patterns, anomaly-based IDS are particularly relevant for IoT.
It is vital to educate users about IoT risks and best practices. Users should be warned about suspicious emails and links, especially those related to updates. Verifying update legitimacy and the importance of physical device security should be emphasised. Users should be educated on privacy implications and how to configure settings. Users should also be encouraged to report suspicious device behaviour.

9.3. Advanced Strategies for Enhanced Security

Continuously analysing network traffic helps identify malware infections by spotting unusual behaviours. Techniques such as Deep Packet Inspection (DPI), flow analysis, and behavioural analysis are effective. AI and machine learning improve detection by recognising deviations from standard patterns. Additionally, tools can classify IoT devices based on their traffic characteristics.
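The traffic-baselining approach described in Sections 8.1 and 9.3 can be illustrated with a small example (added here; not code from any cited study). It builds a per-device profile of hourly outbound volume, destination hosts and destination ports from constructed flow summaries for a single camera, then scores a new hour against that profile with a z-score and a check for never-before-seen peers and ports. Device names, addresses and byte counts are invented for the demonstration.

```python
import statistics
from collections import defaultdict

# Constructed 24-hour baseline for one camera: (device, hour, bytes_out, dst_ip, dst_port).
# Steady video upload to one cloud host plus a trickle of DNS. Not a real capture.
BASELINE_FLOWS = (
    [("cam-01", h, 2_000_000 + (h % 3) * 50_000, "198.51.100.7", 443) for h in range(24)]
    + [("cam-01", h, 1_200, "192.0.2.53", 53) for h in range(24)]
)

# Constructed observation window to score against that baseline. The last record is the
# anomaly: a large upload to a never-before-seen host on a port the device never used.
NEW_FLOWS = [
    ("cam-01", 25, 2_050_000, "198.51.100.7", 443),
    ("cam-01", 25, 1_200, "192.0.2.53", 53),
    ("cam-01", 25, 48_000_000, "203.0.113.9", 23),
]


def build_profiles(flows):
    """Per-device baseline: hourly outbound volume statistics plus the known peers and ports."""
    hourly = defaultdict(lambda: defaultdict(int))
    peers, ports = defaultdict(set), defaultdict(set)
    for dev, hour, nbytes, dst, port in flows:
        hourly[dev][hour] += nbytes
        peers[dev].add(dst)
        ports[dev].add(port)
    profiles = {}
    for dev, per_hour in hourly.items():
        volumes = list(per_hour.values())
        profiles[dev] = {
            "mean": statistics.fmean(volumes),
            "stdev": statistics.pstdev(volumes) if len(volumes) > 1 else 0.0,
            "peers": peers[dev],
            "ports": ports[dev],
        }
    return profiles


def score_window(profile, flows, z_threshold=3.0):
    """Compare one hour of a device's flows with its profile and list what deviates."""
    total = sum(f[2] for f in flows)
    new_peers = sorted({f[3] for f in flows} - profile["peers"])
    new_ports = sorted({f[4] for f in flows} - profile["ports"])
    stdev = profile["stdev"] or 1.0  # a perfectly flat baseline would otherwise divide by zero
    z = (total - profile["mean"]) / stdev
    findings = []
    if z > z_threshold:
        findings.append(f"outbound volume z-score {z:.1f}")
    if new_peers:
        findings.append("new destinations: " + ", ".join(new_peers))
    if new_ports:
        findings.append("new destination ports: " + ", ".join(map(str, new_ports)))
    return {"z": z, "new_peers": new_peers, "new_ports": new_ports, "findings": findings}


def detect(baseline_flows, window_flows):
    """Score every profiled device seen in the window; devices without a profile are skipped."""
    profiles = build_profiles(baseline_flows)
    by_device = defaultdict(list)
    for flow in window_flows:
        by_device[flow[0]].append(flow)
    return {dev: score_window(profiles[dev], fl) for dev, fl in by_device.items() if dev in profiles}


if __name__ == "__main__":
    for dev, report in detect(BASELINE_FLOWS, NEW_FLOWS).items():
        print(dev, report["findings"] or ["no deviation from baseline"])
```

Because IoT devices have narrow, repetitive behaviour, a profile this simple is already informative; the same structure extends naturally to DNS names contacted, TLS SNI values or packet-size distributions when the payload itself is encrypted.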
Automatic security updates and patch management provide a timely defence against vulnerabilities. They reduce the window of opportunity for attackers, particularly where users might forget to update manually. Quick automatic patching fixes vulnerabilities without requiring complete firmware updates. However, updates may occasionally introduce bugs or alter functionality unexpectedly. Users depend on manufacturers to deliver prompt and dependable updates, and the update process must itself remain secure. Thoughtful implementation and user awareness are essential.

10. Predicting the Evolution of IoT Malware Threats

The journey of IoT malware is likely to become more sophisticated and complex as time goes on. Experts foresee a move away from basic botnets towards cleverer attack strategies that can dodge the current security safeguards [87]. A big worry we have is the expected rise of ransomware aimed at IoT devices. These attacks could really disrupt crucial services, from smart city infrastructure to healthcare systems, as attackers may ask for hefty financial payouts to get everything back on track. Additionally, with the fast-paced growth of the IoT ecosystem, including the rollout of 6G networks, open radio access network (O-RAN) architectures, and the blending of artificial intelligence, there is a chance that bad actors will find ways to use these advancements to create new and even stronger attack strategies [88]. The interconnectedness of IoT devices also heightens the risk of them being used as gateways to access larger, sensitive networks and crucial infrastructure, which could result in serious damage or data breaches. It is also interesting to note that the occurrence and types of IoT malware attacks can differ across the globe, shaped by factors like IoT adoption rates, the maturity of cybersecurity measures, and local cybercriminal activity.

10.1. Emerging Technologies in the Fight Against IoT Malware

Artificial intelligence (AI) and machine learning (ML) are becoming valuable allies in the battle against IoT malware. Innovative AI/ML techniques are being nurtured for tasks like malware detection, analysis, and mitigation, paving the way for smarter and more adaptable security solutions. Through machine learning algorithms, we can train systems to spot intriguing patterns in network traffic and device behaviour that hint at botnet activity, allowing for quick identification and action [89]. Deep learning models, including convolutional neural networks (CNNs) and long short-term memory (LSTM) networks, are being embraced in IoT threat detection, showcasing impressive accuracy in recognising harmful patterns within complex datasets. Sasi et al. explain this: federated learning emerges as a fantastic way for on-device malware detection while safeguarding user privacy, empowering multiple devices to collaboratively train a common model without sharing local information [88]. Generative AI methods are also being investigated for data augmentation, boosting security systems’ threat detection abilities by creating synthetic malware samples for training. Lastly, graph-based techniques are showing great promise in analysing, comparing, and detecting new malware types by visualising malware binaries as graphs and exploring their structural characteristics; “using chronological, geographical, individual, dependence, activity, the relationship between events or exchanges, and other contextual security data, it is possible to determine whether suspicious behaviour occurs” [90].

10.1.1. The Potential of Blockchain Technology for Enhanced IoT Security

Blockchain technology has amazing potential to boost IoT security. Its unique features, like decentralisation and immutability, can truly enhance data integrity and security within the IoT ecosystem. Imagine using blockchain for collaborative threat intelligence, which allows for the safe and open sharing of information about emerging threats among IoT devices and security stakeholders. In federated IoT environments, blockchain solutions can make secure communication easier and help build trust between devices from different domains [89]. Blockchain is being explored for special applications in IoT, such as creating a secure and transparent log of Electronic Health Record (EHR) access in healthcare IoT systems.

10.1.2. Hardware-Based Security Solutions and Trusted Execution Environments

Hardware-based security solutions are becoming increasingly important in our fight against IoT malware. With hardware-assisted runtime malware detection, we can enjoy better performance and enhanced security compared to traditional software-only methods, as it utilises special hardware resources for effective monitoring and analysis. Trusted Execution Environments (TEEs) create safe and isolated spaces within the device’s processor [91], allowing sensitive tasks to be carried out securely, free from threats posed by malware running in the regular operating system. “The digital key is the foundation for building up secure cryptographic protocols that are built on block ciphers, stream ciphers and hash functions” [92]. In federated IoT setups, Physical Unclonable Functions (PUFs) serve as unique identifiers embedded in the hardware, providing strong device authentication and improving the safety of communication between devices.

10.1.3. Graph-Based Analysis for Identifying and Classifying Malware

Graph-based analysis has become a vital method for revealing and detecting IoT malware. By using Control Flow Graphs (CFGs) to represent malware binaries, researchers can assess structural characteristics and pinpoint subtle similarities and differences among malware samples, including those aimed at various hardware architectures. Alasmary et al. implemented machine learning classifiers to differentiate IoT malware from benign software, achieving a notable accuracy of 97.9% with Random Forests (RFs) [93]. Visualising malware families and their development through graph representations can assist in creating more effective and generalised detection signatures. Figure 20, Control Flow Graphs, shows a very simple graph with seven nodes and nine edges (the arrows). One example chain of transitions is a → b → d → f. The arrows show how a researcher would map the characteristics of one node to the next.
This analytic approach proves especially adept at identifying polymorphic and metamorphic malware, which frequently alter their code to escape detection, because it concentrates on their behavioural patterns as depicted in graph structures. The fight against malware will evolve, and diagrams such as Figure 21 will change over time as new technologies are created and evolve.
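To make the CFG features concrete, here is an added example (not from Alasmary et al. or any cited work) that encodes a constructed seven-node, nine-edge graph as an adjacency list, extracts the kinds of structural features a classifier would consume, and compares it with a constructed “variant” graph by edge-set Jaccard similarity. The graphs and node labels are illustrative only.

```python
# Constructed control flow graph with 7 nodes and 9 edges, mirroring the shape described
# in the text (a -> b -> d -> f is one chain). Not taken from any real binary.
CFG_SAMPLE = {
    "a": ["b", "c"],
    "b": ["d"],
    "c": ["d", "g"],
    "d": ["e", "f"],
    "e": ["g"],
    "f": ["g"],
    "g": [],
}

# Constructed variant: same nodes with one edge rewired, standing in for a metamorphic
# sample of the same family whose behaviour (the graph) barely changed.
CFG_VARIANT = {
    "a": ["b", "c"],
    "b": ["d"],
    "c": ["d"],
    "d": ["e", "f"],
    "e": ["g"],
    "f": ["g", "e"],
    "g": [],
}


def edges(cfg):
    """Directed edge set of an adjacency-list graph."""
    return {(u, v) for u, vs in cfg.items() for v in vs}


def simple_paths(cfg, src, dst):
    """All loop-free paths src -> dst; the 'nxt not in path' test guards against cycles."""
    found = []

    def dfs(node, path):
        if node == dst:
            found.append(path)
            return
        for nxt in cfg.get(node, []):
            if nxt not in path:
                dfs(nxt, path + [nxt])

    dfs(src, [src])
    return found


def cfg_features(cfg, entry="a"):
    """Structural features of the kind fed to a graph-based malware classifier."""
    n = len(cfg)
    e = len(edges(cfg))
    out_deg = {u: len(vs) for u, vs in cfg.items()}
    in_deg = {u: 0 for u in cfg}
    for _, v in edges(cfg):
        in_deg[v] += 1
    exits = [u for u, d in out_deg.items() if d == 0]
    paths = [p for x in exits for p in simple_paths(cfg, entry, x)]
    return {
        "nodes": n,
        "edges": e,
        "density": round(e / (n * (n - 1)), 3),      # fraction of possible directed edges present
        "max_out_degree": max(out_deg.values()),     # widest branch point
        "max_in_degree": max(in_deg.values()),       # most-joined basic block
        "exit_nodes": len(exits),
        "entry_to_exit_paths": len(paths),
        "longest_path_nodes": max(len(p) for p in paths),
    }


def edge_jaccard(cfg1, cfg2):
    """Edge-set similarity in [0, 1]; 1.0 means identical control flow."""
    e1, e2 = edges(cfg1), edges(cfg2)
    return len(e1 & e2) / len(e1 | e2)


if __name__ == "__main__":
    print(cfg_features(CFG_SAMPLE))
    print("similarity to variant:", edge_jaccard(CFG_SAMPLE, CFG_VARIANT))
```

Exhaustive path enumeration is fine for a toy graph but is exponential in general; production feature extractors use degree statistics, graph-level summaries or learned graph embeddings instead, which is why the degree and density features above are the ones that scale.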

11. The Potential of AI and Machine Learning in IoT Malware Detection and Prevention

It was reported in July 2024 that Google’s data centres produced more carbon dioxide than in previous years. This is understood to be because of the increase in the use of AI and the amount of computing, which led to “a 48% increase over the equivalent figure for 2019” [94].

12. Characteristics and Taxonomy of IoT Malware

With the rise of IoT across numerous platforms, devices, and applications, hackers find a multitude of platforms attractive for the distribution of malware due to the vulnerabilities in these devices. It was very common at the dawn of IoT for all passwords to be default. Efforts have been made to improve these systems. This issue is exacerbated when businesses stop patching their products or go out of business. This applies to older IoT models that lack an automatic patching mechanism and rely on an administrator to actively patch devices.
IoT devices are diverse and made cheaply, so it is difficult to keep track of all the devices. This also extends to the research: “most present studies lack a deep understanding of IoT malware and its various aspects” [95].

12.1. How IoT Malware Differs from Traditional Malware

IoT malware and traditional malware have many similarities, mirroring each other in traits like similar lifecycles and exploits. They also differ because IoT devices run on different architectures, have different access to the file systems, and utilise packing to evade detection. “IoT malware evolution follows a similar lifecycle trend to traditional malware by using exploits for infection, packing its payload to avoid detection, using specialized capabilities based on device resources, and leveraging P2P and centralized infrastructure for C&C call-back” [56].
Researchers Vignau et al. found that some cheaper legacy IoT devices had full Linux OS systems with bash shells, where the programming focused more on device functionality than security. A device like a smart bulb does not require a full OS with commands that can interact with features like firewalls. “There is no reason to include such commands in an IoT-connected device” [54].

12.2. Attack Vectors Specific to IoT

At the HP Protect 2014 conference, some key facts from research on IoT were presented. The research looked at a number of devices, including door locks, scales, garage door openers, TVs, webcams, and more. A total of 90% of IoT devices collected some type of personal data. Six out of ten devices had vulnerabilities like cross-site scripting and weak credentials; this included 80% of devices not requiring strong passwords. In addition, 70% of devices at the time of publishing did not encrypt their network traffic, and a further 70% of devices allowed the publishers to access content through account enumeration [96].

13. IDS/IPS

13.1. What Is an IDS/IPS?

Intrusion Detection Systems (IDSs) and Intrusion Prevention Systems (IPSs) are applications that normally reside on the boundary of a network or on a particular application. These systems are put in the path of network traffic to inspect it. An IDS inspects the traffic for “intrusion threats, attacks and malicious activities” [97] and then creates an alert in a SIEM for administrators to action, reducing the mean time to detect (MTTD). However, the attack will have already taken place. An IPS differs by being able to act on the identification of the threat, proactively providing detection and blocking in real time.
The issue with traditional signature-based IDSs/IPSs is that they scan the payload for signatures. However, now that encryption covers near 95% of traffic, “payload analysis cannot be performed without deciphering the encrypted traffic” [98]. The ability to decrypt this encrypted data would open up severe security concerns, reduce the integrity of the data, and also pose ethical issues in inspecting users’ data. Because the data are encrypted, rather than inspecting the payload, the IDS/IPS relies on metadata: “features such as package length, acknowledge package number and package arrival and departure times are used instead of package content” [98]. Complexities also include different protocols, algorithms, and applications, from Web traffic, VoIP, and SSH to VPN traffic, each coming with different behaviours and patterns which can be interrogated against expected traffic.

13.2. How Do IDS/IPS Work?

There are five main families of IDS/IPS systems. A NIDS is a network-based intrusion detection system that normally sits at the boundary of a network, such as in a Next-Gen firewall. Host intrusion detection systems (HIDSs) reside on the host system directly; however, this can be harder to manage given the quantity of devices. “This can become burdensome depending on the organization’s size” [99]. There are also protocol-based intrusion detection systems (PIDSs) and application protocol-based intrusion detection systems (APIDSs), which monitor a group of applications and the protocols used. When proprietary protocols are used, APIDSs can be configured to report on specific protocols: “On an advanced level it can be trained to reduce an infinite set of protocols to an acceptable subset of that application that is being monitored” [100]. The last model, the Hybrid IDS, is a hybrid intrusion detection system, which combines several of these methods.
Encryption changed the foundations of how IDS/IPS works. Like antivirus programs, traditional inspection methods used signature-based detection methods to identify data being passed through the detection applications. Being able to inspect the payload and add the packets together, an IDS was able to understand what data in the packet were intended to achieve and run this against libraries of signatures. This, again, like antivirus signature-based detection, required researchers to identify the risk, publish, and for the IDS engine to update. This slow method does not work well against zero-day attacks.

13.3. Using IDS/IPS for Malware Detection

IDS/IPS systems have a finite number of resources, such as CPU, RAM, etc., so, to remain performant, these systems do not inspect all traffic. For example, TCP packets that have a low TTL are ignored, as these are likely to be dropped by the network anyway. This enables an interesting TTL evasion: inserting TCP packets with low TTLs. This is demonstrated in Figure 22 [101].
If an attacker has several packets transmitting malware, extra packets are injected with shorter TTLs to disguise the malware. For example, the packets “F”–“I”–“L”–“E” would be detected by the IDS/IPS; however, adding a packet “&” with a low TTL means that the sequence “F”–“I”–“&”–“L”–“E” is no longer recognised by the IDS and will not create an alert condition [102]. The TTL of the packet “&” expires before it reaches the target; therefore, the original malware payload reaches the target intact.
In a TCP/IP packet, the TTL is set by the sender in the IP header and is reduced by one each time it passes a layer 3 node. Figure 23 shows the location of the Time to Live field within the packet.
The researchers running these experiments were 100% successful. Their IDS/IPS did not trigger an alert, and using this evasion technique they “succeeded in taking a reverse shell on victim machine” [102] using Snort as their IDS/IPS. If the traffic was encrypted, it could be argued that this IDS/IPS would not be able to detect this attack anyway. That being said, researchers found a single evasion technique from the 1990s that was able to evade the detection of three leading IDS/IPS systems: “FortiGate, Snort and ZyXEL” [103]. This paper goes further to propose and test the hypothesis using the header information in the TCP packets. This is the same information used in Quality of Service (QoS) data and Class of Service (CoS). Running the data through SVM and Random Forest ML, Jingping et al. were able to disguise TCP streams as Codeword Streams and evade detection.
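The defensive lesson of the TTL example is that a sensor must rebuild the byte stream as the endpoint will see it, or at least notice when it cannot. The following added example (constructed for this review, not from the cited experiments) models the packet train above as segments with sequence numbers and TTLs, shows that arrival-order concatenation yields a stream the signature does not match, reassembles the endpoint’s view when the hop count to the target is known, and reports overlapping segments that disagree, which is the footprint the insertion leaves when that hop count is unknown. The four-hop distance and the `FILE` signature are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # sequence number of the first payload byte
    payload: bytes
    ttl: int        # IP TTL as observed at the sensor


# Constructed packet train from the insertion scenario in the text: "&" is a decoy the
# sensor sees but that expires before reaching the endpoint. Values are illustrative.
SIGNATURE = b"FILE"
HOPS_SENSOR_TO_TARGET = 4   # assumption: layer 3 hops between the sensor and the endpoint
TRAIN = [
    Segment(0, b"F", 64),
    Segment(1, b"I", 64),
    Segment(2, b"&", 2),     # decoy: TTL too small to survive four more hops
    Segment(2, b"L", 64),
    Segment(3, b"E", 64),
]


def naive_reassemble(segments):
    """Arrival-order concatenation: what a detector sees if it trusts every packet it receives."""
    return b"".join(s.payload for s in segments)


def endpoint_view(segments, hops):
    """Rebuild the stream the endpoint will actually receive.

    Segments whose TTL cannot survive the remaining hops are discarded; the rest are placed
    by sequence number, and the first byte seen at an offset wins (a common receiver policy).
    """
    stream = {}
    for s in segments:
        if s.ttl <= hops:
            continue
        for i, byte in enumerate(s.payload):
            stream.setdefault(s.seq + i, byte)
    return bytes(stream[k] for k in sorted(stream))


def overlap_conflicts(segments):
    """Offsets where two segments claim different bytes.

    Even a sensor that does not know the hop count can raise this as a finding: legitimate
    retransmissions repeat the same data, so disagreeing overlaps are themselves suspicious.
    """
    seen = {}
    conflicts = set()
    for s in segments:
        for i, byte in enumerate(s.payload):
            off = s.seq + i
            if off in seen and seen[off] != byte:
                conflicts.add(off)
            seen.setdefault(off, byte)
    return sorted(conflicts)


def matches(stream, signature=SIGNATURE):
    """Stand-in for the signature engine: does the reassembled stream contain the pattern?"""
    return signature in stream


if __name__ == "__main__":
    print("naive view  :", naive_reassemble(TRAIN), matches(naive_reassemble(TRAIN)))
    view = endpoint_view(TRAIN, HOPS_SENSOR_TO_TARGET)
    print("endpoint view:", view, matches(view))
    print("conflicting offsets:", overlap_conflicts(TRAIN))
```

This is the reasoning behind traffic normalisers that sit in-line and rewrite or drop ambiguous packets before the detector sees them: removing the ambiguity is cheaper and more reliable than teaching every signature to tolerate it.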
In this section, we look at IDSs/IPSs, how they work, how they have evolved, and the limitations they face with the payload data being encrypted. In the next section, we look at minimisation, how computation has shrunk, and how researchers have been using devices like Raspberry Pi with AI and ML.

14. Malware as an Image (Image Recognition Using AI)

Expanding on the previous section, this section looks deeper into artificial intelligence and how it is used to classify images, including converting data files into images for the purpose of using AI to identify malware based on appearance. There are a number of AI models; a small subset of these are presented in Table 7.

14.1. Character Recognition

The most common and widely used dataset for learning character recognition is the MNIST dataset, which has 70,000 images, using the characters 0–9 based on 28 × 28 pixels (784 pixels). Figure 24 [104] below shows an example of these figures.
Using a convolutional neural network (CNN) to classify images is fairly standard and well understood. The training mechanism requires few outliers and little over- or under-scoring. Two activation functions used in CNNs are the Sigmoid function and the rectified linear unit (ReLU) function. The images below, Figure 25, show how both functions work. The Sigmoid has a finite upper and lower value, whereas for ReLU, “if it is greater than 0, it remains. Otherwise, it is 0” [106].
ReLU is far faster to train than Sigmoid. This is because ReLU can treat everything that is negative as zero, whereas Sigmoid still has to compute the value for both positive and negative inputs. Paper [106] investigates the learning pattern of a CNN using Sigmoid and ReLU, finding that ReLU not only improves the learning rate but also gives better performance in the recognition of the characters. In paper [107], the research compared a CNN with a Deep Belief Network (DBN) and concluded that a CNN is best suited to 2D data rather than 1D data modelling like sounds.

14.2. Image Recognition

Image recognition using AI can far outperform manual tasks and speed up production while also being less destructive. In the paper Development of image recognition software based on artificial intelligence algorithm for the efficient sorting of apple fruit [108], the researchers classified apples using CNN models. The outcome was successful, resulting in 99.38% identification of the sizing of apples using the circumference of each apple, based on its characteristics from imagery alone. It should be noted that this research did not address the quality control check that manual inspection of the apples provides. This research was not looking for defects or bad apples. Being able to classify and to quality control requires two different processes using two different models.
CNNs are designed to make decisions on data arrays: “1D for signals and sequences, including language; 2D for images or audio spectrograms; and 3D for video or volumetric images” [109]. The image below, Figure 26, shows a CNN network. The first input layer identifies lines, edges, and corners. The next layers using these data then find the objects, patterns, shapes, and structures. From this, the CNN classifies the images given the shapes and patterns it has identified.
Figure 26 [110] also shows a 2 × 2 kernel, where each output value is calculated from the weighted sum of the neighbouring input values plus the kernel’s bias.

14.3. Malware as an Image

Malware identification as an image is not a new concept; it has been used for many years. The process involves converting the binary file to an image. The 2D images can be presented as one-channel greyscale or three-channel RGB; we note that three channels require more computation than one. As new AI engines are created, the authors of [111] have explored the effectiveness of different methods for scanning malware in image form. They identified that long short-term memory (LSTM) and gated recurrent unit (GRU) models proved more successful as language models than CNNs, while their research showed that CNNs remain a leader in image AI. Furthering this, the researchers used a character-level convolutional neural network (CHAR-CNN), which involves eight ReLU layers, and “the Sigmoid activation function is employed in the final layer for binary classification” [111]. This contrasts with [112], who continued using CNNs but suggested complementing this AI with a softmax loss, given that malware datasets can be degraded by unbalanced malware classes. Softmax is implemented in the last layer of an AI model and outputs decimal probabilities over the classes of a multi-class system. Interestingly, they finally opted for pre-trained models using Visual Geometry Group 19 (VGG-19), which is built on 19 layers. Figure 27 [113] is a visual presentation of the VGG-19 model.
The VGG-19 can be modified and fine-tuned. By altering the softmax, the researchers were able to classify the files with far better results. “Softmax loss is a combination of softmax regression and entropy loss, used in multi-class classification problems” [112]. Researchers furthered this by using eight DL engines for comparison: “VGG16, AlexNet, DarkNet-53, DenseNet-201, Inception-V3, Places365-GoogleNet, ResNet-50, and MobileNetV2, that were already pre-trained on the ImageNet database” [115]. It was found that VGG-16 was far superior once fine-tuned, achieving a 99.7% success rate. Table 8 shows great variance in the number of layers and the execution time, both of which are very important considerations when minimising this work for small-board computation.
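As an added illustration of the softmax loss discussed above (example code written for this review, not the implementation used in [112]), the block below computes softmax probabilities and the cross-entropy loss in plain Python and then shows one common way of countering unbalanced malware families: weighting each class by the inverse of its frequency. The weighting scheme (scikit-learn’s “balanced” convention, total / (classes × count)) and the family counts are assumptions for the example, not values from the cited work.

```python
import math
from typing import List, Optional, Sequence


def softmax(logits: Sequence[float]) -> List[float]:
    """Turn raw class scores into decimal probabilities that sum to 1.
    Subtracting the maximum first keeps exp() from overflowing."""
    m = max(logits)
    exps = [math.exp(z - m) for z in logits]
    total = sum(exps)
    return [e / total for e in exps]


def cross_entropy(probs: Sequence[float], label: int) -> float:
    """Negative log-probability assigned to the true class (clamped to avoid log(0))."""
    return -math.log(max(probs[label], 1e-12))


def class_weights(counts: Sequence[int]) -> List[float]:
    """Inverse-frequency weights, total / (k * count_c), so that every class
    contributes equally in aggregate even when one family dominates."""
    total, k = sum(counts), len(counts)
    return [total / (k * c) for c in counts]


def weighted_softmax_loss(logits_batch: Sequence[Sequence[float]],
                          labels: Sequence[int],
                          counts: Optional[Sequence[int]] = None) -> float:
    """Mean (optionally class-weighted) softmax cross-entropy over a mini-batch."""
    weights = class_weights(counts) if counts else [1.0] * len(logits_batch[0])
    losses = [weights[y] * cross_entropy(softmax(z), y)
              for z, y in zip(logits_batch, labels)]
    return sum(losses) / len(losses)


# Constructed mini-batch: the model outputs the same scores for two samples,
# but one belongs to the majority family (class 0) and one to a rare family (class 2).
BATCH = [[2.0, 0.0, 0.0], [2.0, 0.0, 0.0]]
LABELS = [0, 2]
FAMILY_COUNTS = [900, 90, 10]   # constructed, heavily unbalanced training set


if __name__ == "__main__":
    print(softmax(BATCH[0]))
    print("plain   :", weighted_softmax_loss(BATCH, LABELS))
    print("weighted:", weighted_softmax_loss(BATCH, LABELS, FAMILY_COUNTS))
```

With the unweighted loss the misclassified rare-family sample contributes the same as any other; with inverse-frequency weights its error is amplified (here by a factor of 90 relative to the majority class), so the optimiser can no longer reach a low loss by simply predicting the dominant family.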

15. Comparative Analysis of Image-Based Detection

The existing body of knowledge presents a multitude of AI-driven approaches for malware detection, which can broadly be categorised into two primary methodologies: feature extraction from code properties and the direct conversion of malware binaries into visual representations. This section examines the latter, focusing on the “Malware-as-an-Image” paradigm, where binary files are transformed into 2D matrices for analysis by deep learning models, as seen in Figure 28, particularly convolutional neural networks (CNNs), as seen in Figure 29.
A significant distinction in the literature lies in the dimensionality of the input data. Research varies between using single-channel greyscale images and three-channel RGB representations. While RGB models may offer higher feature density, the literature indicates that greyscale representations are often superior for resource-constrained environments. By reducing the input dimensions and size, the computational cost is significantly lowered, which is a critical factor for deployment on SBCs, where processing power and memory are limited.
It was said in [116] that malware is not new code written from scratch; it is existing code that has been improved. This means there are similarities in the code, patterns, and metrics that can be captured, analysed, and reported on. Using AI, researchers can take these metrics and create very large databases of malware behaviours. The authors of [117] used linear support vector machines (SVMs) and were able to pass the database through their program and identify changes in the malware over time. The data in the database covered 54 features such as code size, total number of exports, and number of DLL imports. The SVM, using a separating hyperplane, was able to classify the data into families.
Using a very similar technique, the authors of [118] created two folders, one of benign files and the other of Windows PE files. The researchers extracted data from the files, but they did not state which method they used. They also removed several malware samples that did not score above 75% using the VirusTotal API, which may bias the malware set. However, using this model, they achieved a 97% detection rate of unseen malware vs. benign.
In the paper An Efficient DenseNet-Based Deep Learning Model for Malware Detection [5], the authors converted files into two-dimensional images and then passed them through deep learning to classify them. Figure 2 below shows how this is achieved with animals using the CNN model. The researchers used the DenseNet model, which is a variant of a convolutional neural network (CNN). Using image processing for malware is similar to normal image recognition. Using the DenseNet model, they successfully identified patterns in code that does not match identically, achieving 98% detection rates across three different malware sets. However, it was less successful with a dataset it was not trained on, with only an 89% success rate. This differs from signature-based detection, where the raw code needs to be identical. This method of detection was also observed in several other papers.
The model in Figure 29 is a fairly small engine, similar to the one used in the research on a small-board computer. There are much larger models with a far greater number of layers, but they require machines with greater computing power. Researchers in ref. [119] used malware sets in their research. These datasets were precompiled as greyscale images, producing a result of 99% and taking only 1.18 s to detect new malware using CNNs. The paper concludes that they used 9300 malware images and, to improve on this, hoped to run these tests in a real-world situation rather than a lab environment [120]. Continuing this research but implementing a two-stage approach using CNNs and long short-term memory (LSTM), they were able to extract features with reduced dimensions, achieving a 99.98% success rate. Hybrid models are more common in the most recent research. Using a similar system of greyscale images, in [121], the Gabor wavelet transform and GIST were used; however, this paper had far less success than the previous, with only a 96% rate.
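To make the feature-extraction route concrete (the approach of [117] and [118] above), the following example, written for this review and not taken from either paper, parses the headers of a Windows PE file with only the Python standard library and returns a fixed-order numeric vector of the kind a linear SVM consumes: section count, code size, entry point, image size, and whether export and import directories are present. Counting individual DLL imports, one of the 54 features cited, would additionally require walking the import table and is deliberately left out. The `build_sample_pe` helper constructs a minimal, non-executable PE32 header so the example runs offline; it is not a real binary.

```python
import struct
from typing import Dict, List

FEATURE_ORDER = ["is_64bit", "is_dll", "number_of_sections", "size_of_code",
                 "entry_point", "size_of_image", "has_exports", "has_imports"]


def pe_features(data: bytes) -> Dict[str, int]:
    """Header-level features from a PE file; raises ValueError on non-PE input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    if len(data) < coff + 22:
        raise ValueError("truncated COFF header")
    (_machine, n_sections, _stamp, _symtab, _nsyms,
     _opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                          # optional header
    magic = struct.unpack_from("<H", data, opt)[0]           # 0x10B PE32, 0x20B PE32+
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # Data directories (RVA, size pairs) start at +96 for PE32 and +112 for PE32+;
    # NumberOfRvaAndSizes sits in the 4 bytes immediately before them.
    dirs = opt + (96 if magic == 0x10B else 112)
    if len(data) < dirs:
        raise ValueError("truncated optional header")
    size_of_code = struct.unpack_from("<I", data, opt + 4)[0]
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    n_dirs = struct.unpack_from("<I", data, dirs - 4)[0]

    def directory(index: int):
        if index >= n_dirs or dirs + 8 * index + 8 > len(data):
            return (0, 0)
        return struct.unpack_from("<II", data, dirs + 8 * index)

    _export_rva, export_size = directory(0)
    _import_rva, import_size = directory(1)
    return {
        "is_64bit": int(magic == 0x20B),
        "is_dll": int(bool(characteristics & 0x2000)),       # IMAGE_FILE_DLL
        "number_of_sections": n_sections,
        "size_of_code": size_of_code,
        "entry_point": entry_point,
        "size_of_image": size_of_image,
        "has_exports": int(export_size > 0),
        "has_imports": int(import_size > 0),
    }


def feature_vector(features: Dict[str, int]) -> List[int]:
    """Fixed-order numeric vector, the form a linear SVM expects."""
    return [features[name] for name in FEATURE_ORDER]


def build_sample_pe(size_of_code: int = 0x400, is_dll: bool = False,
                    with_imports: bool = True) -> bytes:
    """Constructed minimal PE32 header for the example (headers only, no code)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    characteristics = 0x0102 | (0x2000 if is_dll else 0)   # EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, characteristics)
    opt = bytearray(224)                                   # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 4, size_of_code)
    struct.pack_into("<I", opt, 16, 0x1000)                # AddressOfEntryPoint
    struct.pack_into("<I", opt, 56, 0x3000)                # SizeOfImage
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    if with_imports:
        struct.pack_into("<II", opt, 96 + 8, 0x2000, 0x28)  # import directory entry
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print(feature_vector(pe_features(build_sample_pe())))
```

Because the parser validates the MZ and PE signatures, the optional-header magic and the header length before reading any field, a file that is truncated or merely renamed to .exe is rejected rather than producing a misleading feature vector.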
Using imagery in malware and AI, the authors of [122] went further and researched whether they could evade detection by using imagery against three CNN engines. With very surprising results, 100% of the polymorphic Linux malware and 93% of the polymorphic Windows malware were not incorrectly classified. Interestingly, another paper by Von der Assen used AI to evade detection, this time using reinforcement learning (RL) and fingerprinting to identify when it is best to send malware to a device. After a few minutes, the authors of [39] were able to send their payload to a Raspberry Pi 4 with a 90% success rate of not being detected. This was achieved by sending an analytical program to measure the device (the Linux command perf) and send information back to a command-and-control server. From these results, using the Isolation Forest algorithm, the ransomware server was able to select its malware using AI and deploy it with far greater success.
Converting malware into imagery has been utilised in many papers. Researchers [36] used this in several different ways. Table 9 below is a summary of all the latest research collected from Google Scholar using imagery to detect malware.
Using malware as an image has been researched by many and has proved to have high success rates [70]. There are multiple models for different applications, including lighter models for IoT devices that do not have as many resources.

15.1. Benefits and Challenges of Using AI for Malware Detection

The benefits of using artificial intelligence (AI) have become more and more important in the cybersecurity race. Malware detection has traditionally used signature-based systems, which are unable to detect zero-day threats. This is because signature-based detection only works if the malware has previously been detected and is thus known.
AI can learn more about malware and its patterns, and having more data to train the model decreases false positives. The authors of [140] used a CNN and long short-term memory (LSTM) in their research for malware detection. The authors of [119] found the same in their image recognition research: having more data to learn from decreased the false positive rate. There is, however, the opposite risk of over-fitting a dataset. Models work well with known data but struggle with unseen data; this is “because of the presence of noise, the limited size of the training set, and the complexity of classifiers, overfitting happens” [141]. Adjusting the weights of certain values, making them key points, or implementing a technique called early stopping, which monitors a cost function on a validation set, can prevent the model from underfitting or overfitting.
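The early-stopping rule mentioned above is simple enough to show in full. The block below is an added example for this review (not code from [141] or from any of the cited studies): it tracks the validation cost after each epoch, stops once no improvement larger than `min_delta` has been seen for `patience` epochs, and remembers the best epoch so that those weights, not the over-fitted final ones, are kept. The validation-loss curves are constructed; `min_delta` is what prevents the small noisy fluctuations in the second curve from being mistaken for progress.

```python
from typing import Dict, Sequence


class EarlyStopping:
    """Stop when validation loss has not improved by at least min_delta for
    `patience` consecutive epochs; keeps track of the best epoch to restore."""

    def __init__(self, patience: int = 3, min_delta: float = 1e-3) -> None:
        self.patience = patience
        self.min_delta = min_delta
        self.best = float("inf")
        self.best_epoch = -1
        self.bad_epochs = 0

    def step(self, epoch: int, val_loss: float) -> bool:
        """Record one epoch's validation loss; return True when training should stop."""
        if val_loss < self.best - self.min_delta:      # a real improvement
            self.best, self.best_epoch, self.bad_epochs = val_loss, epoch, 0
        else:                                          # noise or over-fitting
            self.bad_epochs += 1
        return self.bad_epochs >= self.patience


def train_with_early_stopping(val_losses: Sequence[float], patience: int = 3,
                              min_delta: float = 1e-3) -> Dict[str, float]:
    """Simulated training loop: each entry of val_losses is the validation cost
    measured after one epoch (in a real run this comes from the model)."""
    stopper = EarlyStopping(patience, min_delta)
    last = len(val_losses) - 1
    for epoch, loss in enumerate(val_losses):
        if stopper.step(epoch, loss):
            last = epoch
            break
    return {"stopped_at": last, "best_epoch": stopper.best_epoch,
            "best_loss": stopper.best}


# Constructed curve: the model improves, then starts to over-fit from epoch 4
OVERFIT_CURVE = [0.90, 0.60, 0.45, 0.40, 0.41, 0.43, 0.47, 0.52, 0.60]
# Constructed curve: tiny fluctuations well below min_delta, i.e. no real progress
NOISY_PLATEAU = [0.50, 0.4995, 0.4992, 0.4991, 0.4996]


if __name__ == "__main__":
    print(train_with_early_stopping(OVERFIT_CURVE))
    print(train_with_early_stopping(NOISY_PLATEAU, patience=2))
```

On the over-fitting curve training halts at epoch 6 while the weights from epoch 3 (loss 0.40) are the ones retained; on the noisy plateau the stopper fires after two epochs rather than chasing changes in the fourth decimal place.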

15.2. Image Generation Strategies and Preprocessing

The efficacy of convolutional neural networks (CNNs) in malware detection relies heavily on the binary-to-image conversion process. This transformation treats the malware executable as a stream of 8-bit unsigned integers, where each byte B_i corresponds to a grayscale pixel P_i with an intensity ranging from 0 (black) to 255 (white).
A significant challenge in this domain is the variance in file sizes, which ranges from mere kilobytes to gigabytes. Since standard CNN architectures such as VGG-16 or ResNet-50 require fixed-size input tensors (e.g., 224 × 224 pixels), researchers and engineers must standardise the dimensions of these files. To fit square input requirements, smaller files are typically padded with null bytes (0x00) at the sequence’s end, ensuring the original geometric structure remains undistorted.
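The conversion described in Section 14.3 and in the two paragraphs above is shown end to end in the following example, added for this review and not taken from any of the cited studies. Each byte B_i becomes pixel P_i, the byte stream is padded with 0x00 at its end to the next perfect square so the file’s layout is not distorted, and the square is then brought to a fixed side length with nearest-neighbour resampling so that it can be fed to a fixed-input network such as VGG-16 (the resampling step is an assumption of the example; the text above discusses padding only). The input bytes are constructed.

```python
import math
from typing import List

Image = List[List[int]]


def bytes_to_square_image(blob: bytes) -> Image:
    """Map byte B_i to pixel P_i (0..255), pad with 0x00 at the end up to the
    next perfect square, and reshape row-major into a side x side grid."""
    if not blob:
        raise ValueError("empty input")
    side = math.isqrt(len(blob) - 1) + 1        # smallest side with side*side >= len
    padded = blob + b"\x00" * (side * side - len(blob))
    return [list(padded[r * side:(r + 1) * side]) for r in range(side)]


def resample_nearest(img: Image, target: int) -> Image:
    """Nearest-neighbour resize of a square image to target x target, so that
    files of any size produce a tensor of the shape the CNN was built for."""
    side = len(img)
    idx = [(t * side) // target for t in range(target)]
    return [[img[idx[r]][idx[c]] for c in range(target)] for r in range(target)]


def malware_to_tensor(blob: bytes, target: int = 224) -> Image:
    """Full preprocessing pipeline: bytes -> padded square -> fixed-size image."""
    return resample_nearest(bytes_to_square_image(blob), target)


def tensor_stats(img: Image) -> dict:
    """Sanity numbers a practitioner checks before training: shape and value range."""
    flat = [v for row in img for v in row]
    return {"side": len(img), "min": min(flat), "max": max(flat),
            "zero_fraction": flat.count(0) / len(flat)}


if __name__ == "__main__":
    sample = bytes(range(10))                    # constructed 10-byte "file"
    print(bytes_to_square_image(sample))         # 4 x 4 grid, last 6 cells padded
    print(tensor_stats(malware_to_tensor(sample, target=8)))
```

The padding is appended rather than interleaved, so code and data regions keep their relative positions in the image; `tensor_stats` reports the zero fraction, which is worth logging because a file that is mostly padding carries little signal and can skew a training set.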

15.3. Challenges for Detecting Malware Using AI

Artificial intelligence is not immune to adversarial attacks, where the engine is attacked using false data or inputs to change the way the AI detects malware. This was discussed in the previous section, with [39,122] being able to use different ways to get past AI detection. Authors in [142] previously researched this and found it was possible to detect adversarial attacks using Random Forest and the nearest neighbour classifier with a recall of 0.99. The datasets used were image-based, much like in the research of [122], except Pawlicki, Choraś and Kozik (2020) [142] used the “Fast Gradient Sign Method, Basic Iterative Method, Carlini and Wagner Attack, and Projected Gradient Descent” unlike the former, who used polymorphic malware images for their adversarial attack.
The lack of transparency of artificial intelligence makes it a challenge for humans to explain or understand. Joel Dudley, an Associate Professor of Genetics and Genomic Sciences, was quoted in an MIT article as follows: “We can build these models, but we don’t know how they work.” This is the black box problem of artificial intelligence, where the machine crunches the data without any explanation of what is happening. The authors of [143] argue that AI needs “to provide human causally understandable explanations, also known as causability”.
Another challenge for artificial intelligence is the use of poor-quality, incomplete, or biased data. Using such data can lead to incorrect learning and decision-making and, ultimately, in this field of research, the misdetection of malware. The book Machine Learning Security Principles [4] notes that in a lab environment it is normal to have a single dataset, whereas in real life data can come from many sources, have null fields, and measure things differently. It is also possible to have biased data; for example, training an airport facial recognition system with only certain types of face could mean that someone with a face shape not in the training data remains undetected by the artificial intelligence or is completely miscategorised. Figure 30 is a graphical representation of the IoT Ecosystem Vulnerability Analysis.
This research aims to explore malware detection on a small-board computer. Research on malware detection on Raspberry Pis is currently fairly limited, but as IoT and single-board computers become more powerful, the field will grow. In 2016, researchers [62] used SNORT, an open-source IDS, on a Raspberry Pi 2. Physical limitations of the Raspberry Pi, for example having the NIC on the USB bus, meant they observed very high CPU rates. The researchers did observe that the Raspberry Pi 2 was a capable IDS platform [144].

16. Edge Computing and IoT

16.1. A Review of Small Board Computing and Edge Computing

In 2023, Microsoft announced that they are developing two computer chips for the cloud computing platform Azure [145]. Microsoft has created the Azure Maia AI chip and the Arm-based Azure Cobalt CPU, which are planned to be released in 2024. This is a clear sign that AI is going to be game-changing for technology as we currently know it. The new Maia has 105 billion transistors, which is fewer than Nvidia’s competitor, running 153 billion transistors on a GPU [146]. These new AI chips are going to be data-centre-based, whereas this study investigates the other end of the spectrum and uses small-board computation, where the chips are significantly slower and the boards are credit-card-sized. An example application would be a military fighter jet, where real estate in the aircraft is costly. Successfully miniaturising AI systems, without the luxury of large data centres and the compute power they offer, would be the success of this research. This research can also be used for IoT devices and even in electric vehicles, which are data centres on wheels [147].
Data centres on wheels are an interconnected network of sensors, processors, and entertainment systems, which also include several interfaces such as Bluetooth and USB. The authors of [148] explain that these networks of interconnected devices all connect to several central domains: “Telematics Domain, Infotainment Domain, Chassis Domain, Powertrain Domain, Body Domain and Sensor Domain,” [148], which all communicate via a central gateway. This means that a potential breach of one system could have detrimental effects on other systems within the vehicle.
Using a small compute board like the Raspberry Pi (see Figure 31), researchers have created small-scale yet fairly performant devices that can complete several tasks, such as weather, PV Solar, or even Lidar sensors using Raspberry Pi’s GPIO pins. Using these small boards, researchers, industry, and even hobbyists can create several applications due to “low cost and small size” [149].
Using these small boards, SMEs can create, fairly quickly and cheaply, a wide range of applications directly on these boards, and scale. The operational implications of providing a secure environment for SMEs are costly due to demanding resource requirements like manpower and technology [37]. However, Besimi et al. argue that using Raspberry Pi “requires more time on management, deployment and configuration” [151], but it should be noted that their field of research is clustered Raspberry Pis vs. Google cloud compute for data mining.
The image (Figure 32) below is the author’s Raspberry Pi Lab, consisting of a number of Raspberry Pis and networking equipment. This is the lab used in the research for the detection of malware on Raspberry Pis.
Figure 33 shows an industrial Raspberry Pi 5 [152], the ED-IPC3020, an industrial case for the Raspberry Pi 5. It opens possibilities for smaller boards in industry, creating smarter controllers and reducing the need for larger computers/servers to manage and maintain a series of peripherals such as sensors and servos.
The Industrial Internet of Things (IIoT) connects industries, enabling companies to remotely interact with their systems and gain visibility and control over their devices.

16.2. Minimisation and Architectural Optimisation for SBCs

In 1965, Gordon E. Moore observed that the number of components on a semiconductor chip doubled at a regular interval, an observation that became known as Moore’s Law [153]. Devices are now as small as smartwatches but with more computational power than the Apollo space missions had. These devices can offer new capabilities given their resources and power.
The power of small board computers has improved greatly over the years, with the computing power approaching the ability required for making decisions, given the size of ever-increasing datasets. As noted by Karunaratna et al., “Artificial Intelligence Applications, once limited to only supercomputers” [154] are now feasible on edge devices. However, deploying “heavyweight” models such as VGG-16 and ResNet-50 directly to these devices remains prohibitive. These models are characterised by a high density of parameters—VGG-16, for instance, contains approximately 138 million parameters and requires significant floating-point operations per inference. On resource-constrained hardware like the Raspberry Pi, which relies on ARM Cortex-A CPU cores, such computational demands result in high latency and rapid thermal throttling, rendering real-time malware detection impractical without the use of additional boards or “HATs”.
Consequently, the state of the art in SBC-based detection has shifted towards “lightweight” convolutional neural networks designed specifically for mobile and edge environments. MobileNetV2 is a primary candidate in this domain. As shown previously in Table 8, MobileNetV2 requires significantly less storage (13 MB vs. 515 MB for VGG16) and execution time (0.35 s vs. 0.70 s per sample) [115]. It distinguishes itself through the use of depthwise separable convolutions. Unlike standard convolutions that perform spatial filtering and feature generation in a single step, MobileNet splits this into two lighter layers. This architectural change drastically reduces the computation cost and model size with minimal loss in accuracy, making it highly compatible with the SIMD instruction sets found in modern ARM processors.
Another architecture gaining traction in the IoT security space is SqueezeNet. This model achieves AlexNet-level accuracy with approximately 50× fewer parameters by utilising “Fire modules” a squeeze layer comprising 1 × 1 convolution filters feeding into an expand layer. For malware detection on IoT devices, where storage is often limited to small flash memory chips, SqueezeNet’s ability to compress models allows the entire inference engine to reside closer to the processor cache, significantly speeding up execution times compared to memory-bound architectures.
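The savings claimed for depthwise separable convolutions and Fire modules in the two paragraphs above follow directly from counting weights, and the block below does that counting. It is an added example for this review, not code from the MobileNet or SqueezeNet projects; the layer sizes used at the bottom are constructed for illustration rather than taken from either architecture.

```python
def standard_conv_params(k: int, c_in: int, c_out: int, bias: bool = True) -> int:
    """A k x k convolution that filters spatially and mixes channels in one step."""
    return k * k * c_in * c_out + (c_out if bias else 0)


def depthwise_separable_params(k: int, c_in: int, c_out: int, bias: bool = True) -> int:
    """MobileNet-style split: one k x k depthwise filter per input channel,
    followed by a 1 x 1 pointwise convolution that mixes the channels."""
    depthwise = k * k * c_in + (c_in if bias else 0)
    pointwise = c_in * c_out + (c_out if bias else 0)
    return depthwise + pointwise


def fire_module_params(c_in: int, squeeze: int, expand1x1: int,
                       expand3x3: int, bias: bool = True) -> int:
    """SqueezeNet Fire module: a 1 x 1 squeeze layer feeding parallel
    1 x 1 and 3 x 3 expand layers whose outputs are concatenated."""
    s = c_in * squeeze + (squeeze if bias else 0)
    e1 = squeeze * expand1x1 + (expand1x1 if bias else 0)
    e3 = 9 * squeeze * expand3x3 + (expand3x3 if bias else 0)
    return s + e1 + e3


def conv_macs(k: int, c_in: int, c_out: int, h: int, w: int) -> int:
    """Multiply-accumulate operations for a standard conv producing an h x w map."""
    return h * w * k * k * c_in * c_out


def separable_macs(k: int, c_in: int, c_out: int, h: int, w: int) -> int:
    """Multiply-accumulates for the depthwise + pointwise pair on the same map."""
    return h * w * (k * k * c_in + c_in * c_out)


def reduction_factor(k: int, c_in: int, c_out: int) -> float:
    """How many times fewer weights the separable form needs; tends to
    1 / (1/c_out + 1/k^2), i.e. close to k^2 for wide layers."""
    return (standard_conv_params(k, c_in, c_out, bias=False)
            / depthwise_separable_params(k, c_in, c_out, bias=False))


if __name__ == "__main__":
    # Constructed layer: 3 x 3 filters, 256 -> 256 channels on a 56 x 56 map
    print(standard_conv_params(3, 256, 256, bias=False),
          depthwise_separable_params(3, 256, 256, bias=False),
          round(reduction_factor(3, 256, 256), 2))
    print(conv_macs(3, 256, 256, 56, 56), separable_macs(3, 256, 256, 56, 56))
    # Constructed Fire module: 96 in, squeeze 16, expand 64 + 64, vs a plain 3 x 3 conv 96 -> 128
    print(fire_module_params(96, 16, 64, 64, bias=False),
          standard_conv_params(3, 96, 128, bias=False))
```

For the constructed 256-channel layer the separable form needs roughly 8.7× fewer weights and the same factor fewer multiply-accumulates, which is the gap Table 8 reflects in MobileNetV2’s storage and execution time; the Fire module shows a comparable saving against a plain 3 × 3 convolution of the same output width.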
Cloud computing was seen as the dawn of a new era of supercomputing with almost unlimited resources; however, the cloud also comes with limitations such as latency and jitter. In the paper Collaborate Edge and Cloud Computing With Distributed Deep Learning for Smart City Internet of Things [155], the authors studied using local computing, edge computing, and cloud computing. Their research found that while the cloud had the resources, edge computing had better response times given its locality. With advances in technology and protocols like 5G [156], the latency between cloud and edge is reduced, but the aim of this research is to focus on localised and edge computing to ensure autonomy and security.
Table 10, Cloud vs. Edge [156], below shows the comparison of cloud and edge computing.
The argument for latency over performance, or a hybrid of both, very much depends on the resources, network speed, latency, jitter, and the size of the data being processed. One of the biggest factors to consider is responsiveness. For example, if a system’s primary function is to conduct a simple scan of itself, this could be run with no other resources reliant on it. If the AI is tasked with making a decision on which another task depends, the decision-making speed could be critical; an example is the control plane of an aircraft, where the system would want this to be instant and not left to the mercy of network lag.
The power of small boards has improved greatly over the years, with the computing power approaching that required for calculating decisions, given the size of ever-increasing datasets: “Artificial Intelligence Applications, once limited to only supercomputers” [154]. There are several types of small board, from AMD to ARM, and now the newer RISC-V, adding multiple engines of machine learning and deep learning. It is a challenge to find which engines are implemented against which datasets and how to create the most optimal outcomes in relation to efficiency and accuracy. This is notwithstanding that it would be far better to use powerful GPUs, which are much better suited to this sort of computational work; however, IoT devices genuinely lack the performance of GPUs given their size and power consumption.
Figure 34 is the conceptual model proposed in this research, which enables the AI to train and learn on powerful servers. The trained model is then issued to the Raspberry Pi, which uses it to classify new files. The purpose of this research is to define the AI engine and produce the best results for devices with generally lesser capacity, such as the Raspberry Pi.
In 2022/2023, a new type of processor was introduced. For a long time, there have been only two main chips, the CPU and the GPU; alongside these, a new type of processor aimed at AI was created. The Neural Processing Unit (NPU) is designed to work with deep neural networks, with the ability to compute huge amounts of data such as images and video. The reason this is a massive breakthrough for AI, and more specifically deep neural networks, is that most of this work is currently accomplished in the cloud in massive data centres, which also means sharing data that could potentially be sensitive. Being able to process these data locally on a device such as a mobile phone means the data do not need to be sent off for processing. This, in conjunction with federated learning, means the calculations can be updated, improving the AI being run on the NPU.

17. Hybrid Workflow and Model Optimisation

To address the inherent limitations of Single Board Computers (SBCs) in managing the intensive computational demands of deep learning training, a hybrid workflow is adopted as a strategic necessity. This approach acknowledges that platforms such as Raspberry Pi possess finite storage and processing capabilities, which are insufficient for hosting or processing the vast datasets required for initial model development. Consequently, the primary training phase is offloaded to high-performance servers or cloud-based environments capable of handling significant workloads. During this stage, malware binaries are transformed into 2D grayscale representations, enabling complex convolutional neural networks (CNNs) to identify malicious patterns within a high-resource environment. By leveraging these powerful external systems, it becomes possible to utilize sophisticated architectures that would otherwise cause an SBC to exceed its operational thresholds.
The transition from high-performance training to edge-based deployment requires a rigorous optimisation phase to ensure compatibility with the target SBC’s ARM-based architecture. This stage focuses on architectural minimisation, where the heavyweight models developed on servers are refined or replaced by more efficient, lightweight counterparts such as MobileNetV2. The effectiveness of this reduction is quantified in Table 11, which demonstrates the significant drop in storage requirements when transitioning to optimised architectures. To further reduce execution cost, optimisation strategies are employed, including TensorFlow Lite integration and INT8 quantisation. These methods effectively convert 32-bit floating-point parameters into 8-bit integers, significantly diminishing the model’s memory footprint and reducing the number of required operations. Such refinement is critical for maintaining real-time detection capabilities while preventing the rapid thermal throttling and RAM saturation that often plague resource-constrained hardware during inference.
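The INT8 quantisation step described above reduces each 32-bit floating-point parameter to an 8-bit integer plus a per-tensor scale and zero point. The following example, added for this review and not TensorFlow Lite’s own implementation, shows the asymmetric affine scheme in plain Python: how weights are mapped to the [-128, 127] range, how the error introduced is bounded by the scale, how a dot product can then be carried out in integer arithmetic, and how much memory the 138 million parameters of VGG-16 occupy at 32 versus 8 bits. The weight values are constructed.

```python
from typing import List, Sequence, Tuple

INT8_MIN, INT8_MAX = -128, 127


def quantise_int8(weights: Sequence[float]) -> Tuple[List[int], float, int]:
    """Asymmetric affine quantisation: q = round(w / scale) + zero_point.
    The range is widened to include 0.0 so that zero is exactly representable."""
    lo, hi = min(min(weights), 0.0), max(max(weights), 0.0)
    scale = (hi - lo) / 255.0 if hi > lo else 1.0
    zero_point = int(round(-lo / scale)) + INT8_MIN
    zero_point = max(INT8_MIN, min(INT8_MAX, zero_point))
    q = [max(INT8_MIN, min(INT8_MAX, int(round(w / scale)) + zero_point))
         for w in weights]
    return q, scale, zero_point


def dequantise(q: Sequence[int], scale: float, zero_point: int) -> List[float]:
    """Recover approximate float weights: w ~= (q - zero_point) * scale."""
    return [(v - zero_point) * scale for v in q]


def max_abs_error(weights: Sequence[float]) -> float:
    """Largest round-trip error; for values inside the range it is below one scale step."""
    q, scale, zp = quantise_int8(weights)
    return max(abs(w - r) for w, r in zip(weights, dequantise(q, scale, zp)))


def int8_dot(qa: Sequence[int], sa: float, za: int,
             qb: Sequence[int], sb: float, zb: int) -> float:
    """Dot product done in integers (the accumulator would be int32 on the
    device); the two scales are applied once at the end."""
    acc = 0
    for a, b in zip(qa, qb):
        acc += (a - za) * (b - zb)
    return acc * sa * sb


def memory_bytes(n_params: int, bits: int) -> int:
    """Storage for a model's parameters at the given precision."""
    return n_params * bits // 8


VGG16_PARAMS = 138_000_000   # figure quoted in Section 16.2


if __name__ == "__main__":
    w = [-1.0, 0.0, 0.5, 1.0]                          # constructed weights
    q, scale, zp = quantise_int8(w)
    print(q, scale, zp, dequantise(q, scale, zp), max_abs_error(w))
    qa, sa, za = quantise_int8([1.0, 2.0, 3.0])
    qb, sb, zb = quantise_int8([0.5, 0.5, 0.5])
    print(int8_dot(qa, sa, za, qb, sb, zb))            # close to the float result 3.0
    print(memory_bytes(VGG16_PARAMS, 32), memory_bytes(VGG16_PARAMS, 8))
```

The zero point is what lets a padded region of zeros (common in the byte images of Section 15.2) and a zero weight both quantise exactly; the accuracy loss the text describes as “minimal” is the rounding error of at most half a scale step per value, which is why a per-layer or per-channel scale is preferable to one global scale for tensors with very different ranges.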
The final phase of the workflow involves deploying these optimised weights onto the SBC for local inference and proactive monitoring. Unlike traditional systems that require continuous data transmission to a central hub, this hybrid model allows the Raspberry Pi to function as an autonomous detection engine. To facilitate ongoing system improvements without compromising privacy or network bandwidth, the architecture incorporates principles of federated learning (FL). In this paradigm, only the refined model gradients or updated weights are communicated back to the central server, rather than the raw malware samples or local data. This cyclical process ensures that the malware detection system remains dynamic and robust against evolving threats while adhering to a low-cost, decentralised operational model suitable for the modern IoT landscape.

17.1. Summary of Challenges for Detecting Malware Using SBC

  • The power of the CPU/GPU in an SBC is far less than that of their larger counterparts in data centres. This makes training much harder and far longer to compute.
  • To train AI, a large amount of data is required. The larger the dataset, the better the results of the algorithms. However, this comes with its own disadvantages. IoT devices like SBCs only have a finite amount of storage, nowhere near the amount required to host training material.
  • Having an SBC taught to identify malware is important. Each device, over time, encounters different amounts of malware (if any at all). As AI improves and malware evolves, they will drift at varying speeds to their counterparts.
Federated learning (FL) is the process of taking the metrics from several systems and using the data to train other systems securely. The training is offloaded to a primary server or a meshed network, updating these nodes with findings as well as from other connected devices all sharing their results.

17.2. Federated Learning for Malware Detection

The process of training AI models comes with complexities. Training data are often large and must be filtered for outliers and anomalies that can directly influence the algorithm. There is also the question of ethics and data confidentiality. To train an AI, the system needs to be issued both malware and benign samples. It would be unwise to issue the end device real malware to train itself, and it is also not possible to hold such a large library of balanced datasets on a small device where the storage is in the region of 4 GB NAND flash and the memory about 2 GB SDRAM [example: Google Nest Hub 2nd Gen] [157]. The storage in these devices is nowhere near large enough to hold the training data required to teach the devices how to classify the data.
A solution to this is to offload all the heavy training to a larger, more complex system using faster computer systems that are capable of significantly more computing power than an IoT device. This introduces the concept of federated learning (FL). “Federated learning is a decentralised model, born at the intersection of on-device and edge computing” [158]. Using the data learned on IoT and edge devices, knowledge is transferred to a centralised or decentralised system to collate what has been learned and shared with other heterogeneous systems.
This creates new ethical complications if the source data are uploaded to a centralised location. This could break international privacy laws by copying data belonging to another party to a centralised location; as Rey et al. note, centralised training “is not suitable for scenarios where device behaviours contain sensitive or confidential data” [43]. Such a location could also become a hacker’s target as a source of interesting data. FL mitigates this by sending only the learned metrics, specifically the model weights or gradients, rather than the actual data. However, while FL preserves privacy, it introduces significant communication overhead. Transmitting these weights for heavy models like VGG-16 can strain the limited network bandwidth of SBCs, reinforcing the need for the lightweight architectures discussed in the previous section.
Standardisation of federated learning would ensure that all devices reporting back to centralised or decentralised systems adhere to the same set of standards. Nguyen et al. discuss using standardised protocols on edge computing to leverage a unified framework to manage this overhead. “The Industry Specification Group (ISG) of the European Telecommunications Standards Institute (ETSI) has released an initiative called ETSI Multi-access Edge Computing (MEC)” [159]. This standard not only speeds up connectivity by being closer to the edge devices but also helps manage the computational burden on the client side. Porambage et al. also discuss that the use of MEC will reduce traffic by using local services, providing “processing and storage capabilities for the large IoT traffic created within a building” [160]. Systems like MEC might not currently benefit malware detection, where a real-time nanosecond response is not critical, but as technologies evolve, MEC would be an ideal candidate to teach all local devices about an attack in real time.
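The federated round described in Section 17.1 and in this section, in which only weights leave each device and the server averages them, is shown below as a complete simulation. It is an added example for this review, not code from [158] or [43]: a deliberately small linear model stands in for the CNN, each client runs a few epochs of gradient descent on data that never leaves it, and the server applies federated averaging (FedAvg), weighting every client’s update by its number of samples. The two clients’ datasets are constructed from the same underlying rule but with different feature distributions, mimicking devices that see different malware.

```python
from typing import List, Sequence, Tuple

Weights = List[float]
Dataset = Tuple[List[List[float]], List[float]]   # (features, targets)


def local_update(weights: Sequence[float], xs: Sequence[Sequence[float]],
                 ys: Sequence[float], lr: float = 0.1, epochs: int = 5) -> Weights:
    """One client's training: gradient descent on a linear model y ~ w . x using
    only its local data. Only the resulting weights are returned to the server."""
    w = list(weights)
    n = len(xs)
    for _ in range(epochs):
        grad = [0.0] * len(w)
        for x, y in zip(xs, ys):
            err = sum(wi * xi for wi, xi in zip(w, x)) - y
            for i, xi in enumerate(x):
                grad[i] += 2.0 * err * xi / n
        w = [wi - lr * g for wi, g in zip(w, grad)]
    return w


def fed_avg(updates: Sequence[Sequence[float]], sample_counts: Sequence[int]) -> Weights:
    """Server side: sample-count weighted average of the clients' weights.
    Raw samples never reach the server; only these vectors are transmitted."""
    total = sum(sample_counts)
    return [sum(u[i] * n for u, n in zip(updates, sample_counts)) / total
            for i in range(len(updates[0]))]


def run_federated(clients: Sequence[Dataset], rounds: int = 60,
                  init: Sequence[float] = (0.0, 0.0)) -> Weights:
    """Repeat: broadcast global weights, train locally, aggregate."""
    global_w = list(init)
    for _ in range(rounds):
        updates = [local_update(global_w, xs, ys) for xs, ys in clients]
        counts = [len(xs) for xs, _ in clients]
        global_w = fed_avg(updates, counts)
    return global_w


def bytes_per_round(n_params: int, n_clients: int, bits: int = 32) -> int:
    """Upload volume per round: each client sends every parameter once."""
    return n_clients * n_params * bits // 8


# Constructed local datasets; both follow y = 2*x1 - x2 but with different inputs
CLIENT_A: Dataset = ([[1, 0], [0, 1], [1, 1], [2, 1]], [2, -1, 1, 3])
CLIENT_B: Dataset = ([[1, 2], [3, 1], [2, 2]], [0, 5, 2])


if __name__ == "__main__":
    print(run_federated([CLIENT_A, CLIENT_B]))      # approaches [2.0, -1.0]
    print(bytes_per_round(138_000_000, 10))           # VGG-16 sized model, 10 clients
```

The `bytes_per_round` figure is the communication overhead the text warns about: with a VGG-16 sized model every round costs each client over half a gigabyte of upload, which is why the lightweight architectures of Section 16.2 matter for FL on SBCs as much as for inference.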

18. Trends, Challenges, and Opportunities

The use of artificial intelligence in the detection of malware over the more traditional signature detection has grown in popularity, given that malware production is increasing rapidly and malware can polymorph to evade signature detection. AI can potentially halt zero-day attacks based on the characteristics of the code alone, as it can identify malware it has never seen before, whereas signature-based detection can only work on known and identified malware.
There are two main ways AI is used to identify malware. The first, towards which this research is aimed, is converting the code into images and using CNNs to identify patterns in the code in the same way that cats and dogs can be categorised by a neural network. The second option is to extract strings from the code and learn their behaviours and patterns. These are mainly numerically based and can be examined using machine learning such as Random Forests or Support Vector Machines (SVMs). The corporate enterprise Airbus has chosen this method in its research strategy, which directed researchers to identify gaps in an image-based AI model. “Multiple deep neural networks exist but for the image classification the CNN is said to be the best neural network” [161].

19. Future Challenges and Emerging Research Directions

This section highlights the challenges likely to be faced during the research on this topic.

19.1. Hardware

The hardware landscape for this research is constantly evolving, and new technologies are emerging at an accelerated pace. Newer Single Board Computers (SBCs) are being released with significantly improved processing capabilities, including the integration of dedicated Neural Processing Units (NPUs) and AI-specific HATs designed to accelerate tensor operations. These advancements, such as those seen in the latest Raspberry Pi 5 or Orange Pi 5 architectures, represent a shift toward high-speed local inference that may eventually reduce the reliance on cloud-based training. However, a persistent challenge for this research remains keeping hardware relevant over several years, as older devices begin to show their age due to failing components and the increasing compute requirements of modern software. This performance gap is particularly evident when comparing the ARM-based architecture of SBCs against the high-performance x86 environments used in cloud services. While cloud platforms are essential for processing complex datasets that are too large for small boards, it remains a critical unknown whether the same configurations and model architectures can maintain parity when transferred to the slower, resource-constrained environment of an SBC.

19.2. Software

In the current software ecosystem, Python remains the primary language for AI and deep neural network development, particularly through TensorFlow and Keras. To complement these frameworks, a suite of additional packages—including Matplotlib, NumPy, and OpenCV—must be meticulously managed to manipulate and visualise data. Throughout this research, significant challenges have arisen regarding package availability, mismatched version numbers, and breaking changes to command structures. These dependency issues often make it difficult to replicate other researchers’ work, as code written for a high-performance environment may not be directly portable to an ARM-based SBC. As the industry moves toward 2025, there is a growing need to determine whether specialised code implementations are required for cloud versus edge environments, or whether a unified workflow can be achieved. This includes exploring optimisation strategies such as INT8 quantisation and TensorFlow Lite, which are becoming essential to ensure that sophisticated models can run on limited hardware without compromising system stability.

19.3. Learning and Future Methodologies

While the research fields for convolutional neural networks (CNNs) and malware detection are individually mature, the combination of the two remains relatively light on research, leaving many gaps to explore. Future work must bridge these areas, particularly regarding the integration of Generative AI (GenAI) and Explainable AI (XAI) [31,34]. GenAI offers a path forward for training models when real-world malware samples are scarce by generating synthetic datasets, while XAI is necessary to move away from “black box” models toward “causable” AI that security professionals can trust and understand. Additionally, the role of federated learning (FL) must be considered—whether it should be built into a physical lab environment or discussed as a theoretical framework. Given the immense size of modern datasets and the time required to compute these models, cloud services like Google Colab are indispensable for the training phase. This creates a sensible real-world workflow where models are trained in the cloud and exported to SBCs for testing, significantly reducing the time required for each experimental cycle.
The practical reality of these resource constraints was observed during initial testing. A Raspberry Pi 4B with 4 GB of RAM crashed within seconds of executing a Python OpenCV (cv2) command intended to resize images from the CIFAR-100 dataset [162]. Figure 35 is a screenshot of the command run. This specific task was a prerequisite for the Keras engine to ingest data into the deep neural network. As shown in Figure 36, the system memory maxed out at 3.90 GB, leading to immediate failure. Interestingly, similar limitations were encountered in the Google Colab free edition, where the RAM also maxed out during the same image-processing task. These findings underscore that the processing of imagery for malware detection is extremely RAM-intensive, and future research must prioritise memory-efficient data handling to ensure robust performance on “low-cost” hardware.
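The crash described above is predictable in advance: resizing every image of a dataset into one in-memory array multiplies its footprint by the resize factor squared and by the bytes per value. The following added example (written for this review, not the paper's own code) estimates that footprint for CIFAR-100 (60,000 images of 32x32x3 pixels, per the dataset's published dimensions) against the Pi 4B's 4 GB, and then shows the memory-efficient alternative: a generator that resizes and yields one batch at a time, so peak memory is one batch rather than the whole dataset. The 224x224 target size is an assumption (a common CNN input size; the paper does not state the size it used), and the nearest-neighbour resize is a stand-in for cv2.resize so the example runs without OpenCV. The tiny sample images are constructed.

```python
"""Added example: estimate RAM for a resized dataset before allocating it, and
stream the resize in batches instead. CIFAR-100 dimensions are the dataset's
published ones; the 224x224 target is an assumption; sample images are constructed."""
from typing import Iterator, List, Tuple

Pixel = Tuple[int, int, int]
Image = List[List[Pixel]]

CIFAR100_IMAGES = 60_000          # 50,000 train + 10,000 test
CIFAR100_SHAPE = (32, 32, 3)      # height, width, channels
PI4B_RAM_BYTES = 4 * 1024 ** 3    # the 4 GB Raspberry Pi 4B from the text


def dataset_bytes(n_images: int, height: int, width: int,
                  channels: int = 3, bytes_per_value: int = 4) -> int:
    """Bytes needed to hold every image at height x width at once.
    bytes_per_value=4 models float32 (what Keras normally ingests), 1 models uint8."""
    return n_images * height * width * channels * bytes_per_value


def fits_in_ram(required_bytes: int, ram_bytes: int, headroom: float = 0.75) -> bool:
    """Conservative check: keep 25% of RAM for the OS, Python and the model itself."""
    return required_bytes <= ram_bytes * headroom


def nearest_neighbour_resize(img: Image, new_h: int, new_w: int) -> Image:
    """Nearest-neighbour resize of one image stored as rows of (r, g, b) tuples.
    Stands in for cv2.resize(img, (new_w, new_h), interpolation=cv2.INTER_NEAREST)."""
    old_h, old_w = len(img), len(img[0])
    return [[img[y * old_h // new_h][x * old_w // new_w] for x in range(new_w)]
            for y in range(new_h)]


def batched_resize(images: Iterator[Image], new_h: int, new_w: int,
                   batch_size: int) -> Iterator[List[Image]]:
    """Generator: resize only batch_size images at a time, so peak memory is one
    batch (plus the source batch) instead of the whole resized dataset."""
    batch: List[Image] = []
    for img in images:
        batch.append(nearest_neighbour_resize(img, new_h, new_w))
        if len(batch) == batch_size:
            yield batch
            batch = []
    if batch:
        yield batch


def make_images(n: int, h: int = 4, w: int = 4) -> Iterator[Image]:
    """Constructed sample input: n small synthetic images with simple gradients."""
    for i in range(n):
        yield [[(i % 256, (y * 17) % 256, (x * 23) % 256) for x in range(w)]
               for y in range(h)]


if __name__ == "__main__":
    h, w, c = CIFAR100_SHAPE
    native = dataset_bytes(CIFAR100_IMAGES, h, w, c, bytes_per_value=1)
    resized = dataset_bytes(CIFAR100_IMAGES, 224, 224, c, bytes_per_value=4)
    print(f"CIFAR-100 native uint8 : {native / 1e9:6.2f} GB, fits: {fits_in_ram(native, PI4B_RAM_BYTES)}")
    print(f"resized 224x224 float32: {resized / 1e9:6.2f} GB, fits: {fits_in_ram(resized, PI4B_RAM_BYTES)}")
    sizes = [len(b) for b in batched_resize(make_images(10), 8, 8, batch_size=4)]
    print("batch sizes streamed:", sizes)
```

Running the estimate first turns the "crash within seconds" into a number: the whole dataset resized to 224x224 as float32 is roughly 36 GB, an order of magnitude beyond the board, whereas the native 32x32 uint8 data is under 200 MB. The same batch generator pattern is what Keras data generators and `tf.data` pipelines provide, and it is the form a dataset should take on any SBC regardless of its RAM.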

19.4. Summary

There are many moving parts in this research. We note that the most important is the speed at which AI is improving, with new models appearing continually. New models will be created that will need to be factored into the findings of this research as possible candidates for a future implementation. Hardware will also improve, which may require new equipment to be purchased, especially if SBCs come with NPU chips built in, as the extra performance will allow additional steps to be added to the models to improve their success rates.

20. Conclusions

This review paper critically surveys the detection of malware using artificial intelligence on single-board computers. In addition, this literature review expands on the technologies and the challenges faced as protocols change. Traditional signature-based detection was used in IDS/IPS detection as well as traditional antivirus; however, one of the biggest challenges faced is the fact that the majority of network traffic is now encrypted, and therefore the payload cannot be signature-scanned. Hackers have also given malware the ability to polymorph, i.e., to change its own code to evade detection.
Interconnected devices are on the rise. By 2025, it is predicted that there will be 40+ billion devices connected to the Internet, from a range of manufacturers with a variety of security implementations. Having the ability to shrink malware detection so it can be used on devices like IoT will reduce zero-day attacks, offer genuine end-point protection, and not require regular updating of signature databases.
The datasets used to train these models must be verified and untampered, and any outliers must be removed to ensure that the data used to train the AI are reliable. This will be the source of truth for the AI engines to make decisions based upon. Putting in mechanisms to ensure these datasets are not tampered with is essential as this will become the next target in the future for attackers.
Devices like Raspberry Pi, given their size and cost, make ideal platforms for industry, hobbyists, and researchers, with an almost unlimited amount of possibilities and uses. Their size, cost, and robustness make these small boards a perfect platform to investigate the detection of malware using artificial intelligence.

Author Contributions

Conceptualisation, P.S., P.J., R.S.R. and C.H.; methodology, P.S.; software, P.S.; validation, P.S., P.J., R.S.R. and C.H.; formal analysis, P.S.; investigation, P.S.; resources, P.S.; data curation, P.S.; writing—original draft preparation, P.S.; writing—review and editing, P.J., R.S.R. and C.H.; visualisation, P.S.; supervision, P.J., R.S.R. and C.H.; project administration, P.S. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Data Availability Statement

The data presented in this study are available in the article.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Scheldt, A. 7 Most Common Types of Malware. 2023. Available online: https://www.comptia.org/blog/7-most-common-types-of-malware (accessed on 16 November 2023).
  2. Celdrán, A.H.; Sánchez, P.M.S.; von der Assen, J.; Schenk, T.; Bovet, G.; Pérez, G.M.; Stiller, B. RL and Fingerprinting to Select Moving Target Defense Mechanisms for Zero-day Attacks in IoT. arXiv 2022, arXiv:2212.14647. [Google Scholar] [CrossRef]
  3. Mistry, S.; Pajak, D. Get Started With Machine Learning on Arduino|Arduino Documentation. 2024. Available online: https://docs.arduino.cc/tutorials/nano-33-ble-sense/get-started-with-machine-learning/ (accessed on 4 February 2024).
  4. Mueller, J.P.; Stephens, R. Machine Learning Security Principles: Keep Data, Networks, Users, and Applications Safe from Prying Eyes; Packt Publishing: Birmingham, UK, 2022. [Google Scholar]
  5. Hemalatha, J.; Roseline, S.A.; Geetha, S.; Kadry, S.; Damaševičius, R. An Efficient DenseNet-Based Deep Learning Model for Malware Detection. Entropy 2021, 23, 344. [Google Scholar] [CrossRef]
  6. Tahir, R. A Study on Malware and Malware Detection Techniques. Int. J. Educ. Manag. Eng. 2018, 8, 20–30. [Google Scholar] [CrossRef]
  7. Scott, J. Signature Based Malware Detection Is Dead; Institute for Critical Infrastructure Technology: Washington, DC, USA, 2017. [Google Scholar]
  8. French, R.; Smith, A.; Robinson, M.; Jenkins, P. Initial Video Conference with Airbus. 2023. (Video Call Via Skype). Available online: https://meet.google.com/pup-jbks-chs (accessed on 2 November 2025).
  9. Cuckoo. 2023. Available online: https://cuckoosandbox.org/ (accessed on 16 November 2023).
  10. Djenna, A.; Bouridane, A.; Rubab, S.; Marou, I.M. Artificial Intelligence-Based Malware Detection, Analysis, and Mitigation. Symmetry 2023, 15, 677. [Google Scholar] [CrossRef]
  11. Kolbitsch, C.; Comparetti, P.M.; Kruegel, C.; Kirda, E.; Zhou, X.; Wang, X. Effective and Efficient Malware Detection at the End Host. In Proceedings of the 18th Usenix Security Symposium, Montreal, QC, Canada, 10–14 August 2009. [Google Scholar]
  12. Rabadi, D.; Teo, S.G. Advanced Windows Methods on Malware Detection and Classification. In Proceedings of the Annual Computer Security Applications Conference, Austin, TX, USA, 7–11 December 2020; pp. 54–68. [Google Scholar] [CrossRef]
  13. Schultz, M.; Eskin, E.; Zadok, F.; Stolfo, S. Data Mining Methods for Detection of New Malicious Executables. In Proceedings of the 2001 IEEE Symposium on Security and Privacy, S&P 2001, Oakland, CA, USA, 14–16 May 2001; pp. 38–49. [Google Scholar] [CrossRef]
  14. Kolter, J.Z.; Maloof, M.A. Learning to Detect Malicious Executables in the Wild. In Proceedings of the Tenth ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, Seattle, WA, USA, 22–25 August 2004; pp. 470–478. [Google Scholar] [CrossRef]
  15. Christodorescu, M.; Jha, S.; Seshia, S.; Song, D.; Bryant, R. Semantics-Aware Malware Detection. In Proceedings of the 2005 IEEE Symposium on Security and Privacy (S&P’05), Oakland, CA, USA, 8–11 May 2005; pp. 32–46. [Google Scholar] [CrossRef]
  16. Bayer, U.; Comparetti, P.M.; Hlauschek, C.; Kruegel, C.; Kirda, E. Scalable, Behavior-Based Malware Clustering. In Proceedings of the 16th Annual Network and Distributed System Security (NDSS) Symposium 2009, San Diego, CA, USA, 8–11 February 2009. [Google Scholar]
  17. Bailey, M.; Oberheide, J.; Andersen, J.; Mao, Z.M.; Jahanian, F.; Nazario, J. Automated Classification and Analysis of Internet Malware. In Recent Advances in Intrusion Detection; Kruegel, C., Lippmann, R., Clark, A., Eds.; Springer: Berlin/Heidelberg, Germany, 2007; Volume 4637, pp. 178–197. [Google Scholar] [CrossRef]
  18. Rieck, K.; Trinius, P.; Willems, C.; Holz, T. Automatic Analysis of Malware Behavior Using Machine Learning. J. Comput. Secur. 2011, 19, 639–668. [Google Scholar] [CrossRef]
  19. Santos, I.; Brezo, F.; Ugarte-Pedrero, X.; Bringas, P.G. Opcode Sequences as Representation of Executables for Data-Mining-Based Unknown Malware Detection. Inf. Sci. 2013, 231, 64–82. [Google Scholar] [CrossRef]
  20. Saxe, J.; Berlin, K. Deep Neural Network Based Malware Detection Using Two Dimensional Binary Program Features. In Proceedings of the 2015 10th International Conference on Malicious and Unwanted Software (MALWARE), Fajardo, PR, USA, 20–22 October 2015; pp. 11–20. [Google Scholar] [CrossRef]
  21. Kolosnjaji, B.; Zarras, A.; Webster, G.; Eckert, C. Deep Learning for Classification of Malware System Call Sequences. In AI 2016: Advances in Artificial Intelligence; Kang, B.H., Bai, Q., Eds.; Springer International Publishing: Cham, Switzerland, 2016; Volume 9992, pp. 137–149. [Google Scholar] [CrossRef]
  22. Raff, E.; Barker, J.; Sylvester, J.; Brandon, R.; Catanzaro, B.; Nicholas, C. Malware Detection by Eating a Whole EXE. arXiv 2017, arXiv:1710.09435. [Google Scholar] [CrossRef]
  23. Anderson, H.S.; Roth, P. EMBER: An Open Dataset for Training Static PE Malware Machine Learning Models. arXiv 2018, arXiv:1804.04637. [Google Scholar] [CrossRef]
  24. Gibert, D.; Mateu, C.; Planes, J. The Rise of Machine Learning for Detection and Classification of Malware: Research Developments, Trends and Challenges. J. Netw. Comput. Appl. 2020, 153, 102526. [Google Scholar] [CrossRef]
  25. Naeem, H.; Guo, B.; Naeem, M.R. A Light-Weight Malware Static Visual Analysis for IoT Infrastructure. In Proceedings of the 2018 International Conference on Artificial Intelligence and Big Data (ICAIBD), Chengdu, China, 26–28 May 2018; pp. 240–244. [Google Scholar] [CrossRef]
  26. Catak, F.O.; Yazı, A.F. A Benchmark API Call Dataset for Windows PE Malware Classification. arXiv 2021, arXiv:1905.01999. [Google Scholar] [CrossRef]
  27. Kalash, M.; Rochan, M.; Mohammed, N.; Bruce, N.D.B.; Wang, Y.; Iqbal, F. Malware Classification with Deep Convolutional Neural Networks. In Proceedings of the 2018 9th IFIP International Conference on New Technologies, Mobility and Security (NTMS), Paris, France, 26–28 February 2018; pp. 1–5. [Google Scholar] [CrossRef]
  28. Hei, Y.; Yang, R.; Peng, H.; Wang, L.; Xu, X.; Liu, J.; Liu, H.; Xu, J.; Sun, L. HAWK: Rapid Android Malware Detection through Heterogeneous Graph Attention Networks. arXiv 2021, arXiv:2108.07548. [Google Scholar] [CrossRef] [PubMed]
  29. Marais, B.; Quertier, T.; Morucci, S. AI-based Malware and Ransomware Detection Models. arXiv 2022, arXiv:2207.02108. [Google Scholar] [CrossRef]
  30. Akhtar, M.S.; Feng, T. Evaluation of Machine Learning Algorithms for Malware Detection. Sensors 2023, 23, 946. [Google Scholar] [CrossRef]
  31. Kasarapu, S.; Shukla, S.; Hassan, R.; Sasan, A.; Homayoun, H.; Dinakarrao, S.M.P. Generative AI-Based Effective Malware Detection for Embedded Computing Systems. arXiv 2024, arXiv:2404.02344. [Google Scholar] [CrossRef]
  32. Madamidola, O.A.; Ngobigha, F.; Ez-zizi, A. Detecting New Obfuscated Malware Variants: A Lightweight and Interpretable Machine Learning Approach. Intell. Syst. Appl. 2025, 25, 200472. [Google Scholar] [CrossRef]
  33. Bena, N.; Anisetti, M.; Gianini, G.; Ardagna, C.A. Certifying Accuracy, Privacy, and Robustness of ML-Based Malware Detection. SN Comput. Sci. 2024, 5, 710. [Google Scholar] [CrossRef]
  34. Manthena, H.; Shajarian, S.; Kimmell, J.; Abdelsalam, M.; Khorsandroo, S.; Gupta, M. Explainable Artificial Intelligence (XAI) for Malware Analysis: A Survey of Techniques, Applications, and Open Challenges. IEEE Access 2025, 13, 61611–61640. [Google Scholar] [CrossRef]
  35. DellTechnologies. Internet of Things and Data Placement|Edge to Core and the Internet of Things|Dell Technologies Info Hub. 2023. Available online: https://infohub.delltechnologies.com/l/edge-to-core-and-the-internet-of-things-2/internet-of-things-and-data-placement/ (accessed on 30 November 2023).
  36. Gaurav, A.; Gupta, B.B.; Panigrahi, P.K. A Comprehensive Survey on Machine Learning Approaches for Malware Detection in IoT-based Enterprise Information System. Enterp. Inf. Syst. 2023, 17, 2023764. [Google Scholar] [CrossRef]
  37. Tirumala, S.S.; Nepal, N.; Ray, S.K. Raspberry Pi-based Intelligent Cyber Defense Systems for SMEs and Smart-homes: An Exploratory Study. EAI Endorsed Trans. Smart Cities 2022, 6, e4. [Google Scholar] [CrossRef]
  38. Raywood, D. Thermostat Hacked to Run Ransomware. 2016. Available online: https://www.infosecurity-magazine.com/news/defcon-thermostat-control-hacked/ (accessed on 3 December 2023).
  39. von der Assen, J.; Celdrán, A.H.; Luechinger, J.; Sánchez, P.M.S.; Bovet, G.; Pérez, G.M.; Stiller, B. RansomAI: AI-powered Ransomware for Stealthy Encryption. arXiv 2023, arXiv:2306.15559. [Google Scholar]
  40. Cameron, L. Lindy Cameron at Singapore International Cyber Week. 2022. Available online: https://www.ncsc.gov.uk/speech/lindy-cameron-singapore-international-cyber-week (accessed on 3 December 2023).
  41. Kumar, R.; Zhang, X.; Wang, W.; Khan, R.U.; Kumar, J.; Sharif, A. A Multimodal Malware Detection Technique for Android IoT Devices Using Various Features. IEEE Access 2019, 7, 64411–64430. [Google Scholar] [CrossRef]
  42. Jakka, D.G.; Yathiraju, N.; Ansari, D.M.F. Artificial Intelligence in Terms of Spotting Malware and Delivering Cyber Risk Management. J. Posit. Sch. Psychol. 2022, 6, 6156–6165. [Google Scholar]
  43. Rey, V.; Sánchez Sánchez, P.M.; Huertas Celdrán, A.; Bovet, G. Federated Learning for Malware Detection in IoT Devices. Comput. Networks 2022, 204, 108693. [Google Scholar] [CrossRef]
  44. Bose, S.; Barao, T.; Liu, X. Explaining AI for Malware Detection: Analysis of Mechanisms of MalConv. In Proceedings of the 2020 International Joint Conference on Neural Networks (IJCNN), Glasgow, UK, 19–24 July 2020; pp. 1–8. [Google Scholar] [CrossRef]
  45. McCarthy, J. What Is Artificial Intelligence? Stanford University: Stanford, CA, USA, 2007. [Google Scholar]
  46. Addley, E. AI’ Named Most Notable Word of 2023 by Collins Dictionary. The Guardian, 1 November 2023. Available online: https://www.theguardian.com/technology/2023/nov/01/ai-named-most-notable-word-of-2023-by-collins-dictionary (accessed on 14 November 2023).
  47. What Is Strong AI?|IBM. 2023. Available online: https://www.ibm.com/topics/strong-ai (accessed on 14 November 2023).
  48. Lam, R.; Sanchez-Gonzalez, A.; Willson, M.; Wirnsberger, P.; Fortunato, M.; Alet, F.; Ravuri, S.; Ewalds, T.; Eaton-Rosen, Z.; Hu, W.; et al. Learning Skillful Medium-Range Global Weather Forecasting. Science 2023, 382, eadi2336. [Google Scholar] [CrossRef] [PubMed]
  49. IBM Watson. 2023. Available online: https://www.ibm.com/watson (accessed on 15 November 2023).
  50. Mehrban, A.; Ahadian, P. Malware Detection in IoT Systems Using Machine Learning Techniques. Int. J. Wirel. Mob. Networks 2023, 15, 13–23. [Google Scholar] [CrossRef]
  51. Foote, K.D. A Brief History of the Internet of Things. 2022. Available online: https://www.dataversity.net/brief-history-internet-things/ (accessed on 7 February 2025).
  52. Smith, S. 5G IoT Connections to Surpass 100 Million for First Time Globally by 2026|Press. 2023. Available online: https://www.juniperresearch.com/press/5g-iot-connections-to-surpass-100-mn/ (accessed on 7 February 2025).
  53. Sinha, S. State of IoT 2024: Number of Connected IoT Devices Growing 13% to 18.8 Billion Globally. 2024. Available online: https://iot-analytics.com/number-connected-iot-devices/ (accessed on 7 February 2025).
  54. Vignau, B.; Khoury, R.; Hallé, S. 10 Years of IoT Malware: A Feature-Based Taxonomy. In Proceedings of the 2019 IEEE 19th International Conference on Software Quality, Reliability and Security Companion (QRS-C), Sofia, Bulgaria, 22–26 July 2019; pp. 458–465. [Google Scholar] [CrossRef]
  55. Syarif, A.R.; Gata, W. Intrusion Detection System Using Hybrid Binary PSO and K-nearest Neighborhood Algorithm. In Proceedings of the 2017 11th International Conference on Information & Communication Technology and System (ICTS), Surabaya, Indonesia, 31 October 2017; pp. 181–186. [Google Scholar] [CrossRef]
  56. Alrawi, O.; Lever, C.; Valakuzhy, K.; Court, R.; Snow, K.; Monrose, F.; Antonakakis, M. The Circle Of Life: A Large-Scale Study of The IoT Malware Lifecycle; Georgia Tech: Atlanta, GA, USA, 2021. [Google Scholar]
  57. Hammond, J. 2025. Available online: https://www.youtube.com/watch?v=sznUqJHlzUo (accessed on 20 February 2025).
  58. Staff, A. Five Most Famous DDoS Attacks and Then Some. 2022. Available online: https://www.a10networks.com/blog/5-most-famous-ddos-attacks/ (accessed on 4 August 2024).
  59. Rani, S.; Tripathi, K.; Kumar, A. Machine Learning Aided Malware Detection for Secure and Smart Manufacturing: A Comprehensive Analysis of the State of the Art. Int. J. Interact. Des. Manuf. IJIDeM 2024, 18, 1421–1443. [Google Scholar] [CrossRef]
  60. Carrillo-Mondejar, J.; Suarez-Tangil, G.; Costin, A.; Rodríguez, R.J. Exploring Shifting Patterns in Recent IoT Malware. In Proceedings of the 23rd European Conference on Cyber Warfare and Security, Jyvaskyla, Finland, 27–28 June 2024; Volume 23. [Google Scholar] [CrossRef]
  61. Zhao, B.; Ji, S.; Lee, W.H.; Lin, C.; Weng, H.; Wu, J.; Zhou, P.; Fang, L.; Beyah, R. A Large-Scale Empirical Study on the Vulnerability of Deployed IoT Devices. IEEE Trans. Dependable Secur. Comput. 2022, 19, 1826–1840. [Google Scholar] [CrossRef]
  62. Sforzin, A.; Mármol, F.G.; Conti, M.; Bohli, J.M. RPiDS: Raspberry Pi IDS—A Fruitful Intrusion Detection System for IoT. In Proceedings of the 2016 Intl IEEE Conferences on Ubiquitous Intelligence & Computing, Advanced and Trusted Computing, Scalable Computing and Communications, Cloud and Big Data Computing, Internet of People, and Smart World Congress (UIC/ATC/ScalCom/CBDCom/IoP/SmartWorld), Toulouse, France, 18–21 July 2016; pp. 440–448. [Google Scholar] [CrossRef]
  63. Toubba, K. Security Incident December 2022 Update—LastPass—The LastPass Blog. 2022. Available online: https://blog.lastpass.com/posts/notice-of-recent-security-incident (accessed on 20 February 2025).
  64. Deogirikar, J.; Vidhate, A. Security Attacks in IoT: A Survey. In Proceedings of the 2017 International Conference on I-SMAC (IoT in Social, Mobile, Analytics and Cloud) (I-SMAC), Palladam, India, 10–11 February 2017; pp. 32–37. [Google Scholar] [CrossRef]
  65. NCSC. Cloud Security Shared Responsibility Model. 2022. Available online: https://www.ncsc.gov.uk/collection/cloud/understanding-cloud-services/cloud-security-shared-responsibility-model (accessed on 3 March 2025).
  66. Iwuanyanwu, U.; Oyewole, O.; Fakeyede, O.; Okeleke, E.; Apeh, J. IOT device security risks: A comprehensive overview and mitigation strategies. J. Technol. Innov. 2023, 3, 38–43. [Google Scholar] [CrossRef]
  67. Chadler, S.; Davis, S.; Delacroix, T.; Carrington, W. Ransomware Detection Using Multi-Vector Anomaly Profiling for Maximum Security. Res. Sq. 2024, preprint. [Google Scholar] [CrossRef]
  68. Vormayr, G.; Zseby, T.; Fabini, J. Botnet Communication Patterns. IEEE Commun. Surv. Tutor. 2017, 19, 2768–2796. [Google Scholar] [CrossRef]
  69. IoT Business News. IoT Meets Bitcoin: How Smart Devices Are Mining Cryptocurrency. 2024. Available online: https://iotbusinessnews.com/2024/03/15/13225-iot-meets-bitcoin-how-smart-devices-are-mining-cryptocurrency/ (accessed on 3 March 2025).
  70. Ngo, Q.D.; Nguyen, H.T.; Le, V.H.; Nguyen, D.H. A Survey of IoT Malware and Detection Methods Based on Static Features. ICT Express 2020, 6, 280–286. [Google Scholar] [CrossRef]
  71. Gaydos, B. Defending Against IoT Threats: A Comprehensive Guide to IoT Malware Protection. 2024. Available online: https://duplocloud.com/blog/defending-against-iot-threats-a-comprehensive-guide-to-iot-malware-protection/ (accessed on 17 March 2025).
  72. McCart, C. What Is IoT Malware? Threats to Your Smart Home Security. 2024. Available online: https://www.comparitech.com/antivirus/what-is-iot-malware-and-how-can-you-secure-your-smart-home/ (accessed on 17 March 2025).
  73. Amelia, N.T. Implications of the WannaCry Ransomware Attack on Personal Security: Analysis of Human Security Concepts. PROIROFONIC 2025, 1, 634–641. [Google Scholar]
  74. Secarma. The Growing Threat of IoT Cyber-Attacks—What You Need to Know. Secarma: Penetration Testing and Cybersecurity Company. 2024. Available online: https://secarma.com/the-growing-threat-of-iot-cyber-attacks (accessed on 17 March 2025).
  75. Portnox. Exploring IoT Attacks. 2025. Available online: https://www.portnox.com/cybersecurity-101/iot-attacks/ (accessed on 17 March 2025).
  76. Pawar, D.S. IoT Attack Surge: Threats and Security Solutions|EC-Council. 2024. Available online: https://www.eccouncil.org/cybersecurity-exchange/ethical-hacking/the-rise-of-iot-attacks-endpoint-protection-via-trending-technologies/ (accessed on 17 March 2025).
  77. Morgunov, V.; Shmelev, Y. IoT Threats in 2023. 2023. Available online: https://securelist.com/iot-threat-report-2023/110644/ (accessed on 17 March 2025).
  78. Asimily. The Top Internet of Things (IoT) Cybersecurity Breaches in 2024. 2024. Available online: https://asimily.com/blog/the-top-internet-of-things-iot-cybersecurity-breaches-in-2024/ (accessed on 17 March 2025).
  79. Lazurca, F. Top 10 Vulnerabilities That Make IoT Devices Insecure. 2024. Available online: https://www.cyberark.com/resources/blog/top-10-vulnerabilities-that-make-iot-devices-insecure (accessed on 17 March 2025).
  80. Olaes, T. Top IoT Security Challenges and Best Practices. 2024. Available online: https://www.balbix.com/insights/addressing-iot-security-challenges/ (accessed on 17 March 2025).
  81. Illing, D. Common Cyber-Attacks in the IoT. 2023. Available online: https://www.globalsign.com/en/blog/common-cyber-attacks-in-the-iot (accessed on 17 March 2025).
  82. Ozsoy, M.; Khasawneh, K.N.; Donovick, C.; Gorelik, I.; Abu-Ghazaleh, N.; Ponomarev, D. Hardware-Based Malware Detection Using Low-Level Architectural Features. IEEE Trans. Comput. 2016, 65, 3332–3344. [Google Scholar] [CrossRef]
  83. Casado-Vara, R.; Severt, M.; Díaz-Longueira, A.; Rey, Á.M.D.; Calvo-Rolle, J.L. Dynamic Malware Mitigation Strategies for IoT Networks: A Mathematical Epidemiology Approach. Mathematics 2024, 12, 250. [Google Scholar] [CrossRef]
  84. Hosseinzadeh, S.; Rauti, S.; Laurén, S.; Mäkelä, J.M.; Holvitie, J.; Hyrynsalmi, S.; Leppänen, V. Diversification and Obfuscation Techniques for Software Security: A Systematic Literature Review. Inf. Softw. Technol. 2018, 104, 72–93. [Google Scholar] [CrossRef]
  85. Sivanathan, A.; Gharakheili, H.H.; Loi, F.; Radford, A.; Wijenayake, C.; Vishwanath, A.; Sivaraman, V. Classifying IoT Devices in Smart Environments Using Network Traffic Characteristics. IEEE Trans. Mob. Comput. 2019, 18, 1745–1759. [Google Scholar] [CrossRef]
  86. Bezawada, B.; Bachani, M.; Peterson, J.; Shirazi, H.; Ray, I.; Ray, I. Behavioral Fingerprinting of IoT Devices. In Proceedings of the 2018 Workshop on Attacks and Solutions in Hardware Security, Toronto, ON, Canada, 15–19 October 2018; pp. 41–50. [Google Scholar] [CrossRef]
  87. Djenna, A. Internet of Things Meet Internet of Threats: New Concern Cyber Security Issues of Critical Cyber Infrastructure. Appl. Sci. 2021, 11, 4580. [Google Scholar] [CrossRef]
  88. Sasi, T.; Lashkari, A.H.; Lu, R.; Xiong, P.; Iqbal, S. A Comprehensive Survey on IoT Attacks: Taxonomy, Detection Mechanisms and Challenges. J. Inf. Intell. 2024, 2, 455–513. [Google Scholar] [CrossRef]
  89. Nazir, A.; He, J.; Zhu, N.; Wajahat, A.; Ma, X.; Ullah, F.; Qureshi, S.; Pathan, M.S. Advancing IoT Security: A Systematic Review of Machine Learning Approaches for the Detection of IoT Botnets. J. King Saud Univ.—Comput. Inf. Sci. 2023, 35, 101820. [Google Scholar] [CrossRef]
  90. Mazhar, T.; Talpur, D.B.; Shloul, T.A.; Ghadi, Y.Y.; Haq, I.; Ullah, I.; Ouahada, K.; Hamam, H. Analysis of IoT Security Challenges and Its Solutions Using Artificial Intelligence. Brain Sci. 2023, 13, 683. [Google Scholar] [CrossRef]
  91. Shukla, S.; Dhavlle, A.; D, S.M.P.; Homayoun, H.; Rafatirad, S. Iron-Dome: Securing IoT Networked Systems at Runtime by Network and Device Characteristics to Confine Malware Epidemics. In Proceedings of the 2022 IEEE 40th International Conference on Computer Design (ICCD), Olympic Valley, CA, USA, 23–26 October 2022; pp. 259–262. [Google Scholar] [CrossRef]
  92. Gao, Y.; Al-Sarawi, S.F.; Abbott, D. Physical Unclonable Functions. Nat. Electron. 2020, 3, 81–91. [Google Scholar] [CrossRef]
  93. Alasmary, H.; Khormali, A.; Anwar, A.; Park, J.; Choi, J.; Nyang, D.; Mohaisen, A. Analyzing, Comparing, and Detecting Emerging Malware: A Graph-based Approach. arXiv 2019, arXiv:1902.03955. [Google Scholar] [CrossRef]
  94. Jackson, F. Google’s Emissions Increased by 48% Since 2019, Thanks to AI Pursuits. 2024. Available online: https://www.techrepublic.com/article/google-ai-environmental-impact/ (accessed on 8 July 2024).
  95. Victor, P.; Lashkari, A.H.; Lu, R.; Sasi, T.; Xiong, P.; Iqbal, S. IoT Malware: An Attribute-Based Taxonomy, Detection Mechanisms and Challenges. Peer-Netw. Appl. 2023, 16, 1380–1431. [Google Scholar] [CrossRef] [PubMed]
  96. HP. The Internet of (Insecure) Things. 2014. Available online: https://h41382.www4.hpe.com/gfs-shared/downloads-352.pdf (accessed on 8 July 2024).
  97. Ashoor, A.S.; Gore, S. Intrusion Detection System (IDS) & Intrusion Prevention System (IPS): Case Study. Int. J. Sci. Eng. Res. 2011, 2, 1–3. [Google Scholar]
  98. Uğurlu, M.; Doğru, İ.A.; Arslan, R.S. A New Classification Method for Encrypted Internet Traffic Using Machine Learning. Turk. J. Electr. Eng. Comput. Sci. 2021, 29, 2450–2468. [Google Scholar] [CrossRef]
  99. Ledesma, J. IDS vs. IPS: What Organizations Need to Know. 2022. Available online: https://www.varonis.com/blog/ids-vs-ips (accessed on 3 December 2023).
  100. Parkar, P. A Network Intrusion Detection System Based on Ensemble Machine Learning Techniques. In Proceedings of the 2021 IEEE 2nd International Conference on Applied Electromagnetics, Signal Processing, & Communication (AESPC), Bhubaneswar, India, 26–28 November 2021; pp. 1–6. [Google Scholar] [CrossRef]
  101. Cheng, T.H.; Lin, Y.D.; Lai, Y.C.; Lin, P.C. Evasion Techniques: Sneaking through Your Intrusion Detection/Prevention Systems. IEEE Commun. Surv. Tutor. 2012, 14, 1011–1020. [Google Scholar] [CrossRef]
  102. Kılıç, H.; Katal, N.S.; Selçuk, A.A. Evasion Techniques Efficiency Over The IPS/IDS Technology. In Proceedings of the 2019 4th International Conference on Computer Science and Engineering (UBMK), Samsun, Turkey, 11–15 September 2019; pp. 542–547. [Google Scholar] [CrossRef]
  103. Jia, J.; Chen, K.; Chen, J.; Zhou, D.; Ma, W. Detection and Recognition of Atomic Evasions Against Network Intrusion Detection/Prevention Systems. IEEE Access 2019, 7, 87816–87826. [Google Scholar] [CrossRef]
  104. LeCun, Y.; Cortes, C.; Burges, C.J. MNIST Handwritten Digit Database; ATT Labs: Middletown Township, NJ, USA, 2010; Volume 2, Available online: http://yann.lecun.com/exdb/mnist (accessed on 19 November 2025).
  105. Baldominos, A.; Saez, Y.; Isasi, P. A Survey of Handwritten Character Recognition with MNIST and EMNIST. Appl. Sci. 2019, 9, 3169. [Google Scholar] [CrossRef]
  106. Wang, Y.; Li, F.; Sun, H.; Li, W.; Zhong, C.; Wu, X.; Wang, H.; Wang, P. Improvement of MNIST Image Recognition Based on CNN. IOP Conf. Ser. Earth Environ. Sci. 2020, 428, 012097. [Google Scholar] [CrossRef]
  107. Wu, M.; Chen, L. Image Recognition Based on Deep Learning. In Proceedings of the 2015 Chinese Automation Congress (CAC), Wuhan, China, 27–29 November 2015; pp. 542–546. [Google Scholar] [CrossRef]
  108. Yang, M.; Kumar, P.; Bhola, J.; Shabaz, M. Development of Image Recognition Software Based on Artificial Intelligence Algorithm for the Efficient Sorting of Apple Fruit. Int. J. Syst. Assur. Eng. Manag. 2022, 13, 322–330. [Google Scholar] [CrossRef]
  109. LeCun, Y.; Bengio, Y.; Hinton, G. Deep Learning. Nature 2015, 521, 436–444. [Google Scholar] [CrossRef] [PubMed]
  110. Traore, B.B.; Kamsu-Foguem, B.; Tangara, F. Deep Convolution Neural Network for Image Recognition. Ecol. Inform. 2018, 48, 257–268. [Google Scholar] [CrossRef]
  111. Athiwaratkun, B.; Stokes, J.W. Malware Classification with LSTM and GRU Language Models and a Character-Level CNN. In Proceedings of the 2017 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), New Orleans, LA, USA, 5–9 March 2017; pp. 2482–2486. [Google Scholar] [CrossRef]
  112. Yue, S.; Wang, T. Imbalanced Malware Images Classification: A CNN Based Approach. arXiv 2022, arXiv:1708.08042. [Google Scholar] [CrossRef]
  113. Zheng, Y.; Agyepong, K. Mass Detection with Digitized Screening Mammograms by Using Gabor Features. In Proceedings of the Medical Imaging; Giger, M.L., Karssemeijer, N., Eds.; SPIE: Bellingham, WA, USA, 2007; p. 651402. [Google Scholar] [CrossRef]
  114. Nshafiei. English: VGG Artificial Neural Network Design. 2019. Available online: https://commons.wikimedia.org/wiki/File:VGG_structure.jpg (accessed on 19 November 2025).
  115. El-Shafai, W.; Almomani, I.; AlKhayer, A. Visualized Malware Multi-Classification Framework Using Fine-Tuned CNN-Based Transfer Learning Models. Appl. Sci. 2021, 11, 6446. [Google Scholar] [CrossRef]
  116. Walenstein, A. Exploiting Similarity Between Variants to Defeat Malware. In Proceedings of the BlackHat DC 2007, Washington, DC, USA, 28 February–1 March 2007. [Google Scholar]
  117. Wadkar, M.; Di Troia, F.; Stamp, M. Detecting Malware Evolution Using Support Vector Machines. Expert Syst. Appl. 2020, 143, 113022. [Google Scholar] [CrossRef]
  118. Rad, B.B.; Nejad, M.K.H.; Shahpasand, M. Malware Classification and Detection Using Artificial Neural Networks. J. Eng. Sci. Technol. 2018, 13, 14–23. [Google Scholar]
  119. Vasan, D.; Alazab, M.; Wassan, S.; Safaei, B.; Zheng, Q. Image-Based Malware Classification Using Ensemble of CNN Architectures (IMCEC). Comput. Secur. 2020, 92, 101748. [Google Scholar] [CrossRef]
  120. Smmarwar, S.; Gupta, G.; Jumar, S. AI-empowered Malware Detection System for Industrial Internet of Things. Comput. Electr. Eng. 2023, 108, 108731. [Google Scholar] [CrossRef]
  121. Makandar, A.; Patrot, A. Malware Analysis and Classification Using Artificial Neural Network. In Proceedings of the 2015 International Conference on Trends in Automation, Communications and Computing Technology (I-TACT-15), Bangalore, India, 21–22 December 2015; pp. 1–6. [Google Scholar] [CrossRef]
  122. Catalano, C.; Chezzi, A.; Angelelli, M.; Tommasi, F. Deceiving AI-based Malware Detection through Polymorphic Attacks. Comput. Ind. 2022, 143, 103751. [Google Scholar] [CrossRef]
  123. Saridou, M.; Glatard, T.; Kalout, H. Image-Based Malware Detection Using α-Cuts and Binary Visualisation. Appl. Sci. 2023, 13, 4624. [Google Scholar] [CrossRef]
  124. Yuan, B.; Wang, J.; Liu, D.; Guo, W.; Wu, P.; Bao, X. IoT Malware Classification Based on Lightweight Convolutional Neural Networks. IEEE Internet Things J. 2022, 9, 3770–3783. [Google Scholar] [CrossRef]
  125. Li, Q.; Mi, J.; Li, W.; Wang, J.; Cheng, M. CNN-Based Malware Variants Detection Method for Internet of Things. IEEE Internet Things J. 2021, 8, 16946–16962. [Google Scholar] [CrossRef]
  126. Sharma, G.A.; Singh, K.J.; Singh, M.D. A Deep Learning Approach to Image-Based Malware Analysis. In Progress in Computing, Analytics and Networking; Das, H., Pattnaik, P., Rautaray, S., Li, K.C., Eds.; Springer: Singapore, 2020; pp. 331–340. [Google Scholar] [CrossRef]
  127. Mercaldo, F.; Santone, A. Deep Learning for Image-Based Mobile Malware Detection. J. Comput. Virol. Hack. Tech. 2020, 16, 157–171. [Google Scholar] [CrossRef]
  128. Bakour, K.; Ünver, H.M. VisDroid: Android Malware Classification Based on Local and Global Image Features, Bag of Visual Words and Machine Learning Techniques. Neural Comput. Appl. 2021, 33, 3133–3153. [Google Scholar] [CrossRef]
  129. Jiang, Y.; Li, S.; Wu, Y.; Zou, F. A Novel Image-Based Malware Classification Model Using Deep Learning. In Proceedings of the 26th International Conference on Neural Information Processing (ICONIP), Sydney, Australia, 12–15 December 2019; pp. 248–258. [Google Scholar] [CrossRef]
  130. Su, J.; Vasconcellos, V.D.; Prasad, S.; Daniele, S.; Feng, Y.; Sakurai, K. Lightweight Classification of IoT Malware Based on Image Recognition. In Proceedings of the 2018 IEEE 42nd Annual Computer Software and Applications Conference (COMPSAC), Tokyo, Japan, 23–27 July 2018; Volume 2, pp. 664–669. [Google Scholar] [CrossRef]
  131. Agarap, A.F.M. Towards Building an Intelligent Anti-Malware System: A Deep Learning Approach Using Support Vector Machine (SVM) for Malware Classification. arXiv 2017, arXiv:1801.00318. [Google Scholar]
  132. Tobiyama, S.; Yamaguchi, Y.; Shimada, H.; Ikuse, T.; Yagi, T. Malware Detection with Deep Neural Network Using Process Behavior. In Proceedings of the 2016 IEEE 40th Annual Computer Software and Applications Conference (COMPSAC), Atlanta, GA, USA, 10–14 June 2016; Volume 2, pp. 577–582. [Google Scholar] [CrossRef]
  133. Pascanu, R.; Stokes, J.W.; Sanossian, H.; Marinescu, M.; Thomas, A. Malware Classification with Recurrent Networks. In Proceedings of the 2015 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), Brisbane, QLD, Australia, 19–24 April 2015; pp. 1916–1920. [Google Scholar] [CrossRef]
  134. El-Ghamry, A.; Gaber, T.; Mohammed, K.K.; Hassanien, A.E. Optimized and Efficient Image-Based IoT Malware Detection Method. Electronics 2023, 12, 708. [Google Scholar] [CrossRef]
  135. Ding, Y.; Xia, X.; Chen, S.; Li, Y. Android Malware Detection Method Based on Bytecode Image. J. Phys. Conf. Ser. 2020, 1693, 012165. [Google Scholar] [CrossRef]
  136. Bakır, H.; Elmabruk, K. DroidEncoder: Malware Detection Using Auto-Encoder Based Feature Extractor and Machine Learning Algorithms. Comput. Electr. Eng. 2023, 110, 108804. [Google Scholar] [CrossRef]
  137. Shaukat, K.; Luo, S.; Varadharajan, V. A Novel Deep Learning-Based Approach for Malware Detection. Eng. Appl. Artif. Intell. 2023, 122, 106030. [Google Scholar] [CrossRef]
  138. Ahmed, M.; Afreen, N.; Ahmed, M.; Sameer, M.; Ahamed, J. An Inception V3 Approach for Malware Classification Using Machine Learning and Transfer Learning. Int. J. Intell. Netw. 2023, 4, 11–18. [Google Scholar] [CrossRef]
  139. Zhu, H.; Wei, H.; Wang, L.; Xu, Z.; Sheng, V.S. An Effective End-to-End Android Malware Detection Method. Expert Syst. Appl. 2023, 218, 119593. [Google Scholar] [CrossRef]
  140. Mustafa Majid, A.A.; Alshaibi, A.J.; Kostyuchenko, E.; Shelupanov, A. A Review of Artificial Intelligence Based Malware Detection Using Deep Learning. Mater. Today Proc. 2023, 80, 2678–2683. [Google Scholar] [CrossRef]
  141. Ying, X. An Overview of Overfitting and Its Solutions. J. Phys. Conf. Ser. 2019, 1168, 022022. [Google Scholar] [CrossRef]
  142. Pawlicki, M.; Choraś, M.; Kozik, R. Defending Network Intrusion Detection Systems against Adversarial Evasion Attacks. Future Gener. Comput. Syst. 2020, 110, 148–154. [Google Scholar] [CrossRef]
  143. Chou, Y.L.; Moreira, C.; Bruza, P.; Ouyang, C.; Jorge, J. Counterfactuals and Causability in Explainable Artificial Intelligence: Theory, Algorithms, and Applications. Inf. Fusion 2022, 81, 59–83. [Google Scholar] [CrossRef]
  144. Steadman, P.; Jenkins, P.; Rathore, R.S.; Hewage, C. Challenges in Implementing Artificial Intelligence on the Raspberry Pi 4, 5 and 5 with AI HAT. In Contributions Presented at the International Conference on Computing, Communication, Cybersecurity and AI, July 3–4, 2024, London, UK; Naik, N., Jenkins, P., Prajapat, S., Grace, P., Eds.; Springer Nature: Cham, Switzerland, 2024; Volume 884, pp. 147–157. [Google Scholar] [CrossRef]
  145. Warren, T. Microsoft Is Finally Making Custom Chips—And They’re All About AI. 2023. Available online: https://www.theverge.com/2023/11/15/23960345/microsoft-cpu-gpu-ai-chips-azure-maia-cobalt-specifications-cloud-infrastructure (accessed on 16 November 2023).
  146. AMD. Accelerating the Future with Open, Proven, and Ready AI Solutions. 2023. Available online: https://www.amd.com/en/partner/articles/ai-ready-solutions.html (accessed on 16 November 2023).
  147. Turning Cars into Data Centers on Wheels. 2021. Available online: https://www.avnet.com/wps/portal/us/resources/article/turning-cars-into-data-centers-on-wheels/ (accessed on 16 November 2023).
  148. Rathore, R.S.; Hewage, C.; Kaiwartya, O.; Lloret, J. In-Vehicle Communication Cyber Security: Challenges and Solutions. Sensors 2022, 22, 6679. [Google Scholar] [CrossRef]
  149. Othman, N.A.; Zainodin, M.R.; Anuar, N.; Damanhuri, N.S. Remote Monitoring System Development via Raspberry-Pi for Small Scale Standalone PV Plant. In Proceedings of the 2017 7th IEEE International Conference on Control System, Computing and Engineering (ICCSCE), Penang, Malaysia, 24–26 November 2017; pp. 360–365. [Google Scholar] [CrossRef]
  150. Raspberry Pi. Raspberry Pi AI Kit. 2024. Available online: https://www.raspberrypi.com/products/ai-kit/ (accessed on 11 June 2024).
  151. Besimi, N.; Çiço, B.; Besimi, A.; Shehu, V. Using Distributed Raspberry PIs to Enable Low-Cost Energy-Efficient Machine Learning Algorithms for Scientific Articles Recommendation. Microprocess. Microsyst. 2020, 78, 103252. [Google Scholar] [CrossRef]
  152. Hill, A. Raspberry Pi 5 Industrial PC Brings the Heat with Integrated NVMe SSD. 2023. Available online: https://www.tomshardware.com/news/raspberry-pi-5-edatec-industrial-pc-with-nvme (accessed on 22 December 2023).
  153. Schaller, R. Moore’s Law: Past, Present and Future. IEEE Spectr. 1997, 34, 52–59. [Google Scholar] [CrossRef]
  154. Karunaratna, S.; Maduranga, P. Artificial Intelligence on Single Board Computers: An Experiment on Sound Event Classification. In Proceedings of the 2021 5th SLAAI International Conference on Artificial Intelligence (SLAAI-ICAI), Colombo, Sri Lanka, 6–7 December 2021; pp. 1–5. [Google Scholar] [CrossRef]
  155. Wu, H.; Zhang, Z.; Guan, C.; Wolter, K.; Xu, M. Collaborate Edge and Cloud Computing With Distributed Deep Learning for Smart City Internet of Things. IEEE Internet Things J. 2020, 7, 8099–8110. [Google Scholar] [CrossRef]
  156. Mao, Y.; You, C.; Zhang, J.; Huang, K.; Letaief, K.B. A Survey on Mobile Edge Computing: The Communication Perspective. IEEE Commun. Surv. Tutor. 2017, 19, 2322–2358. [Google Scholar] [CrossRef]
  157. Electronics360. Teardown: Google Nest Hub (2nd Gen). 2021. Available online: https://electronics360.globalspec.com/article/17053/teardown-google-nest-hub-2nd-gen (accessed on 20 February 2024).
  158. Lin, K.Y.; Huang, W.R. Using Federated Learning on Malware Classification. In Proceedings of the 2020 22nd International Conference on Advanced Communication Technology (ICACT), Pyeongchang, Republic of Korea, 16–19 February 2020; pp. 585–589. [Google Scholar] [CrossRef]
  159. Nguyen, D.C.; Ding, M.; Pathirana, P.N.; Seneviratne, A.; Li, J.; Vincent Poor, H. Federated Learning for Internet of Things: A Comprehensive Survey. IEEE Commun. Surv. Tutor. 2021, 23, 1622–1658. [Google Scholar] [CrossRef]
  160. Porambage, P.; Okwuibe, J.; Liyanage, M.; Ylianttila, M.; Taleb, T. Survey on Multi-Access Edge Computing for Internet of Things Realization. IEEE Commun. Surv. Tutor. 2018, 20, 2961–2991. [Google Scholar] [CrossRef]
  161. Pant, D.; Bista, R. Image-Based Malware Classification Using Deep Convolutional Neural Network and Transfer Learning. In Proceedings of the 3rd International Conference on Advanced Information Science and System, Sanya, China, 26–28 November 2021; pp. 1–6. [Google Scholar] [CrossRef]
  162. Essam, D. Transfer-Learning-on-Cifar-100. 2023. Available online: https://kaggle.com/code/diaaessam/transfer-learning-on-cifar-100 (accessed on 31 March 2024).
Figure 1. Methodology of research for this paper.
Figure 2. Strategic literature review process.
Figure 3. Papers per year.
Figure 4. Pie chart of publication types.
Figure 5. Types of malware and cyber threats.
Figure 6. Malware detection methods.
Figure 7. Range of AI.
Figure 8. Global IoT market forecast [53].
Figure 9. IoT compromise.
Figure 10. Cloud service models [65].
Figure 11. IoT compound of risks.
Figure 12. Types of botnet architectures.
Figure 13. Hub and Spoke topologies of Botnets.
Figure 14. Mesh topologies of Botnets.
Figure 15. Hybrid topologies of Botnets.
Figure 16. Methods of DNS hijacking.
Figure 17. Framework of identifying malware.
Figure 18. Malware attack lifecycle.
Figure 19. Multi-layered defence against IoT Malware.
Figure 20. Control Flow Graph (CFG) example.
Figure 21. Future of IoT Malware Defense.
Figure 22. TTL evasion technique.
Figure 23. WireGuard screenshot showing a TTL of 64.
Figure 24. Examples from the MNIST dataset [105].
Figure 25. Sigmoid and ReLU activation functions.
Figure 26. Convolution operation example [110].
Figure 27. VGG-19 model architecture [114].
Figure 28. Malware classification as greyscale images.
Figure 29. Three hidden layers—deep neural network.
Figure 30. IoT Ecosystem.
Figure 31. Raspberry Pi used for small maker projects [150].
Figure 32. Raspberry Pi Lab.
Figure 33. Industrial Raspberry Pi 5 [152].
Figure 34. Conceptual model to train AI on bigger servers and issue to Raspberry Pis.
Figure 35. Jupyter Notebook environment used for initial script execution and debugging.
Figure 36. htop export showing the RAM maxing out at 3.90 GB on Raspberry Pi 4B.
Table 1. Reference sources.

| Publication Type | Count |
|---|---|
| Journal Article | 40 |
| Website | 29 |
| arXiv Paper | 9 |
| Conference Proceeding | 19 |
| Book Chapter | 2 |
| Book | 1 |
| Report | 2 |
| Other | 5 |
Table 2. Comprehensive table of AI-based malware detection methods.

| Year | Ref. | Methodology | Category | Key Aspects | Complexity | Advantages | Drawbacks | Results |
|---|---|---|---|---|---|---|---|---|
| 2001 | [13] | Naive Bayes, RIPPER | ML | Analysis of DLL calls, strings and byte sequences | Low | Pioneering work in automated malware detection | Limited feature set, simplistic approach | 97.76% detection rate |
| 2004 | [14] | Decision trees, SVM, Boosting | ML | n-gram analysis of binary content | Medium | Effective with limited features, interpretable | Limited to static analysis | 95–98% accuracy using boosted decision trees |
| 2005 | [15] | Template-based matching | Heuristic | Control flow graph analysis | Medium | Resilient to certain obfuscation techniques | Limited to known malware patterns | 87.3% detection rate |
| 2008 | [16] | Behavioural profiling | Dynamic | Dynamic analysis through sandboxing | High | Effective against obfuscated malware | High resource requirements | 88% classification accuracy |
| 2007 | [17] | Hierarchical clustering | ML (Unsupervised) | Behaviour-based classification | High | Automated classification of unknown malware | Requires controlled execution environment | Clustered 3698 samples into 403 distinct behaviours |
| 2011 | [18] | SVM | ML | Behavioural analysis and clustering | High | Detects zero-day threats | Resource intensive, time-consuming | 93% detection rate |
| 2013 | [19] | SVM, k-NN, Bayesian networks | ML | Opcode sequence analysis | Medium | Effective against packed malware | High computational overhead | 85–95% accuracy depending on classifier |
| 2015 | [20] | Deep Neural Networks | DL | Binary visualisation and entropy analysis | High | Reduced feature engineering | Requires large datasets | 95% detection accuracy |
| 2016 | [21] | CNN + LSTM | Hybrid (DL) | Hybrid static–dynamic analysis | Very High | Captures both spatial and temporal patterns | Complex architecture, high training time | 89.4% detection accuracy |
| 2017 | [22] | Extremely Randomized Trees | ML | Raw byte analysis | Medium | Effective with minimal preprocessing | Scalability issues | 94.6% accuracy on Windows PE files |
| 2018 | [23] | LightGBM | ML | EMBER dataset with engineered features | High | Open benchmark dataset, robust classifier | Limited to PE files | 97.3% accuracy on test set |
| 2020 | [24] | CNN with transfer learning | DL | Image-based representation of binaries | Very High | Improved generalisation | Domain adaptation challenges | 98.4% detection rate |
| 2020 | [25] | LSTM | DL | Static analysis of PE headers | Medium | Lightweight analysis, efficient processing | Not effective against advanced obfuscation | 94.7% detection accuracy |
| 2021 | [26] | Auto-encoder with SVM | Hybrid | Dimensionality reduction and anomaly detection | High | Effective at detecting novel malware | Training complexity | 96.8% accuracy |
| 2020 | [27] | Deep Learning (VGG-16) | DL | Malware visualisation as grayscale images | Very High | Automatic feature extraction | Resource-intensive | 99.03% accuracy |
| 2021 | [28] | Heterogeneous Graph Attention (HAWK) | DL (Graph) | Models Android apps as heterogeneous networks | Moderate | High detection accuracy; fast detection | May require extensive data preprocessing | Achieved highest detection accuracy among baselines |
| 2022 | [29] | Combined ML and DL models | Hybrid | Flexible solution for malware and ransomware | Moderate | Modular and interchangeable detection modules | Complexity in model integration | Demonstrated improvements in detection performance |
| 2023 | [30] | Evaluation of ML algorithms | ML Survey | Comparative analysis of various ML algorithms | Low/Mod | Aids in selecting suitable algorithms | May not cover all emerging techniques | Offers evaluation metrics for different ML algorithms |
| 2024 | [31] | Generative AI | GenAI | Code-aware data generation for limited samples | High | Enhances detection of emerging malware | Potential for generating impractical samples | Achieved 90% accuracy on limited samples |
| 2024 | [32] | Lightweight interpretable ML | ML | Random forest models trained on single subtype | Low | Fast processing (5.7 μs); interpretable | Limited to specific malware families | Successfully detected 15 malware subtypes |
| 2024 | [33] | Dynamic detection + Certification | ML Framework | Focus on accuracy, privacy, and robustness | High | Addresses AI Act requirements; enhances trust | Implementation complexity | Effective in certifying non-functional properties |
| 2025 | [34] | Explainable AI (XAI) | XAI | Transparency in ML-based detection | Medium | Highlights importance of interpretability | Survey; no new detection technique | Insights into integrating XAI in malware detection |
Table 3. Ransomware reach.

| Ser. | Vector | Explanation |
|---|---|---|
| 1 | Network access | A broader network reach indicates that attackers can potentially encrypt data on a larger number of devices within the network, amplifying the attack’s overall effect. |
| 2 | Lateral movement | Ransomware typically employs strategies to navigate laterally within a network, encrypting data on various systems beyond the initial compromise point. |
| 3 | Data sensitivity | The extent of the reach is also affected by the sensitivity of the data located on impacted systems; highly sensitive information can lead to more significant disruption and greater pressure to meet ransom demands. |
| 4 | Network architecture | Weakly segmented networks can facilitate easier ransomware spread. |
| 5 | User access controls | Inadequate password management or elevated privileges may permit attackers to navigate the network unrestricted. |
| 6 | Outdated software | Unpatched vulnerabilities in software can establish access points for attackers. |
| 7 | Backup practices | Insufficiency of reliable and recent backups can increase the pressure to pay the ransom. |
Table 4. Network-based IoT attack cases.

| Attack Name | Year | Devices Targeted | Network Analysis Techniques Used | Outcome |
|---|---|---|---|---|
| Mirai Botnet | 2016 | Routers, IP cameras, DVRs | Network flow analysis, traffic monitoring [72]. | Massive DDoS attacks, internet outages |
| WannaCry Ransomware | 2017 | Windows systems (including some IoT) | Network traffic analysis (to understand propagation) [73]. | Data encryption, ransom demands, operational disruptions |
| Stuxnet | 2010 | Industrial control systems | Specialized network analysis for industrial protocols [74]. | Physical damage to Iranian nuclear facilities |
| Dyn Cyberattack | 2016 | IoT devices infected with Mirai | Network flow analysis (to trace source of DDoS) [75]. | Widespread internet service disruptions |
| Verkada Camera Breach | 2021 | Cloud-based video surveillance cameras | Network analysis (to understand the breach) [76]. | Compromised access to private information and live feeds |
| Matrix Botnet | 2024 | Various IoT devices | Network scanning and traffic analysis [77]. | Global botnet used for DDoS attacks |
| Raptor Train Botnet | 2024 | SOHO and IoT devices | Network analysis to uncover the botnet [78]. | Compromised over 200,000 devices |
| AVTECH IP Camera Exploits | 2024 | AVTECH IP cameras | Network analysis to detect Mirai malware spread [78]. | Potential disruption to critical infrastructure |
Table 5. Attack vectors of IoT.

| Attack Vector | Description | Mitigation Strategies |
|---|---|---|
| Weak/Default Passwords | Easily guessable or unchanged factory-set credentials. | Implement strong, unique passwords and enforce password change policies [72]. |
| Outdated Firmware | Software on devices not regularly updated, containing known vulnerabilities. | Establish a regular firmware update and patch management process [72]. |
| Insecure Network Services | Unnecessary or vulnerable services running on the device. | Disable unnecessary network services and secure necessary ones [79]. |
| Insecure Ecosystem Interfaces | Weaknesses in web, API, cloud, or mobile interfaces. | Implement strong authentication and authorisation mechanisms; use encryption [79]. |
| Lack of Secure Update Mechanism | Inability to securely update device firmware or software. | Implement secure over-the-air update mechanisms with integrity checks. |
| Use of Insecure Components | Utilising outdated or vulnerable software libraries or hardware components. | Regularly audit and update software components; ensure secure supply chain. |
| Poor Vulnerability Testing | Insufficient testing during development leads to undiscovered weaknesses. | Implement thorough vulnerability testing and secure development practices [80]. |
| Lack of Device Management | Insufficient oversight and control over deployed IoT devices. | Maintain a comprehensive device inventory and implement device management tools. |
| APIs as Entry Points | Exploiting vulnerabilities in APIs used by IoT devices. | Secure APIs with proper authentication, authorisation, and input validation [80]. |
| Physical Tampering | Unauthorised physical access to devices to extract data or modify functionality. | Implement physical security measures to protect devices from unauthorised access [81]. |
Table 6. Network analysis techniques for IoT malware detection.

| Technique | Description | Advantages | Disadvantages |
|---|---|---|---|
| Traffic Monitoring & Analysis | Real-time observation of network traffic patterns, data volume, and communication destinations. | Detects unusual behaviour, provides visibility into device interactions. | Can generate large volumes of data, may require baselining. |
| Deep Packet Inspection (DPI) | Examination of the content (header and payload) of network packets. | Identifies known malware signatures and malicious payloads. | Resource-intensive, privacy concerns, challenges with encrypted traffic. |
| Network Flow Analysis | Analysis of network communication metadata (IP addresses, ports, protocols, traffic volume). | Lightweight, can reveal command and control activity and lateral movement. | Does not inspect packet content, may miss sophisticated malware. |
| Anomaly Detection | Identification of deviations from normal network behaviour using statistical or machine learning models. | Detects novel and zero-day attacks, identifies unusual activity. | Can produce false positives, requires adaptation to evolving behaviour. |
Table 7. Comparison of common CNN architectures on ImageNet benchmark.

| Model | Top-1 Accuracy (%) | Parameters (Millions) | Depth (Layers) | Computational Cost (GFLOPS) |
|---|---|---|---|---|
| AlexNet | 57.1 | 61 | 8 | 1.5 |
| VGG-16 | 71.5 | 138 | 16 | 15.5 |
| GoogLeNet | 69.8 | 7 | 22 | 1.6 |
| ResNet-50 | 75.2 | 25.6 | 50 | 4.1 |
| Inception-V3 | 77.9 | 23.8 | 48 | 5.7 |
| DenseNet-201 | 77.3 | 20 | 201 | 4.3 |
| MobileNetV2 | 71.8 | 3.5 | 53 | 0.3 |
Table 8. Performance and resource analysis of various CNN models [115].

| CNN Model | No. of Layers | Storage Req. (MB) | Total Params (Millions) | Non-Trainable Params | Trainable Params | Total Exec. Time (s) | Avg Time per Malware (s) | Reduced Training Params (%) |
|---|---|---|---|---|---|---|---|---|
| VGG16 | 16 | 515 | 138 | 137,897,600 | 102,400 | 6600 | 0.7065 | 99.92 |
| AlexNet | 8 | 277 | 61 | 60,897,600 | 102,400 | 2340 | 0.2505 | 99.83 |
| DarkNet53 | 53 | 155 | 41.6 | 41,574,400 | 25,600 | 4980 | 0.5331 | 99.93 |
| DenseNet-201 | 201 | 167 | 20 | 19,952,000 | 48,000 | 8160 | 0.8736 | 99.76 |
| InceptionV3 | 48 | 89 | 23.9 | 23,848,800 | 51,200 | 6420 | 0.6873 | 99.78 |
| Places365-GoogleNet | 22 | 27 | 7 | 6,974,400 | 25,600 | 2220 | 0.2377 | 99.63 |
| ResNet50 | 50 | 96 | 25.6 | 25,548,800 | 51,200 | 3420 | 0.3661 | 99.80 |
| MobileNetV2 | 53 | 13 | 3.5 | 3,468,000 | 32,000 | 3360 | 0.3597 | 99.09 |
Table 9. Imagery to detect Malware comparison.

| Author(s) | Title | Key Points | Strategy | % |
|---|---|---|---|---|
| Saridou et al., 2023 [123] | Image-Based Malware Detection Using α-Cuts and Binary Visualisation | CNNs and vision transformers | RGB image recognition with feature extraction against ResNet50 dataset | 93.6% |
| Djenna et al., 2022 [10] | Artificial Intelligence-Based Malware Detection, Analysis, and Mitigation | Combines static deep learning with heuristics | Lacks details on the specific image processing techniques used. | 97 to 100% against different families |
| Yuan et al., 2021 [124] | IoT Malware Classification Based on Lightweight Convolutional Neural Networks | LCNN | Using a lightweight CNN with a 1 MB saved model against greyscale imagery | 99.356% |
| Li et al., 2021 [125] | CNN-Based Malware Variants Detection Method for Internet of Things | Enhanced CNN using SPP-Net | RGB imagery against several CNN algorithms | 98.57% |
| Sharma et al., 2020 [126] | A Deep Learning Approach to Image-Based Malware Analysis | CNN & SVC | A research paper investigating the use of CNN and SVC against the Malimg set | 97% |
| Francesco et al., 2020 [127] | Deep learning for image-based mobile malware detection | CNN | Detection, family identification and variant identification of malware on Android using greyscale imagery | 95.8% |
| Bakour et al., 2020 [128] | Android malware classification based on local and global image features, bag of visual words and machine learning techniques | Random Forest, K-nearest neighbour, Decision trees, Bagging, AdaBoost and Gradient Boost classifiers | Extracting features out of malware images using SIFT, SURF, ORB and KAZE | 92.77% |
| Jiang et al., 2019 [129] | A Novel Image-Based Malware Classification Model Using Deep Learning | CNN | MalVecNet is simpler and has faster convergence; tested against the Microsoft malware classification challenge dataset | 99.49% |
| Su et al., 2018 [130] | Lightweight Classification of IoT Malware Based on Image Recognition | CNN+MLP+GRU | Research based on IoT and limited malware converted into images. | 94% |
| Agarap et al., 2017 [131] | Towards Building an Intelligent Anti-Malware System: A Deep Learning Approach using Support Vector Machine (SVM) for Malware Classification | CNN-SVM, GRU-SVM, MLP-SVM | Used three models to find the best algorithm against the Malimg dataset | 84.92% (GRU-SVM) |
| Tobiyama et al., 2016 [132] | Malware Detection with Deep Neural Network Using Process Behavior | Recurrent neural networks (RNNs) and Convolutional Neural Network (CNN) | Using RNN for feature extraction converted to images, then passing images to CNN for classification | 96% |
| Pascanu et al., 2015 [133] | Malware classification with recurrent networks | Echo state networks (ESNs) and recurrent neural networks (RNNs) | Research to mirror a behavioural language model | 98.3% |
| El-Ghamry et al., 2023 [134] | Optimized and Efficient Image-Based IoT Malware Detection Method | Ant colony optimizer (ACO) and SVM | Network traffic captured, converted to images and passed to SVM | 95.56% |
| Ding et al., 2020 [135] | Android malware detection method based on bytecode image | CNN | Researching CNN against Android malware compared with SVM results | 95.1% |
| Bakır & Elmabruk 2023 [136] | DroidEncoder: Malware detection using auto-encoder based feature extractor and machine learning algorithms | CNN & VGG19 SVM | Using VGG19 to extract features, then running them through a number of ML algorithms; VGG19-Encoder-SVM | 98.56% |
| Shaukat et al., 2023 [137] | A novel deep learning-based approach for malware detection | Multiple CNNs and ML | RegNetY320 as the feature extractor and SVM as the final detector | 99.06% |
| Ahmed et al., 2022 [138] | An inception V3 approach for malware classification using machine learning and transfer learning | Inception V3 | Testing Inception v3 against other models | 98.76% |
| Zhu et al., 2023 [139] | An effective end-to-end android malware detection method | RGB and MADRF-CNN | Using Dex features with MADRF-CNN | 96.9% |
Table 10. Cloud vs. Edge [156].

| Technical Aspect | Edge | Cloud |
|---|---|---|
| Deployment | Small Scale | Large Scale |
| Distance to IoT | Low | High |
| Latency | Low | High |
| Delay Jitter | Low | High |
| Computational Power | Limited | High |
| Storage | Limited | High |
| Usage | Infrequent | Frequent |
| Applications | Latency Critical, AR, Self Driving. | Latency-tolerant, Social networking, commerce, health. |
Table 11. Comparison of CNN model complexity and resource requirements for SBC deployment.

| CNN Model | Layers | Storage (MB) | Params (M) | Optimization Suitability |
|---|---|---|---|---|
| VGG16 | 16 | 515 | 138 | Poor for SBCs; High overhead |
| AlexNet | 8 | 277 | 61 | Moderate; High memory use |
| DarkNet53 | 53 | 155 | 41.6 | Moderate; Complex depth |
| ResNet50 | 50 | 96 | 25.6 | Good; Balanced efficiency |
| Inception V3 | 48 | 89 | 23.9 | Moderate; High latency |
| MobileNetV2 | 53 | 13 | 3.5 | Excellent; Designed for edge |
Steadman, P.; Jenkins, P.; Rathore, R.S.; Hewage, C. Low-Cost Malware Detection with Artificial Intelligence on Single Board Computers. Future Internet 2026, 18, 46. https://doi.org/10.3390/fi18010046