IoT-Home-Guard – A Tool For Malicious Behavior Detection In IoT Devices


IoT-Home-Guard is a project to help people discover malware in smart home devices.

For users, the project can help detect compromised smart home devices. For security researchers, it is also useful for network analysis and malicious behavior detection.

In July 2018 we completed the first version. We will complete the second version by October 2018, with an improved user experience and an increased number of identifiable devices.

The first generation is a hardware device based on Raspberry Pi with wireless network interface controllers. We will customize new hardware in the second generation. The system can also be set up with the software part on laptops after the essential environment configuration. The software part is available in software_tools/.

Proof of principle
Our approach is based on the detection of malicious network traffic. A device implanted with malware will communicate with a remote server, trigger a remote shell, or send audio/video to the server.
The chart below shows the network traffic of a device implanted with snooping malware.
Red line: traffic between devices and a remote spy server.
Green line: normal traffic of devices.
Black line: sum of TCP traffic.


  1. AP module and data flow catcher: Catch network traffic.
  2. Traffic analyzing engine: Extract characteristics from network traffic and compare them with the device fingerprint database.
  3. Device fingerprint database: Normal network behaviors of each device, based on a whitelist. Calls APIs of the 360 threat intelligence database (
  4. Web server: There may be a web server in the second generation.


                                           ___________________       ___________________
                                          |                   |     |                   |
                                          | data_flow_catcher |<----| devices connected |
                                          |___________________|     |___________________|
 ____________________________              ____↓________________
|                            |            |                     |
| device_fingerprint_databse |<---------> | flow_analyze_engine |
|____________________________|       ¦    |_____________________|
                                     ¦         ↑
                                     ¦         ¦
 __________________________________  ¦     ____↓_______              _________________
|                                  | ¦    |            |            |                 |
| 360 threat intelligence database |<-    | web_server |<-----------| user interfaces |
|__________________________________|      |____________|            |_________________|

The tool works as an Access Point to which the devices under test are connected manually, and it sends their network traffic to the traffic analyzing engine for characteristic extraction. The traffic analyzing engine compares the characteristics with entries in the device fingerprint database to recognize the device type and suspicious network connections. The device fingerprint database is a collection of the normal behaviors of each device, based on a whitelist. Additionally, the characteristics are looked up in the threat intelligence database of Qihoo 360 to identify malicious behaviors. A web server is set up as the user interface.
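The whitelist comparison described above can be sketched as follows. This is an added example, not code from IoT-Home-Guard: the fingerprint format, field names, host names and flow records are all constructed for illustration, and the threat intelligence lookup is left out.

```python
# Added illustration of a whitelist-based flow check. The fingerprint format,
# field names and every sample value are constructed, not taken from the project.
from collections import defaultdict
from fnmatch import fnmatch

# Hypothetical fingerprint database: device type -> allowed (proto, host pattern, port).
FINGERPRINTS = {
    "smart_speaker": {("tcp", "*.vendor-cloud.example", 443),
                      ("udp", "ntp.vendor-cloud.example", 123)},
    "ip_camera": {("tcp", "stream.cam-vendor.example", 443),
                  ("tcp", "*.cam-vendor.example", 8883)},
}

def matches(flow, rule):
    """True when a flow record is covered by one whitelist rule."""
    proto, pattern, port = rule
    return (flow["proto"] == proto and flow["port"] == port
            and fnmatch(flow["host"], pattern))

def recognise_device(flows):
    """Pick the device type whose whitelist explains the most flows, or None."""
    scores = {dev: sum(any(matches(f, r) for r in rules) for f in flows)
              for dev, rules in FINGERPRINTS.items()}
    best = max(scores, key=scores.get)
    return best if scores[best] > 0 else None

def analyse(flows):
    """Return (device_type, suspicious); suspicious maps endpoint -> total bytes."""
    device = recognise_device(flows)
    rules = FINGERPRINTS.get(device, set())  # unknown device: nothing is whitelisted
    suspicious = defaultdict(int)
    for f in flows:
        if not any(matches(f, r) for r in rules):
            suspicious[(f["proto"], f["host"], f["port"])] += f["bytes"]
    return device, dict(suspicious)

# Constructed flow records, as a capture on the access point might summarise them.
SAMPLE_FLOWS = [
    {"proto": "tcp", "host": "api.vendor-cloud.example", "port": 443, "bytes": 5200},
    {"proto": "udp", "host": "ntp.vendor-cloud.example", "port": 123, "bytes": 96},
    {"proto": "tcp", "host": "198.51.100.23", "port": 4444, "bytes": 181000},
    {"proto": "tcp", "host": "198.51.100.23", "port": 4444, "bytes": 64000},
]

if __name__ == "__main__":
    device, suspicious = analyse(SAMPLE_FLOWS)
    print("device:", device)
    for endpoint, total in suspicious.items():
        print("not in whitelist:", endpoint, total, "bytes")
```

Endpoints that remain after the whitelist pass are the ones that would then be looked up in a threat intelligence source.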

In our research, we have successfully implanted Trojans in eight devices, including smart speakers, cameras, driving recorders and mobile translators, with IoT-Implant-Toolkit.
A demo video is below:

We collected the characteristics of those devices and ran IoT-Home-Guard. All devices implanted with Trojans were detected. We believe that malicious behaviors of more devices can be identified with high accuracy once the fingerprint database is supplemented.

