With the increasing use of resource-constrained IoT devices, the number of IoT Botnets has exploded, with many variants and ways of penetration. Nowadays, studies based on machine learning and deep learning have focused on dealing with IoT Botnets with many successes, and these studies require relevant data collected during malware execution. For this, the sandbox environment and behavior collection tools play an essential role. However, the existing sandboxes do not provide adequate behavior data for IoT Botnets, such as C&C server communication and shared-library requirements. Moreover, these sandboxes do not support a wide range of CPU architectures, and data are not exhaustively collected during executable file runtime. In this paper, we present a new practical sandbox, named V-Sandbox, for dynamic analysis of IoT Botnets. This sandbox is an ideal environment in which IoT Botnet samples exhibit all of their malicious behavior. It supports C&C server connections, shared libraries for dynamically linked files, and a wide range of CPU architectures. Experimental results on the 6141 IoT Botnet samples in our dataset have demonstrated the effectiveness of the proposed sandbox compared to existing ones. The contribution of this paper is specifically the development of a usable, efficient sandbox for dynamic analysis of malware targeting resource-constrained IoT devices.
With the rapid development of IoT devices, security risks become clearer in smart houses with the emergence of more types of IoT Botnet. With the development of machine learning technology applied to dynamic analysis methods, the automatic detection of IoT Botnet variants has seen many achievements. However, there are still some difficulties, such as building a sandbox suitable for IoT Botnets with specific chip architectures, collecting the full range of malicious behavior, and dataset imbalance, which affect the accuracy of the learning model. In this paper, the authors introduce a method of detecting IoT Botnets through the system calls of executable files to address some of the difficulties mentioned above. We modify a QEMU-based sandbox environment to collect more monitoring data and focus on the system-call behavior of malware. By using a CNN architecture combined with one-class classification and features extracted from the system call graph, the authors have built an IoT Botnet detection model with an accuracy of up to 97% and an F-measure of 98.33%.