IoMT Malware Detection Approaches: Analysis and Research Challenges

The advancement in Information and Communications Technology (ICT) has changed the entire paradigm of computing. Because of such advancement, we have new types of computing and communication environments, for example, the Internet of Things (IoT), which is a collection of smart IoT devices. The Internet of Medical Things (IoMT) is a specific type of IoT communication environment which deals with communication through smart healthcare (medical) devices. Though the IoT communication environment facilitates and supports our day-to-day activities, at the same time it also has certain drawbacks, as it suffers from several security and privacy issues, such as replay, man-in-the-middle, impersonation, privileged-insider, remote hijacking, password guessing, denial of service (DoS) and malware attacks. Among these attacks, the attacks which are performed through a malware botnet (i.e., Mirai) are the malignant ones. The existence of malware botnets leads to attacks on the confidentiality, integrity, authenticity and availability of the data and other resources of the system. In the presence of such attacks, the sensitive data of IoT communication may be disclosed, altered or even made unavailable to the authorized users. Therefore, it becomes essential to protect the IoT/IoMT environment from malware attacks. In this review paper, we first study various types of malware attacks and their symptoms. We also discuss some architectures of the IoT environment along with their applications. Next, a taxonomy of security protocols in the IoT environment is provided. Moreover, we conduct a comparative study of various existing schemes for malware detection and prevention in the IoT environment. Finally, some future research challenges and directions for malware detection in the IoT/IoMT environment are highlighted.


I. INTRODUCTION
The Internet of Things (IoT) is a network of physical objects such as smart machines, smart home appliances and many more. They have a uniquely assigned Internet address (IP) through which they can communicate with the external entities (i.e., the user of a smart home) of the network. These devices use sensors and application programming interfaces (APIs) to connect and exchange data over the Internet [1]-[3]. An IoT device is a kind of micro-computer which is very domain-specific, unlike the traditional function-specific embedded devices. According to the ''Gartner report'', the number of connected devices across all technical domains will reach up to 1.0 trillion by 2025. The progress of IoT device deployment over the decades is provided in Table 1.
The Internet of Medical Things (IoMT) is another form of IoT communication environment. It consists of medical devices, such as smart healthcare and monitoring devices (i.e., smart pacemaker, smart blood glucose meter, etc.), and applications which connect them to the healthcare IoT systems through the Internet. Medical devices are also equipped with some wireless communication technology (i.e., Bluetooth, Wi-Fi) that allows machine-to-machine communication, which is a foundation for the IoMT communication environment. In IoMT, the smart healthcare devices sense (monitor) the health-related information of the patient and send the data to some server (for example, a cloud server). Some cloud platforms, such as Amazon Web Services (AWS), may be used to store the health data and analyze it for further decision making and health prescriptions [5]-[8].
The security issues in IoT devices are going to increase day by day because of the rapid development and deployment of IoT systems. This opens the possibility to launch various types of attacks in the IoT environment using the Internet. It becomes a very serious issue in the case of IoMT, which deals with the communication and control of smart medical devices. For example, if an attacker successfully gets remote control over a smart medical device, he/she can threaten the life of the patient (i.e., a smart pacemaker can give a shock to a patient which may become the reason for his/her death). Different variations of IoT malware are constantly emerging. These emerging malwares can also affect the communication of IoMT, and they can be used to control the smart medical devices.
The existing mechanisms are not sufficient for IoT/IoMT malware detection and analysis, as we have seen recently in the attacks performed by the Mirai and BrickerBot botnets. These attacks produce distributed denial-of-service (DDoS) attacks in IoT environments because of the lack of strong security monitoring and protection techniques. Hence, it becomes essential to provide some strong security mechanism to detect and defend against such threatening attacks in IoT (especially in IoMT) [9]-[11].
The main motivation behind this survey work is as follows. These days IoT devices (i.e., smart home appliances and smart healthcare devices) have become an integral part of our day-to-day life, as they facilitate and support our activities. As we know, a user of an IoT device accesses the data remotely by using the Internet [3], [12], [13]. Different entities, such as IoT devices, servers and users, communicate through the Internet. However, the IoT/IoMT communication environment has some security and privacy issues. Various types of attacks, such as replay, man-in-the-middle (MITM), impersonation, password guessing and denial of service (DoS) attacks, are possible in this environment. Most of the time, the hackers may use malwares to target the IoT devices in order to get illegal access to these devices and to control them remotely. To spread malware in the IoT environment, the hackers use a network of attacker systems (i.e., a botnet) (for example, Mirai, Reaper, Echobot, Emotet, Gamut and Necurs are very famous these days). These types of botnet attacks are also possible in the IoMT environment and can be used to hijack (control) a smart medical device remotely. This can create life-threatening situations for people (i.e., a smart pacemaker can give a shock to a patient which may become the reason for his/her death). Hence, people working in the IoT security domain come up with new ideas to protect the IoT/IoMT communication environment against these attacks. Therefore, in this work we provide a detailed study of different types of malware programs, active IoT/IoMT malwares and the available solutions for these attacks.
The research contributions of this review work are given below.
• We provide a study on recent malware attacks (i.e., Mirai, Reaper, Echobot, Emotet, Gamut and Necurs) which may happen in the IoT communication environment. Such malware attacks are also possible in the IoMT environment.
• A taxonomy of security schemes in the IoT/IoMT environment is also added, which contains several security protocols, such as key management, user/device authentication, access control and intrusion detection protocols.
• Furthermore, we provide the details of various malware detection schemes in the IoT communication environment. A comparative study providing information about the performance of the existing schemes is also added.
• Some of the future research challenges and directions in this area are also highlighted.
The rest of the paper is organised as follows. Various architectures of the IoT environment along with their applications are provided in Section II. The security requirements in the IoT/IoMT communication environment are highlighted in Section III. Different categories of malware, the symptoms of their existence and their types are discussed in Section IV. The case study of recent malware attacks in the IoT communication environment is provided in Section V. A taxonomy of security schemes in the IoT/IoMT environment is highlighted in Section VI. The details of malware detection schemes in the IoT communication environment along with their comparative study are given in Section VII. Furthermore, future research challenges of malware detection in the IoT/IoMT environment are provided in Section VIII. Finally, the work is concluded in Section IX.

II. OVERVIEW OF IOT COMMUNICATION ENVIRONMENT
In this section, we discuss various architectures of the IoT communication environment (for example, the generic IoT architecture and the fog/edge based IoT architecture). Apart from that, we also discuss some of the applications of the IoT environment.

A. ARCHITECTURES OF IOT COMMUNICATION ENVIRONMENT
In the following, we provide the details of the architectures of the IoT communication environment. These architectures can be drawn on the basis of the organisation and arrangement of the communicating entities.

1) GENERIC IOT ARCHITECTURE
The generic architecture of an IoT communication environment is given in Fig. 1. In this architecture, various scenarios, for example, the scenario of a smart home, the scenario of transportation and the scenario of a community, are provided. These scenarios consist of various smart devices, such as a smart AC controller, a smart TV controller, smart healthcare devices (i.e., a smart pacemaker), and smart vehicles. These smart devices have unique IP addresses, and they can monitor and send data to the servers for further processing using the gateways. Apart from that, this architecture also contains different types of users, such as a doctor who tries to access the data of smart healthcare devices using a smartphone, and a smart home user who tries to access the data of smart home appliances using a smartphone. To communicate in a secure way, a smart device and a user need to establish a session key with the help of a certain number of exchanged messages, which can be computed using some cryptographic operations [1], [3], [14]-[16].

2) FOG BASED IOT ARCHITECTURE
Another widely-used architecture of the IoT communication environment is the fog based IoT environment, in which various servers (i.e., fog servers and cloud servers) are used. The scenario of the fog based IoT architecture is provided in Fig. 2. The entire architecture is divided into three layers: a) the ''cloud layer'' where cloud servers are located, b) the ''fog layer'' where fog servers are deployed and c) the bottom layer, ''end devices and users'', where all smart IoT devices (for example, smart pacemakers, smart vehicles, etc.) and different types of users (i.e., doctor, smart home user, etc.) are located. As we know, the data produced by the smart devices is going to increase day by day. Therefore, the Internet infrastructure is not able to handle it properly. The combination of IoT and cloud computing was proposed to overcome this situation, but it was not sufficient to resolve the security issues. Therefore, Cisco came up with the new idea of ''Fog Computing'' in 2012. Fog computing facilitates the work of cloud servers, and processes and manages the data near to the IoT devices like a proxy, which further reduces the end-to-end delay, saves the bandwidth of the network, and hence improves the performance. In this communication environment, the simple computing work is done by the fog nodes (servers), and the complex and computationally heavy work is done by the cloud servers. In the fog based IoT environment, data analysis is performed near to the IoT devices, which may be considered a real-time scenario of data analysis and is more vulnerable to various attacks and other breaches. Therefore, in such circumstances, the fog nodes confer with the adjacent nodes, and then their combined result is used to find out the attacker systems by analysing the ongoing behaviour [17]-[19]. Furthermore, note that both the ''generic IoT architecture'' in Fig. 1 and the ''fog based IoT architecture'' in Fig. 2 can also be utilized for the IoMT communication environment.

FIGURE 2. Fog based IoT architecture (adapted from [7], [17], [18]).

B. APPLICATIONS OF IOT/IOMT COMMUNICATION ENVIRONMENT
Various applications of the IoT/IoMT communication environment are given below.
• Wearable devices: Health monitoring using wearable devices is one of the hallmark applications of IoMT. Wearable devices such as ''Fit Bits'', ''heart rate monitors'' and smart-watches are very popular these days. There are also other kinds of wearable devices, such as the Guardian glucose monitoring system, which was developed to treat people suffering from diabetes. It monitors the level of glucose in the body of a patient with the help of a tiny electrode called a ''glucose sensor'', which is placed under the skin of the patient. It transmits the collected information through radio frequency to the associated monitoring device [4], [20]-[22].
• Smart home applications: The smart home is also one of the great applications of IoT networks. A smart home is equipped with lighting, heating, cooling and other electronic devices which can be controlled remotely by using a smartphone or computing device. One of the best examples of this kind of application is ''Jarvis'', which is an artificial intelligence (AI) based smart home automation system [3], [4], [15].
• Healthcare IoT applications: Reactive medical-based systems can be converted into proactive wellness-based systems with the help of IoT. In such a system, certain smart healthcare devices monitor and send the health data to the nearby node (i.e., a cloud server). If a user (i.e., a doctor or a relative of a patient) is interested in real-time access, it can also be performed with the help of the IoT environment. Thus, IoT facilitates the access, processing and analysis of valuable health data in real time [14], [20], [22].
• Smart cities: These days most of the governments in many countries are working to convert their cities into smart cities. A smart city consists of components such as smart housing facilities, smart traffic management, and many more. Each smart city has its own problems. For example, the problems that we have in Hong Kong are much different from those in New York. Different cities have different issues (for example, a limited amount of clean drinking water, increasing urban density and a declining air quality index) that occur with different intensities in various cities. Therefore, these factors affect each city in a different way. Hence, the concerned organizations can use the IoT environment for the analysis of these complex factors of township planning according to a specific city. The use of IoT applications can help in different challenging areas, such as drinking water management, waste water control, other waste control, housing planning, and other types of emergencies [23]-[26].
• Smart agriculture: The world population is going to increase day by day and will reach around 10 billion in 2050. Therefore, in 2050 it will be very difficult to provide sufficient food to everybody. Hence, we need to improve our agricultural methods. We can utilize new technologies such as the ''Smart Greenhouse''. The greenhouse farming method improves the yield of the crops by controlling the environmental parameters which can harm the crops. Manual handling results in production loss and energy loss, and high labour cost further makes the entire process less effective. The greenhouse method utilizes smart embedded devices which make monitoring easy and help us to control the environmental factors (i.e., temperature, humidity level, heat, etc.) inside the crop area [27]-[30].
• Industrial Internet of Things: The industrial Internet of Things (IIoT) is the combination of connected machines and devices in industries (for example, electricity production, coal mining, oil, gas, packaging and many more). In such an environment, unplanned downtime and system failures can cause human casualties. A system embedded with IoT aims to include smart devices, such as devices for monitoring the level of hazardous gases in a coal mining plant. These devices raise the alarm in case of any emergency situation, which further helps to save the lives of the people working inside the plant [31], [32].
• Smart retail: Retailers have started using IoT based solutions to make their job easier. The embedded IoT devices are used to improve the performance of overall production, which further helps to increase purchases, reduce theft events, enable inventory management and improve the overall consumer shopping experience [33]-[35].
• Smart supply chain: The deployment of IoT devices helps in the effective management of supply chains. It provides effective support for solving complex problems such as the tracking of goods while they are on the road or in transit. It also helps the supplier to exchange inventory information among the intended entities. The factory equipment in the IoT enabled system contains embedded sensors which can transfer information according to the parameters (for example, pressure, temperature, level of heat and utilization of the machinery). The deployed IoT system can also process the work flow and change the equipment settings to optimize the overall performance of production and delivery [36]-[38].

III. SECURITY REQUIREMENTS IN IOT/IOMT COMMUNICATION ENVIRONMENT
In this section, we discuss different security requirements in the IoT/IoMT communication environment, including the general security requirements as required by other networks (i.e., smart grid and wireless sensor networks) [39]-[41]:
• Authentication: An authentication mechanism validates the identity of the communicating parties (identity authentication) or the messages during the communication (message authentication). Before starting the secure communication, both sender and receiver mutually verify their identities. An IoT communication environment involves different entities such as smart devices (i.e., IoT devices), different servers (i.e., cloud/fog servers), different users (i.e., mobile/static users), cloud service providers and gateways, which require authentication among each other depending on the IoT application.
• Integrity: Integrity refers to a method of ensuring that data is real and accurate. It means that the content of the received message does not contain false insertions, unauthorised deletions or modifications made during communication. We need to safeguard the data against any kind of unauthorized modification.
• Confidentiality: Confidentiality assures the protection of information from being accessed by unauthorized parties. Sometimes, it is also called ''privacy'', which assures that the exchanged messages in the channel are protected against any kind of information disclosure attack.
• Non-repudiation: Non-repudiation assures that someone cannot deny the validity of something (i.e., a message). It is a widely used ''information security service'' which provides proof of the origin of a message and of the integrity of the data in that message. It makes it very difficult to successfully deny who or where a message came from, as well as the authenticity of that message. A digital signature mechanism offers non-repudiation (for example, in the case of online transactions, it is decisive to ensure that a party to a contract (or a communication) cannot deny the authenticity of his/her signature on a document). Non-repudiation can be further divided into the following two categories:
  - Non-repudiation of origin: It assures the genuineness of the sender, that is, the message was transmitted by the original party.
  - Non-repudiation of destination: It assures the genuineness of the receiver, that is, the message was received by the original party.
• Authorization: It is another security mechanism which is used to determine a user's or device's privileges (access levels) for system resources (for example, files, services, and other data applications). It is normally preceded by an authentication mechanism for the identity verification of the user or device. The access rules are typically set by an authority (i.e., the system administrator) and cover all the system and user resources.
• Freshness: It assures the freshness of information, so that previously exchanged messages cannot be re-transmitted by an unauthorised party and accepted as new.
• Availability: The availability property assures that the information is only accessible to the authorized parties. If an attacker is not able to compromise the confidentiality and the integrity of the ongoing communication, he/she may try to launch other types of attacks (for example, a denial-of-service against a web server to make the website unavailable to the legitimate users).
• Forward secrecy: If a device (i.e., a smart IoT device) leaves an IoT communication environment, it must no longer have access to the future messages.
• Backward secrecy: When a new device (i.e., a smart IoT device) is deployed in an IoT communication environment, it must not have any access to the messages which were already exchanged in the past.
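The authentication, integrity and freshness requirements above are enforced together on every received message in practice. The following Python example is added here to illustrate that check; it is not code from the paper or from any of the surveyed schemes. It assumes a symmetric key already shared between a hypothetical glucose monitor (''glucose-01'') and a gateway (the key value and device ids are constructed for the example), uses HMAC-SHA256 as the message authentication code, and uses a strictly increasing sequence number as the freshness parameter. The receiver rejects a message whose sender is unknown (authentication), whose tag does not verify (integrity), or whose sequence number was already accepted (a replay).

```python
import hashlib
import hmac
import struct

# Constructed example key for the hypothetical device "glucose-01".
# In a deployment this key comes from a key management procedure, never a constant.
SHARED_KEY = bytes.fromhex(
    "2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c"
)


def _tag(key: bytes, sender: bytes, seq: int, payload: bytes) -> bytes:
    """HMAC-SHA256 over sender id, sequence number and payload.

    Binding all three fields together means none of them can be swapped
    independently without invalidating the tag (message authentication and integrity).
    """
    return hmac.new(key, sender + struct.pack(">Q", seq) + payload, hashlib.sha256).digest()


def build_message(key: bytes, sender: bytes, seq: int, payload: bytes) -> dict:
    """Sender side: attach a strictly increasing sequence number and a tag."""
    return {"sender": sender, "seq": seq, "payload": payload,
            "tag": _tag(key, sender, seq, payload)}


class Receiver:
    """Receiver side (e.g. a gateway or server) enforcing the three properties."""

    def __init__(self, keys: dict):
        self.keys = keys        # sender id -> shared key (authentication material)
        self.last_seq = {}      # sender id -> highest sequence number accepted so far

    def verify(self, msg: dict) -> str:
        key = self.keys.get(msg["sender"])
        if key is None:
            return "rejected: unknown sender"          # authentication: no key for this identity
        expected = _tag(key, msg["sender"], msg["seq"], msg["payload"])
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: bad tag"                 # integrity/authentication: tampered or forged
        if msg["seq"] <= self.last_seq.get(msg["sender"], -1):
            return "rejected: stale sequence"          # freshness: a replayed or reordered message
        self.last_seq[msg["sender"]] = msg["seq"]
        return "accepted"


def demo() -> tuple:
    """Run the receiver over constructed traffic and return each verdict in order."""
    rx = Receiver({b"glucose-01": SHARED_KEY})
    genuine = build_message(SHARED_KEY, b"glucose-01", 1, b"glucose=5.6 mmol/L")
    verdict_genuine = rx.verify(genuine)
    verdict_replay = rx.verify(genuine)                        # same message delivered twice
    tampered = dict(genuine, payload=b"glucose=1.0 mmol/L")    # payload altered in transit
    verdict_tampered = rx.verify(tampered)
    wrong_key = build_message(b"\x00" * 32, b"glucose-01", 2, b"glucose=5.6 mmol/L")
    verdict_wrong_key = rx.verify(wrong_key)                   # known id, but not its key
    unknown = build_message(SHARED_KEY, b"pump-07", 1, b"status=ok")
    verdict_unknown = rx.verify(unknown)                       # identity never provisioned
    return (verdict_genuine, verdict_replay, verdict_tampered, verdict_wrong_key, verdict_unknown)


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The tag is checked before the sequence number so that an attacker cannot advance the receiver's counter (and thereby block genuine traffic) by sending unauthenticated messages with large sequence numbers; `hmac.compare_digest` avoids leaking tag bytes through timing.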

IV. DIFFERENT CATEGORIES OF MALWARE
Malware (short for ''malicious software'') is a code or program file that is typically delivered over a network. It steals, infects or conducts other malicious operations that an attacker wants to perform. As per their functional features, malware can be divided into different categories. Usually, they work to achieve the following objectives [42]-[47]:
• It provides remote control of an infected system to the attacker.
• It sends other malware from the infected system to other targeted systems.
• It investigates the local network of the infected user's system to launch further malware attacks.
• It is used to steal sensitive data (i.e., credit card information) from an infected system (i.e., an IoT device or an Android phone).

A. SYMPTOMS OF MALWARE
The symptoms of the existence of a malware program are as follows [44], [48]-[51]:
• We may get the appearance of strange programs, icons or files on the home screen of the devices.
• Programs run without permission and out of control, re-configuring themselves. Sometimes malware reconfigures or turns off the anti-virus or the deployed firewall(s).
• We may observe strange system behaviours (for example, emails or messages being sent automatically and without the user's knowledge).
• In the case of IoMT, we may also observe the malfunctioning of smart medical devices (for example, unwanted secretion of insulin from an implanted blood glucose monitoring system).

B. MALWARE TYPES
Different varieties of malware are possible, which are described below [42]-[45].
• Spyware: It is a type of malware which works by spying on user activity without their consent. Malicious activities like collecting keystrokes, activity monitoring and harvesting of data (i.e., account credentials, financial data such as credit card numbers) are possible in the network. It may also modify the security settings of the software. It exploits software vulnerabilities and attaches itself to some normal program.
• Keylogger: It is a malicious piece of code which is used by a hacker to track the keystrokes of the users. Everything that a user types through the keyboard (for example, their login information, ID and passwords) is recorded. A keylogger attack is more powerful than a brute force or dictionary attack. This malicious program first tries to get into a user's device by tricking them into downloading it, for example by clicking on a link in an email. It is one of the most dangerous malwares, as a strong password does not provide much protection against it. Therefore, it is suggested to use multi-factor authentication (MFA) (i.e., a combination of username, password, smart card as well as biometric data).
• Trojan Horse: This malware masquerades as a normal program to trick users into downloading and installing it. It helps the hacker to get unauthorized remote access to an infected system. Once the hacker gets access to the infected system, he/she can steal sensitive data (for instance, financial data such as account numbers and credit card numbers). It can further install other malicious programs in the system to perform other malicious activities.
• Virus: This malicious program is capable of copying itself and spreading to other systems. It spreads to other systems by attaching itself to different programs and then executing its code when a user starts one of these infected programs. It can be used to steal information, harm the host system and build botnets.
• Worm: It spreads over a network by finding out weaknesses in the operating system. It causes harm to its host networks through bandwidth consumption and overloading of web servers. It may contain a payload to damage a host system. Hackers commonly use worms to steal sensitive data, delete files or create a botnet. Worms are self-replicating in nature and spread independently, whereas viruses need some human involvement to spread (for example, execution of a malicious program or opening of an infected file). Worms also spread through emails which contain infected attachments.
• Adware: It is also called an advertising-supported program (software). It automatically delivers advertisements as per its functionality. One common example of adware is the pop-up advertisement on websites.
• Ransomware: It is a different kind of malware which essentially holds a machine (i.e., an IoT device) hostage and asks its owner to pay some money (ransom). It restricts user access to the machine (i.e., an Android phone) by encrypting the files on the hard drive or by locking the system. It then displays messages to force the user to pay the ransom to the owner of the malware. After that, the ransomware's owner provides the key to decrypt the encrypted files on the hard drive. It typically spreads through downloaded files or through other vulnerabilities in the system or networking software.
• Rootkit: It is one of the most malignant kinds of malware. Hackers can use a rootkit to remotely access (control) a machine (i.e., an IoT device) without being detected by its user or the deployed security appliances. Once it is successfully installed in the system, the hacker can remotely execute files, steal sensitive data, modify system configurations and alter the functionality of the security software. Its detection and prevention are very difficult because of its stealthy character. A rootkit always tries to hide its presence, and then the security appliances are not that effective for its detection and removal. Therefore, its detection depends on manual methods (for example, observing the behaviour of the machine (behaviour based detection), signature scanning and static analysis). We should always try to patch the existing vulnerabilities in the operating system of the machines (i.e., IoT devices).
The details of the various types of malware attacks in the IoT/IoMT communication environment are also provided in Fig. 3. In this figure, we highlight different types of IoT malware: spyware, which can attack the confidentiality, integrity and authenticity of the data or system resources, and keyloggers, which can likewise attack the confidentiality, integrity and authenticity of the data or system resources. Moreover, a trojan horse can attack the confidentiality and availability of the data or the system resources, whereas a virus can attack the integrity and availability of the data or system resources. Furthermore, a worm can attack the availability of the data or system resources, and ransomware can attack the availability of the data or system resources. However, the rootkit seems the most malignant one, as it may attack the confidentiality, integrity, authenticity and availability of the data or system resources [44], [48]-[51]. The summary of these malware attacks is also provided in Table 2.

V. CASE STUDY: RECENT MALWARE ATTACKS IN IOT COMMUNICATION ENVIRONMENT
Some of the active botnets which can launch various malware attacks in IoT environment are discussed below.

A. MIRAI
Attacks by the Mirai botnet are still going on. Mirai is a kind of malware which hands control of Linux operating system based network devices to remote bots. These devices can then be used as part of a botnet to perform other malicious attacks with a broader coverage. It primarily targets smart IoT devices, such as Internet-connected consumer devices (for example, IP cameras and other smart home appliances). According to the report of Fortinet, Mirai was one of the most active botnets in 2018. Furthermore, Mirai botnets came up with some extended features and were able to turn the infected IoT devices into ''swarms of malware proxies''. Based on the report of Fortinet, Mirai targeted devices for both known and unknown vulnerabilities. Cryptomining shows up as a significant change in the botnet world. A hacker can use the hardware as well as the electricity of a victim's system to earn cryptocurrencies by using this malware. These malicious minds are experimenting with how to use IoT botnets to make money [52]-[56].

B. REAPER
Reaper is also called IoTroop. In the fall of 2017, information security researchers discovered a new botnet (IoTroop) with improved functional features. It can compromise smart IoT devices very quickly as compared to the Mirai botnet. It has other severe effects, as it can bring down an entire infrastructure very quickly. Mirai infects the smart IoT devices which use default usernames and passwords. However, Reaper is more severe, as it targets nine different vulnerabilities in the devices of different makers, such as D-Link, Netgear and Linksys. Using this botnet, the attacker could also change the malware code to make it more devastating. As per the information provided by ''Recorded Future'', it was also used to attack some EU banks (for example, ABN Amro) [56]-[58].

C. ECHOBOT
It was discovered at the beginning of the year 2019. It is a variation of Mirai which uses twenty-six malicious scripts to spread itself. Similar to other botnets, it takes advantage of unpatched smart IoT devices and then uses these vulnerabilities to harm other applications of the enterprise (for example, Oracle WebLogic). It was discovered by ''Palo Alto Networks'', and was designed to create a larger botnet to execute more devastating DDoS attacks [56], [59].

D. OTHER POTENTIAL ATTACKS
Emotet, Gamut and Necurs are other existing botnets which are used to launch malware attacks in the IoT communication environment. The motive behind these botnets is to discharge spam in enormous amounts to deliver the required payload. They are also used to get victims to perform some other malicious tasks.
Emotet: It is used for stealing emails from the mailboxes of the target. It can allow the attackers to craft malicious messages to fool the recipients. Hackers can also launch this attack to steal SMTP credentials, which help them take control over the email accounts of the target.
Gamut: It is also specialized in spam emails, and it first tries to establish a relationship with the target machine (victim). It can perform this through dating or some other kind of job offer.
Necurs: This is used to launch ransomware attacks and also some other forms of digital extortion. As per the report of Cisco, it is still in operation and can launch devastating attacks [56], [60].
The summary of malware attacks is provided in Table 3. Furthermore, it is noted that the malware attacks discussed in Section V are also possible in the IoMT environment.

VI. TAXONOMY OF SECURITY PROTOCOLS IN IOT ENVIRONMENT
In this section, we provide the details of the security protocols used in the IoT communication environment which provide security to the exchanged data as well as to the stored data. A taxonomy of security protocols in the IoT communication environment is given in Fig. 4. These security protocols are also applicable to providing security in IoMT.

A. KEY MANAGEMENT
A key management protocol deals with the management, distribution and establishment of cryptographic keys among communicating entities of IoT/IoMT environment.The entire procedure is divided into several phases such as key generation, key exchange, key usage and key revocation as per the requirement.The key management mechanism uses a ''cryptographic procedure'' which provides the details of the key servers (i.e., trusted entity of the system), different types of users (i.e., mobile or static) and different devices (i.e., IoT devices).We should have a robust key management procedure to perform a secure communication [17], [62]- [65].
Most of the time, a key management scheme contains the following phases:
• Pre-deployment phase: In this phase, a trusted party, also called the trusted authority (TA), defines various parameters for the different network entities. It also registers the communicating entities; in an IoT environment this may include the registration of IoT devices, various types of users and other involved parties and devices. After the registration, the generated and registered data is stored in the memories of the devices, and the devices are then deployed at different locations in the network.
• Key generation and distribution: In this phase, the trusted party of the network (TA) generates the different cryptographic keys (i.e., secret keys) for the various network entities. It can be further divided as per ''symmetric key cryptography'' and ''public key cryptography'' mechanisms. In a ''symmetric key cryptography'' technique, the entities that are going to start the communication must share a secret key which they exchange in advance. After the successful key exchange, they can start the secure communication. Most of the time, neighbor devices use their pre-loaded secrets (i.e., credentials) to establish secret pairwise keys among themselves, as suggested in several key pre-distribution schemes [66]-[79]. In a ''public key cryptography'' technique, the distribution of public keys is done by a trusted authority, also called a public key server. In this mechanism, a communicating party generates a pair of keys, keeps one key private and announces the other key publicly. Most of the time, the TA generates the public/private key pair for a particular entity, stores the private key in the memory of that device and announces the other key publicly, so that the communicating parties can use it to communicate securely.
• Key establishment phase: After the successful registration and deployment of the various network entities (i.e., IoT devices), the entities can start the key establishment process. For this purpose, the devices first compute some parameters and then exchange these parameters with the other parties through message exchange. After receiving these messages, a communicating party computes the secret key (i.e., session key), hides it inside another message and sends it to the other party. After receiving these messages, the other party also computes the secret key (i.e., session key) using the received parameters and verifies it with the help of the received messages. After successful mutual agreement, both parties use this key to secure their future communication [17].
• Key revocation and dynamic device addition phase: In a hostile (i.e., unattended) environment, for example a war zone, it is quite common that some network devices (for example, IoT sensors) are physically captured by an enemy (physical adversary). After this malicious event, the adversary can extract the secrets, for example the private key stored in that device, with the help of power analysis attacks [80]. Under these circumstances, the TA has to deploy new devices in the deployment area. To perform this task, the TA again generates a new pair of keys (public and private), stores the required parameters in the memory of the new device and installs it in the network. The TA also announces the dynamic device addition to the other parties of the network, so that they can start secure communication with the newly installed device [81].
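The phases above, carried through as an added example that is not code from the paper or from any of the surveyed schemes: the TA pre-loads each device with a pairwise secret per peer (the symmetric key pre-distribution case), two devices then run a nonce exchange with key confirmation to establish a session key, and revocation strikes a captured device off so that neither existing peers nor later-added devices will talk to it. The class and function names (TrustedAuthority, Device, kdf, establish) are illustrative choices, and the TA's writes into already-deployed devices stand in for its secure announcement channel.

```python
"""Key pre-distribution, key establishment with key confirmation, and
revocation/dynamic device addition with only the standard library.
Added example, not code from any surveyed scheme; all names are illustrative."""
import hashlib
import hmac
import secrets


def kdf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 derivation; the label separates pairwise, session and
    confirmation keys, and each part is length-prefixed."""
    mac = hmac.new(key, label, hashlib.sha256)
    for p in parts:
        mac.update(len(p).to_bytes(2, "big") + p)
    return mac.digest()


class Device:
    def __init__(self, dev_id: str):
        self.id = dev_id
        self.preloaded = {}   # peer id -> pairwise secret installed by the TA
        self.sessions = {}    # peer id -> established session key
        self._nonce = None
        self._pending = None

    def start(self) -> bytes:
        """Message 1 (initiator): a fresh nonce."""
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def respond(self, peer: str, n_init: bytes):
        """Message 2 (responder): own nonce plus a key-confirmation MAC."""
        if peer not in self.preloaded:
            raise KeyError("unknown or revoked peer: " + peer)
        n_resp = secrets.token_bytes(16)
        sk = kdf(self.preloaded[peer], b"session", n_init, n_resp)
        self._pending = (peer, sk)
        return n_resp, kdf(sk, b"confirm", peer.encode(), self.id.encode())

    def finish(self, peer: str, n_resp: bytes, conf: bytes) -> bytes:
        """Message 3 (initiator): check the responder's proof, confirm back."""
        if peer not in self.preloaded:
            raise KeyError("unknown or revoked peer: " + peer)
        sk = kdf(self.preloaded[peer], b"session", self._nonce, n_resp)
        expected = kdf(sk, b"confirm", self.id.encode(), peer.encode())
        if not hmac.compare_digest(expected, conf):
            raise ValueError("key confirmation from " + peer + " failed")
        self.sessions[peer] = sk
        return kdf(sk, b"confirm", peer.encode(), self.id.encode())

    def complete(self, conf: bytes) -> None:
        """Responder verifies the initiator's proof before using the key."""
        peer, sk = self._pending
        expected = kdf(sk, b"confirm", self.id.encode(), peer.encode())
        if not hmac.compare_digest(expected, conf):
            raise ValueError("key confirmation from " + peer + " failed")
        self.sessions[peer] = sk


class TrustedAuthority:
    """Pre-deployment registration, key pre-distribution and revocation."""
    def __init__(self):
        self.master = secrets.token_bytes(32)   # never leaves the TA
        self.deployed = {}                      # dev id -> Device

    def pairwise_key(self, a: str, b: str) -> bytes:
        lo, hi = sorted((a, b))                 # same key for (a,b) and (b,a)
        return kdf(self.master, b"pairwise", lo.encode(), hi.encode())

    def register(self, dev_id: str) -> Device:
        """Registers a device and pre-loads one secret per deployed peer; the
        peers get theirs over the TA's secure channel (modelled as a direct
        write). Revoked devices are absent, so this also covers dynamic addition."""
        dev = Device(dev_id)
        for other in self.deployed.values():
            k = self.pairwise_key(dev_id, other.id)
            dev.preloaded[other.id] = k
            other.preloaded[dev_id] = k
        self.deployed[dev_id] = dev
        return dev

    def revoke(self, dev_id: str) -> None:
        """A captured device is struck off and its peers drop its secrets."""
        self.deployed.pop(dev_id, None)
        for dev in self.deployed.values():
            dev.preloaded.pop(dev_id, None)
            dev.sessions.pop(dev_id, None)


def establish(a: Device, b: Device) -> bool:
    """Runs the three-message exchange; True if both ends hold the same key."""
    n1 = a.start()
    n2, conf_b = b.respond(a.id, n1)
    conf_a = a.finish(b.id, n2, conf_b)
    b.complete(conf_a)
    return a.sessions[b.id] == b.sessions[a.id]
```

The two confirmation MACs bind the identities in opposite order, so one side's proof cannot simply be reflected back; and because a revoked device keeps its old secrets, revocation only works if the TA's announcement actually reaches the peers, which is why `revoke` touches every deployed device rather than just the TA's own list.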

B. USER AUTHENTICATION/DEVICE AUTHENTICATION
User authentication is the process of identification and verification of the identities of the communicating parties. Most of the time, the communicating parties (i.e., a user and a smart medical device) verify each other's identities. This process is also called mutual authentication.
In a user or device authentication mechanism, one communicating entity (i.e., a device or user) verifies the identity of the other communicating entity (user or device). After successful mutual authentication, the communicating parties establish a session key for their future communication. Device authentication is performed in a similar way. For simplicity, we provide the details of the user authentication procedure here. A user authentication protocol for the IoT environment exhibits the following phases [3], [31], [81]-[87]:
• System setup and pre-deployment phases: In these phases, the TA selects some system parameters and also registers the different devices (i.e., IoT devices, gateway, cloud server) in offline mode. After successful registration, the devices are deployed in the targeted area [14].
• User registration phase: In this phase, a user registers himself/herself in a secure way. The user can then access real-time information from a desired device (i.e., a smart medical device). To perform the registration, the user first chooses his/her credentials (identity, password and biometric information), and then sends this information to the trusted entity, i.e., the TA, using a secure channel (for example, in person or through some other secure channel). After completing these steps successfully, the TA hands over a smart card or some other device (i.e., a mobile device) to the legitimate registered user in a secure way, after storing the required data in the memory of the device [3], [81], [88].
• Login phase: In this phase, a registered user provides his/her credentials and biometrics to a specific device or to a mobile device (i.e., smartphone). The device then verifies the authenticity of the user. If he/she is a valid user, the device computes a login request message and sends it to the next communicating party (for example, a gateway) through the insecure channel.
• Authentication and key agreement phase: After receiving the login request message from the other entity (i.e., the user), the receiving entity performs the remaining steps as follows. It first verifies the authenticity of the message. If this succeeds, it computes an authentication reply message containing the generated session key, and sends it back to the previous party through the insecure channel. After receiving this message, that party computes the session key with the help of the secrets (for example, the short-term and long-term secrets) which are known and available to it. After successful mutual authentication between the user and the receiver (for example, a smart medical device), the parties establish a session key (secret) to secure their future communication.
• Password and biometric update phase: It is always good to add more security and functionality features to a user authentication scheme. Therefore, in a secure and user-friendly user authentication scheme, it is recommended to provide a password and biometric update procedure. By performing the steps of this procedure, the original user can change his/her password and biometric information using his/her device (i.e., smart card) with or without communicating with the TA. To reduce the communication and computational overheads, it is desirable to execute this phase locally without involving the TA.
• Dynamic device addition phase: Sometimes devices (for example, smart medical devices) fail or are physically stolen by an adversary because of the lack of physical security. In these circumstances, it is necessary to deploy a new device in place of that device. To do this, the TA computes new credentials for the new device and stores them in its memory. The device is then installed in the required area. However, the TA has to inform the other parties of the network (for example, users) who want to access real-time data from the added device about this addition.
These days, two-factor and three-factor user authentication schemes are commonly used. These schemes provide security as per the available factors. The three factors are the user's credentials (username and password), the user's smart card and the user's biometric data (i.e., fingerprints).
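A three-factor version of the registration, login, authentication and key agreement, and password/biometric update phases, as an added example rather than any scheme from the literature: the TA masks a per-user long-term secret under a key derived from password and biometric and writes it to the smart card; the card verifies the factors locally before emitting a login request; the gateway checks the request, derives the session key and proves its own identity; and the update phase re-masks the secret on the card alone, without the TA. Assumed, and not from the page: the biometric arrives as a stable byte string `bio` (the output of a fuzzy extractor, which is out of scope here), and the gateway learns user secrets from the TA during system setup, modelled by the `lookup` callback.

```python
"""Three-factor user authentication with local login, gateway challenge-
response and a TA-free password/biometric update.  Added example, not from a
cited scheme; `bio` stands for a fuzzy-extractor output (assumed stable)."""
import hashlib
import hmac
import secrets


def h(key: bytes, *parts: bytes) -> bytes:
    """Keyed SHA-256 over length-prefixed parts (used as MAC and KDF)."""
    mac = hmac.new(key, b"", hashlib.sha256)
    for p in parts:
        mac.update(len(p).to_bytes(2, "big") + p)
    return mac.digest()


def factor_key(password: str, bio: bytes, salt: bytes) -> bytes:
    """Binds the password and biometric factors; PBKDF2 slows offline
    guessing against a stolen card."""
    return hashlib.pbkdf2_hmac("sha256", password.encode() + bio, salt, 50_000)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SmartCard:
    """Third factor: holds the user's long-term secret masked under the
    password+biometric key, plus a verifier for the login phase."""
    def __init__(self, uid: str, salt: bytes, masked: bytes, verifier: bytes):
        self.uid, self.salt, self.masked, self.verifier = uid, salt, masked, verifier
        self._state = None

    def _unlock(self, password: str, bio: bytes) -> bytes:
        k = factor_key(password, bio, self.salt)
        if not hmac.compare_digest(h(k, b"verify", self.uid.encode()), self.verifier):
            raise ValueError("login failed: wrong password or biometric")
        return xor(self.masked, k)          # the user's long-term secret

    def login_request(self, password: str, bio: bytes, gateway_id: str):
        """Login phase: verify the factors locally, then build the request."""
        secret = self._unlock(password, bio)
        n_u = secrets.token_bytes(16)
        tag = h(secret, b"login", self.uid.encode(), gateway_id.encode(), n_u)
        self._state = (secret, gateway_id, n_u)
        return self.uid, n_u, tag

    def finish(self, n_g: bytes, tag_g: bytes) -> bytes:
        """Checks the gateway's reply and returns the agreed session key."""
        secret, gateway_id, n_u = self._state
        sk = h(secret, b"session", n_u, n_g)
        if not hmac.compare_digest(h(sk, b"gw-confirm", gateway_id.encode()), tag_g):
            raise ValueError("gateway authentication failed")
        return sk

    def update_credentials(self, password, bio, new_password, new_bio) -> None:
        """Password and biometric update phase, performed on the card alone."""
        secret = self._unlock(password, bio)
        self.salt = secrets.token_bytes(16)
        k = factor_key(new_password, new_bio, self.salt)
        self.masked = xor(secret, k)
        self.verifier = h(k, b"verify", self.uid.encode())


class TrustedAuthority:
    def __init__(self):
        self.master = secrets.token_bytes(32)

    def user_secret(self, uid: str) -> bytes:
        return h(self.master, b"user", uid.encode())

    def register(self, uid: str, password: str, bio: bytes) -> SmartCard:
        """User registration phase (over a secure channel)."""
        salt = secrets.token_bytes(16)
        k = factor_key(password, bio, salt)
        return SmartCard(uid, salt, xor(self.user_secret(uid), k),
                         h(k, b"verify", uid.encode()))


class Gateway:
    """Assumption: the TA shares each user's long-term secret with the
    gateway at system setup, modelled by the `lookup` callback."""
    def __init__(self, gid: str, lookup):
        self.id, self.lookup = gid, lookup

    def authenticate(self, uid: str, n_u: bytes, tag: bytes):
        """Authentication and key agreement phase on the gateway side."""
        secret = self.lookup(uid)
        expected = h(secret, b"login", uid.encode(), self.id.encode(), n_u)
        if not hmac.compare_digest(expected, tag):
            raise ValueError("login request rejected")
        n_g = secrets.token_bytes(16)
        sk = h(secret, b"session", n_u, n_g)
        return sk, n_g, h(sk, b"gw-confirm", self.id.encode())
```

Because the card stores only a masked secret and a verifier, a stolen card on its own yields neither the long-term secret nor the password, and the update phase changes the mask and salt without the gateway or TA having to learn anything, which is exactly the locality the text recommends.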

C. ACCESS CONTROL/USER ACCESS CONTROL
Access control is a process which limits the access of users/devices to the resources of the system or network. In this mechanism, the user/device is granted access and privileges to the different available resources. To improve the lifetime of the IoT/IoMT communication environment, new devices (i.e., smart devices) need to be added to the network. This happens when devices stop working due to battery depletion or physical capture [80]. Moreover, an adversary can install his/her malicious devices in the network [89], [90]. Hence, it becomes essential to differentiate between an original device and a malicious device. Therefore, secure access control schemes need to be designed to stop the entry of malicious devices into the IoT/IoMT environment [91]-[94].
The following steps need to be performed in an access control scheme:
• Node authentication: When a device/node (for example, a smart medical device) is newly installed in the IoT/IoMT communication environment, it must authenticate itself to its neighbor devices. This provides assurance that it is an original device which is allowed to access information from its neighbor devices.
• Key establishment: When a device/node (for example, a smart medical device) is newly installed in the IoT/IoMT communication environment, it should be able to establish shared secret keys with its neighbor devices to secure future communication. This can be done properly only if the device authenticates successfully with its neighbor devices.
As per the authentication procedure, access control schemes can be divided into two categories:
• Certificate-based access control: In a ''certificate-based access control scheme'', a digital certificate (for example, an X.509 certificate [95]) may be stored in each deployed device by the TA. Then, the pre-loaded certificate is used to prove a node's identity to its neighbor nodes.
• Certificate-less access control: In a ''certificate-less access control scheme'', most of the time a hash-chain based process is followed.
Moreover, to provide access rights only to legitimate users for the various services, information and resources available in the IoT/IoMT environment, user access control schemes are also needed.
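The certificate-less, hash-chain based node authentication just mentioned, as an added illustration that is not a particular scheme from the cited works: the TA pre-loads the new node with a chain seed, neighbors are given the chain anchor (the seed hashed `length` times), and each authentication round releases the next preimage, which a neighbor accepts only if hashing it reaches the last accepted value. The names (NewNode, Neighbor, learn_anchor) and the tolerance window for lost tokens are assumptions of this example.

```python
"""Certificate-less node authentication with a one-way hash chain.  Added
example, not a scheme from the literature; the TA's delivery of the anchor
to neighbors is modelled as a direct call (learn_anchor)."""
import hashlib
import secrets


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


class NewNode:
    """Holds the chain and releases it from the end back towards the seed."""
    def __init__(self, node_id: str, length: int):
        self.id = node_id
        chain = [secrets.token_bytes(32)]      # seed, pre-loaded by the TA
        for _ in range(length):
            chain.append(H(chain[-1]))
        self.anchor = chain[-1]                # public commitment H^length(seed)
        self._remaining = chain[:-1]           # secret preimages, last one first

    def next_token(self) -> bytes:
        """One authentication token; each value is usable once only."""
        if not self._remaining:
            raise RuntimeError("hash chain exhausted; re-register with the TA")
        return self._remaining.pop()


class Neighbor:
    """Keeps the last accepted value per node; `window` bounds how many
    lost tokens are tolerated before a node must re-register."""
    def __init__(self, window: int = 3):
        self.window = window
        self.last = {}                         # node id -> last accepted value

    def learn_anchor(self, node_id: str, anchor: bytes) -> None:
        self.last[node_id] = anchor

    def authenticate(self, node_id: str, token: bytes) -> bool:
        """True iff hashing the token at most `window` times reaches the
        last accepted value.  A replayed token sits behind that value and a
        forged one never reaches it, so both are rejected."""
        if node_id not in self.last:
            return False
        value = token
        for _ in range(self.window):
            value = H(value)
            if value == self.last[node_id]:
                self.last[node_id] = token     # advance; older tokens go stale
                return True
        return False
```

The chain gives origin authentication without any certificate parsing on the constrained node, but it is not key establishment: once a neighbor has accepted a node's token, the pairwise key still has to be set up by the key establishment step described above.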

D. INTRUSION DETECTION
An Intrusion Detection System (IDS) is used to monitor and analyze malicious activities inside a network or a system. It detects and defends various devices (for example, smart medical devices) from possible attacks. The IDS deployed in an IoT/IoMT environment monitors and verifies all traffic (normal and malicious), and then detects possible signs of malicious activity. If it discovers any malicious activity, the associated component takes the proper action (for example, sends information to the administrators or blocks the malicious source IP address). In an IoT/IoMT environment, there are chances that an adversary may physically capture some of the devices (i.e., IoT devices). The adversary can then try to extract sensitive information from that device through power analysis attacks [80]. After that, the adversary may deploy his/her own malicious devices, with the extracted information stored in them. These malicious devices may have some inbuilt features to launch other devastating attacks, such as routing attacks (for example, blackhole, wormhole, misdirection and sinkhole attacks) [89], [90], [96], [97]. Under the influence of these attacks, the exchanged data packets may be disclosed, modified, dropped or delayed before being forwarded to the destination. This results in severe degradation of the performance of the ongoing communication, for example an increase in ''end-to-end delay'' and a reduction in ''network throughput'' and ''packet delivery ratio'' [89], [97]. Furthermore, the IoT environment can also be attacked through the use of botnets, in which the attacker systems try to install malware (malicious programs) in the memory or the operating system of the IoT devices. This results in malfunctioning of the IoT/IoMT devices. Under the influence of such an attack, the devices may stop working or work in an inappropriate way. Such cases are severe under some particular circumstances (for example, an implanted smart pacemaker can give a shock to a patient, which may cause his/her death). Therefore, it becomes essential to protect the IoT communication environment from intrusion. A deep study of intrusion detection protocols in the IoT environment is thus necessary [9]-[11], [14], [43], [44], [56], [98].
The functioning of an IDS is based on the following [99], [100]:
• It identifies the signs of an intruder.
• It provides information about the location (i.e., suspected IP address) of the intruder.
• It logs the information of ongoing activities.
• It tries to stop the malicious activities, if they are detected.
• It then reports the information of malicious activities to the administrator (i.e., the intrusion behaviour, which is either an active attack or a passive attack).
• It also provides information about the type of intrusion (for example, which type of attack: Mirai or Echobot).
On the basis of the deployment, an IDS can be divided into two classes: a) a ''network based intrusion detection system (NIDS)'', which detects intrusions over a network (i.e., Snort), and b) a ''host based intrusion detection system (HIDS)'', which detects intrusions inside a system (i.e., a malware infection in the operating system of an IoT device). Furthermore, IDS mechanisms can be divided into three categories: a) anomaly based detection, b) misuse based detection, and c) specification based detection [99], [100]. These mechanisms can be briefed as follows.
• Anomaly based detection: This detection mechanism works on the basis of certain statistical behavior methods. It tries to identify two different types of flows (i.e., network traffic flows): normal flow and abnormal flow (flow under attack). If it detects any deviation from the normal behavior, it raises an alarm. It also has a certain drawback, as the normal behavior database has to be updated regularly as the network changes. However, it has some benefits, as it can detect anomalies accurately and consistently with low false negatives and positives. Hence, it is very useful for the detection of unknown attacks. This type of detection mechanism is always very useful for the detection of new kinds of malware in the IoT environment.
• Misuse based detection: This is also called rule based or signature based detection. A signature is something that is closely associated with an anomaly (i.e., a virus), and it is generated when such an anomaly affects the system. The signatures of known attacks are used to detect such attacks in the future. The benefits of this mechanism are that it can detect known anomalies accurately and efficiently along with a low false positive rate. Most of the anti-virus (or anti-malware) products installed in systems come under the category of misuse based detection.
• Specification based detection: In this mechanism, the specifications and constraints that describe the correctness of the detection process need to be defined. After that, the behavior of the system or network is monitored and analyzed against the specifications and constraints. It is also capable of detecting unknown attacks. It utilises the advantages of both anomaly and misuse based detection mechanisms with the help of manually defined specifications and constraints to diagnose abnormal behavior. In its working, this mechanism resembles anomaly based detection, as it detects attacks on the basis of deviation from normal behaviour. At the same time, it works on the basis of a manually defined set of constraints and specifications. It further induces a lower false positive rate as compared to the anomaly based detection mechanism. However, this mechanism has some drawbacks (for example, high time consumption, because the set of specifications and constraints needs to be defined and developed, which takes time). Researchers working in the domain of ''malware detection'' (especially zero-day malware attacks) try to base their methods on specification based detection mechanisms, as these perform detection in an effective and efficient way with fewer false positives and false negatives.
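The three detection categories side by side, as an added example run over constructed flow records (nothing here is a dataset or detector from the paper): a signature rule for a source contacting many hosts on the ports typically probed by IoT botnets, a statistical anomaly rule on each device's outbound bytes per minute against a baseline learnt from its first minutes, and a specification rule that lists the only (destination, port) pairs a medical device is supposed to use. The device names, the `FLOWS` records, the `POLICY` table and the thresholds are all made up for illustration.

```python
"""Signature-, anomaly- and specification-based detection over the same
constructed flow records.  Added example; records, thresholds and the device
policy are invented for illustration and are not from the paper."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (minute, src, dst, dst_port, bytes_out)
FLOWS = [
    (1, "infusion-pump-1", "gateway", 8883, 900),
    (2, "infusion-pump-1", "gateway", 8883, 950),
    (3, "infusion-pump-1", "gateway", 8883, 880),
    (4, "infusion-pump-1", "gateway", 8883, 920),
    (5, "infusion-pump-1", "gateway", 8883, 910),
    (6, "infusion-pump-1", "gateway", 8883, 48000),   # sudden data burst
    (6, "infusion-pump-1", "10.0.0.77", 23, 120),      # telnet to strangers
    (6, "infusion-pump-1", "10.0.0.78", 23, 120),
    (6, "infusion-pump-1", "10.0.0.79", 23, 120),
    (6, "infusion-pump-1", "10.0.0.80", 2323, 120),
    (6, "monitor-2", "gateway", 8883, 700),
    (6, "monitor-2", "gateway", 443, 300),             # not in its spec
]


def signature_alerts(flows, scan_ports=(23, 2323), min_targets=3):
    """Misuse/signature based: one source touching many distinct hosts on
    the ports that known IoT botnets probe (the rule is the signature)."""
    targets = defaultdict(set)
    for _, src, dst, port, _ in flows:
        if port in scan_ports:
            targets[src].add(dst)
    return {src for src, hosts in targets.items() if len(hosts) >= min_targets}


def anomaly_alerts(flows, train_minutes=5, z_threshold=3.0):
    """Anomaly based: per-device bytes/minute baseline from the first
    train_minutes; later minutes far above it raise (src, minute)."""
    per_min = defaultdict(lambda: defaultdict(int))
    for minute, src, _, _, nbytes in flows:
        per_min[src][minute] += nbytes
    alerts = set()
    for src, series in per_min.items():
        train = [b for m, b in series.items() if m <= train_minutes]
        if len(train) < 2:
            continue          # no usable baseline for this device yet
        mu, sigma = mean(train), pstdev(train)
        for minute, b in series.items():
            if minute > train_minutes and sigma > 0 and (b - mu) / sigma > z_threshold:
                alerts.add((src, minute))
    return alerts


# Specification: the only (destination, port) pairs each device may use.
POLICY = {
    "infusion-pump-1": {("gateway", 8883)},
    "monitor-2": {("gateway", 8883)},
}


def specification_alerts(flows, policy=POLICY):
    """Specification based: any flow outside the declared behaviour."""
    return {(src, dst, port) for _, src, dst, port, _ in flows
            if src in policy and (dst, port) not in policy[src]}
```

Note how the three disagree on the same data: the signature rule only sees the scanning, the anomaly rule only sees the byte burst (and stays silent on `monitor-2`, for which it has no baseline), while the specification rule catches both devices' deviations but only because someone wrote the policy table first, which is the effort the text attributes to this category.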

VII. MALWARE DETECTION SCHEMES IN IOT/IOMT COMMUNICATION ENVIRONMENT
In this section, we summarize different malware detection schemes in the IoT/IoMT communication environment. Furthermore, we also provide a comparative study of malware detection schemes which can be utilized for malware detection in the IoT communication environment.

A. EXISTING MALWARE DETECTION SCHEMES IN IOT/IOMT COMMUNICATION ENVIRONMENT
Various schemes of malware detection in the IoT/IoMT environment are discussed below. Kumar et al. [2] proposed a ''blockchain and machine learning based malware detection'' mechanism for IoT devices. The machine learning mechanism automatically extracts the malware information using clustering and classification algorithms and then stores the information in the blockchain. The proposed framework uses the blockchain to store the genuine information of the extracted features in a ''distributed malware database'' to improve the performance of run-time malware detection with high speed and accuracy.
Lei et al. [101] proposed an IoT malware detection technique named ''EveDroid''. It is a scalable and event-aware malware detection mechanism for smart IoT devices that captures the high level semantics of Android applications in the IoT environment. In their mechanism, the authors introduced the concept of function clustering, which automatically transforms application programming interface calls into feature vectors on the basis of semantics. This made the detection system more robust against such malware.
Nguyen et al. [102] proposed a ''graph-based convolutional neural network (CNN)'' mechanism for the detection of IoT botnets, which can launch malware attacks. During their experimentation, it was observed that their proposed method reliably classified benign and IoT malware samples with improved accuracy.
Dinakarrao et al. [103] proposed a ''HaRM malware detector'' which uses a low computational cost machine learning classifier for the best utilization of IoT resources to detect IoT malware. They also achieved a good detection accuracy. The outcomes of the HaRM detector could be utilized to estimate the infection state, which can further be used to control the spread of malware.
Shen et al. [19] proposed a method for malware detection in the fog-cloud-based IoT communication environment. They selected all smart objects which could be deployed with IDS agents (monitoring nodes). The monitoring nodes receive and forward the audit data via the border routers to the corresponding fog node. In their approach, intrusion detection is performed by calling the IDS service provided by a cloud platform.
Su et al. [104] proposed a method for the detection of distributed denial-of-service (DDoS) malware in the IoT environment. They extracted malware images (for example, a one-channel gray-scale image converted from the binary code of the malware) and then used a light-weight ''convolutional neural network (CNN)'' for the classification of their families. Their proposed mechanism achieved around 94.0% accuracy for the classification of goodware.
Further, note that some of the malware detection schemes discussed in this section can also be applied for the detection of IoMT malware. For that purpose, certain amendments to the detection mechanisms are needed.

B. COMPARATIVE STUDY OF MALWARE DETECTION SCHEMES IN IOT/IOMT COMMUNICATION ENVIRONMENT
In this section, we perform a comparative analysis of the performance of various existing IoT/IoMT malware detection schemes. In these schemes, various performance parameters such as precision, recall, accuracy and F1-score are used, which are explained below in Eqs. (1), (2), (3) and (4). All these parameters are computed on the basis of true positives (TP), false positives (FP), true negatives (TN) and false negatives (FN). If a normal program is detected as a normal program by the malware detection scheme, it is called a ''true negative (TN)''; whereas if a normal program is detected as a malicious program, it is called a ''false positive (FP)''. Similarly, if a malicious program is detected as a malicious program, it is called a ''true positive (TP)''; whereas if a malicious program is detected as a normal program, it is called a ''false negative (FN)'' [2], [19], [89], [90], [96], [97], [101]-[104].
• Precision: It is also called the positive predictive value. It is the fraction of correctly identified intrusion cases among all predicted positive cases of intrusion. The formulation of precision is given by
$$\text{Precision} = \frac{TP}{TP + FP}. \quad (1)$$
• Recall: It is also called the true positive rate, detection rate or sensitivity. It is the fraction of correctly identified intrusion cases among all real positive cases of intrusion. This is estimated by the following formula:
$$\text{Recall} = \frac{TP}{TP + FN}. \quad (2)$$
• Accuracy: It is one of the most important parameters, measured as the fraction of all correctly identified cases. Thus, it is important to use it when all the classes are equally important. This is mathematically expressed as follows:
$$\text{Accuracy} = \frac{TP + TN}{TP + FP + TN + FN}. \quad (3)$$
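The four parameters computed from a confusion matrix, as an added example that is not part of the paper's comparison: the counts follow the TP/FP/TN/FN definitions given above, the undefined cases (no positive predictions, or no malicious samples in the evaluation set) are handled instead of raising a division error, and F1 is taken as the standard harmonic mean of precision and recall. The two label vectors are constructed; the second one shows why the text warns that accuracy is only meaningful when the classes are equally important.

```python
"""Precision, recall, accuracy and F1-score from a confusion matrix with the
zero-division cases handled.  Added example, not from the paper; the label
vectors are constructed, and F1 is the standard harmonic-mean definition."""


def confusion(y_true, y_pred):
    """Returns (TP, FP, TN, FN) with 1 = malicious and 0 = normal,
    following the definitions of the four outcomes above."""
    if len(y_true) != len(y_pred) or not y_true:
        raise ValueError("label vectors must be non-empty and of equal length")
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 1)
    fp = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 1)
    tn = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 0)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 0)
    return tp, fp, tn, fn


def metrics(y_true, y_pred):
    """Eqs. (1)-(3) plus F1; undefined ratios are reported as 0.0 rather
    than raising, so a silent detector still yields comparable numbers."""
    tp, fp, tn, fn = confusion(y_true, y_pred)
    precision = tp / (tp + fp) if tp + fp else 0.0   # no positive predictions
    recall = tp / (tp + fn) if tp + fn else 0.0      # no malicious samples
    accuracy = (tp + tn) / (tp + fp + tn + fn)
    f1 = (2 * precision * recall / (precision + recall)
          if precision + recall else 0.0)
    return {"precision": precision, "recall": recall,
            "accuracy": accuracy, "f1": f1}


# Constructed evaluation sets: 1 = malware sample, 0 = normal program.
BALANCED_TRUE = [1, 1, 1, 1, 0, 0, 0, 0, 0, 0]
BALANCED_PRED = [1, 1, 1, 0, 1, 0, 0, 0, 0, 0]

# 98 normal programs, 2 malware samples, and a detector that flags nothing:
# accuracy looks excellent while recall and F1 are zero.
IMBALANCED_TRUE = [0] * 98 + [1, 1]
IMBALANCED_PRED = [0] * 100
```

On the balanced set the detector scores 0.75 on precision, recall and F1 with 0.8 accuracy; on the imbalanced set the do-nothing detector reaches 0.98 accuracy with recall and F1 of 0, which is why Table 4 style comparisons should be read with the class balance of each scheme's dataset in mind.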

VIII. FUTURE RESEARCH CHALLENGES AND DIRECTIONS OF MALWARE DETECTION IN IOT/IOMT ENVIRONMENT
In this section, we discuss some of the future research challenges and directions of malware detection in the IoT/IoMT environment.

A. FOOLPROOF SECURITY
The malware detection and prevention techniques proposed in the literature do not provide foolproof security against the various types of malware attacks. Moreover, some of them are attack specific and do not work for other types of attacks at the same time. Therefore, we need to design malware detection techniques for IoT/IoMT security which are robust against multiple malware attacks at the same time. Designing such techniques is a challenging problem.

B. EFFICIENT MALWARE DETECTION TECHNIQUES
The IoT/IoMT communication environment consists of resource constrained devices, such as smart IoT devices, which have low computation power and storage capacity along with short battery life. Therefore, we cannot use them to perform computation, communication and storage intensive operations, as these require more resources. Hence, we cannot use heavy deep learning algorithms for malware detection on IoT/IoMT devices. Therefore, we need to design malware detection and prevention mechanisms in such a way that the proposed mechanisms exhibit low computation, communication and storage costs without compromising the security needs.

C. SCALABILITY OF MALWARE DETECTION SCHEME
IoT is a large scale heterogeneous network of different communication paradigms and applications, each with its own capabilities and requirements. In that way, malware detection for the IoT communication environment can be a challenging job. In such an environment, we can have the ''Electronic Health Records (EHRs)'' of certain users stored in an IoT-enabled cloud server for further processing. The different devices inside the ''Body Area Networks (BANs)'' produce data and send it to the cloud server. This constructs a heterogeneous network of different communicating devices. We need a specific type of malware detection mechanism which can protect all types of devices in such a communication environment. Hence, deeper research is needed in this direction.

D. HETEROGENEITY OF IOT COMMUNICATION ENVIRONMENT
The IoT communication environment is very diverse in nature, as we have various types of devices ranging from full-fledged laptop systems, desktop systems and personal digital assistants down to low powered sensing devices and RFID tags. Moreover, these devices work as per the principles of various types of communication protocols. It is also crucial to notice that these devices differ in terms of their storage capacity, computation power, communication range and underlying operating system. Henceforth, we need to design a malware detection mechanism in such a way that it can support and protect all the different types of devices and underlying technologies.

E. CROSS-PLATFORM MALWARE DETECTION
The heterogeneity of IoT networks creates a problem when we plan to deploy a malware detection mechanism. This property facilitates the interconnection of various application domains. However, it also creates challenges for designing an effective malware detection mechanism. For instance, when a smart home application requires access to data from a healthcare monitoring device, the malware detection mechanism should be compatible and strong, so that the application can access the data from the target network without any problem. At the same time, it is also important to notice that the data stored in the cloud requires effective malware detection and prevention mechanisms. Henceforth, in such applications we need to design strong and efficient malware detection mechanisms to provide uninterrupted connectivity across different IoT platforms.

F. USE OF BLOCKCHAIN IN MALWARE DETECTION
The operations of blockchain can be used to secure various communication environments, because blockchain operations are decentralized, efficient and transparent. Blockchain operations can also be utilized for efficient detection of malware in the IoT/IoMT environment. In such a detection method, we can create a block containing the information about the malicious programs (i.e., malware) and add it to the blockchain. Since the blockchain is available to all authorized parties, these parties have access to the information about the existing malware attacks on the system. Thus, malware detection can be performed in an effective way. Until today, very few blockchain-based malware detection schemes have been proposed in the literature. Therefore, the design of blockchain based malware detection schemes can also be a future research challenge [2], [105].

IX. CONCLUSION
IoT/IoMT based applications facilitate our everyday life. However, there is also a dark side to this, because they suffer from various security and privacy issues. We have noticed that malware attacks launched by the Mirai, Reaper, Echobot, Emotet, Gamut and Necurs botnets are active these days. Therefore, it becomes crucial to provide effective and efficient solutions for the malware attacks occurring in the IoT/IoMT environment. In this review work, we have done a study of various types of malware and their symptoms. We have also discussed some of the architectures of the IoT/IoMT environment along with their applications. A taxonomy of security schemes in the IoT/IoMT environment is also highlighted. Moreover, we have provided a comparative study of various existing schemes for malware detection and prevention in the IoT/IoMT communication environment. Some of the future research challenges and directions of malware detection in the IoT/IoMT environment are also highlighted.

FIGURE 3. Different types of malware attacks in IoT/IoMT environment.

TABLE 2. Types of malware.

TABLE 3. Summary of malware attacks in IoT/IoMT environment.

TABLE 4. Comparison of performance of existing schemes.