Kent Academic Repository

Micro-Auditing for Ransomware Detection in Resource-Constrained Industrial IoT Networks

Huang, Yuxiang, Brierley, Calvin, Pope, James, Ma, Jiteng, Di Buono, Antonio, Arief, Budi, Oikonomou, George (2025) Micro-Auditing for Ransomware Detection in Resource-Constrained Industrial IoT Networks. In: 4th Workshop on Security and Privacy in Connected Embedded Systems (SPICES 2025), 22 September 2025. (KAR id:113337)

Abstract

The threat of ransomware on severely constrained industrial Internet of Things (IoT) deployments is real and difficult to defend against, especially because resource-constrained devices can be compromised and used to propagate malicious payloads with minimal observability. To support the development of ransomware detection and prevention countermeasures, this paper proposes a lightweight micro-auditing mechanism that captures diagnostic metrics derived from process scheduling, as well as from resource and network utilization patterns. The proposed mechanism minimizes computational, memory, and energy overhead through adaptive metric sampling, ensuring resource-efficient operation. We have developed this micro-auditing mechanism using the Contiki-NG operating system for IoT devices, and we use our implementation to derive memory and code footprint statistics as evidence of its lightweight nature. Using the Cooja simulator and an existing ransomware prototype, we examine the feasibility of our micro-auditing mechanism through a host of experiments on topologies of different densities, to quantify the speed and subtle nature of ransomware propagation. Our results highlight the fact that, due to its subtlety, this threat can elude traditional traffic- and power-based anomaly detectors. The micro-auditing mechanism not only enables device-level security auditing but also underpins our ongoing work on the development of countermeasures using a scalable framework for integrating machine learning classifiers, which could further refine threat discrimination and reduce false positives.

Item Type: Conference or workshop item (Paper)
Uncontrolled keywords: Industrial IoT, ransomware, auditing, constrained devices
Subjects: Q Science > QA Mathematics (inc Computing science)
Institutional Unit: Institutes > Institute of Cyber Security for Society
Former Institutional Unit:
There are no former institutional units.
Funders: Engineering and Physical Sciences Research Council (https://ror.org/0439y7842)
Depositing User: Budi Arief
Date Deposited: 06 Mar 2026 15:31 UTC
Last Modified: 06 Mar 2026 15:32 UTC
Resource URI: https://kar.kent.ac.uk/id/eprint/113337 (The current URI for this page, for reference purposes)
