🤖 AI Summary
In resource-constrained IoT malware detection, existing remote attestation (RA) and traffic analysis (TA) approaches suffer from low accuracy, poor real-time performance, or high energy overhead. To address these limitations, this paper proposes MADEA, a collaborative detection system. MADEA innovatively integrates lightweight traffic anomaly detection—based on fine-grained device behavioral modeling—with on-demand remote attestation, enabling dynamic, behavior-triggered verification. This closed-loop design jointly identifies suspicious activities and confirms the presence of malicious code. Evaluated against state-of-the-art methods, MADEA achieves a 100% true positive rate, reduces detection latency by 160×, and cuts periodic attestation energy consumption to 1/14. These results demonstrate a significant breakthrough in reconciling the inherent trade-offs among detection certainty, real-time responsiveness, and energy efficiency—previously unattainable with RA- or TA-only solutions.
📝 Abstract
Internet-of-Things (IoT) devices are vulnerable to malware and require new mitigation techniques due to their limited resources. To that end, previous research has used periodic Remote Attestation (RA) or Traffic Analysis (TA) to detect malware in IoT devices. However, RA is expensive, and TA only raises suspicion without confirming malware presence. To solve this, we design MADEA, the first system that blends RA and TA to offer a comprehensive approach to malware detection for the IoT ecosystem. TA builds profiles of expected packet traces during benign operations of each device and then uses them to detect malware from network traffic in real-time. RA confirms the presence or absence of malware on the device. MADEA achieves 100% true positive rate. It also outperforms other approaches with 160x faster detection time. Finally, without MADEA, effective periodic RA can consume at least ~14x the amount of energy that a device needs in one hour.
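A minimal working model of the closed loop the abstract describes, added here as an example and not code from the MADEA paper: a behaviour profile learned from benign packet traces flags the first packet that deviates, and only then does the verifier issue a challenge-response attestation to confirm or clear the device. The packet feature tuple, the HMAC-over-firmware attestation and the in-process shared key are assumptions for illustration; a real prover would root the key and measurement in hardware-protected code.

```python
import hmac
import hashlib
import secrets

# Each packet is abstracted to (direction, protocol, remote_port, size_bucket); the
# profile keeps the set of observed tuples and of consecutive-pair transitions.
# This feature choice is an assumption for the example, not the paper's exact model.
def build_profile(benign_traces):
    vocab, transitions = set(), set()
    for trace in benign_traces:
        vocab.update(trace)
        transitions.update(zip(trace, trace[1:]))
    return {"vocab": vocab, "transitions": transitions}

def find_anomaly(profile, trace):
    """Return the index of the first packet that violates the profile, or None."""
    prev = None
    for i, pkt in enumerate(trace):
        if pkt not in profile["vocab"] or (prev and (prev, pkt) not in profile["transitions"]):
            return i
        prev = pkt
    return None

# Simulated prover/verifier pair; the shared key is an assumption (in practice it lives
# in a hardware-protected region of the device, never in application memory).
ATTEST_KEY = b"example-shared-attestation-key"

def device_attest(firmware, nonce):
    """Prover: keyed measurement of its firmware bound to the verifier's fresh nonce."""
    return hmac.new(ATTEST_KEY, nonce + firmware, hashlib.sha256).digest()

def verify_on_demand(golden_firmware, device_firmware):
    """Verifier: challenge the device and compare against the known-good image."""
    nonce = secrets.token_bytes(16)
    report = device_attest(device_firmware, nonce)
    expected = hmac.new(ATTEST_KEY, nonce + golden_firmware, hashlib.sha256).digest()
    return hmac.compare_digest(report, expected)

def madea_check(profile, trace, golden_firmware, device_firmware):
    """TA flags, RA confirms: returns 'benign', 'false_alarm' or 'malware'."""
    if find_anomaly(profile, trace) is None:
        return "benign"
    return "false_alarm" if verify_on_demand(golden_firmware, device_firmware) else "malware"

# Constructed sample data: DNS lookup then MQTT-over-TLS traffic is the device's normal pattern.
DNS_Q, DNS_R = ("out", "udp", 53, "small"), ("in", "udp", 53, "small")
MQTT_OUT, MQTT_IN = ("out", "tcp", 8883, "small"), ("in", "tcp", 8883, "small")
BENIGN_TRACES = [[DNS_Q, DNS_R, MQTT_OUT, MQTT_IN], [MQTT_OUT, MQTT_IN, MQTT_OUT, MQTT_IN]]
SUSPICIOUS = [MQTT_OUT, MQTT_IN, ("out", "tcp", 23, "small")]  # port never seen in benign profile
GOLDEN = b"firmware-v1.0-constructed-image"
TAMPERED = GOLDEN + b"+unexpected-code"
```

Attestation runs only when traffic deviates, which is what keeps the periodic-attestation energy cost off the device during normal operation.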