Analyzing and Detecting Emerging Internet of Things Malware: A Graph-Based Approach

Alasmary, Hisham; Khormali, Aminollah; Anwar, Afsah; Park, Jeman; Choi, Joon-Seok; Abusnaina, Ahmed; Awad, Amro; Nyang, DaeHun; Mohaisen, Aziz

doi:10.1109/jiot.2019.2925929

Cited by 115 publications

(46 citation statements)

References 40 publications

(5 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In addition, control flow graph (CFG) was another common choice for malware classification. In [31], a CFG-based deep learning model was constructed to identify malware and benignware IoT disassembled samples.…”

Section: Machine Learning Methods On Edge Malware Detection and Categmentioning

confidence: 99%

Categorizing Malware via A Word2Vec-based Temporal Convolutional Network Scheme

et al. 2020

View full text Add to dashboard Cite

As edge computing paradigm achieves great popularity in recent years, there remain some technical challenges that must be addressed to guarantee smart device security in Internet of Things (IoT) environment. Generally, smart devices transmit individual data across the IoT for various purposes nowadays, and it will cause losses and impose a huge threat to users since malware may steal and damage these data. To improve malware detection performance on IoT smart devices, we conduct a malware categorization analysis based on the Kaggle competition of Microsoft Malware Classification Challenge (BIG 2015) dataset in this article. Practically speaking, motivated by temporal convolutional network (TCN) structure, we propose a malware categorization scheme mainly using Word2Vec pre-trained model. Considering that the popular one-hot encoding converts input names from malicious files to high-dimensional vectors since each name is represented as one dimension in one-hot vector space, more compact vectors with fewer dimensions are obtained through the use of Word2Vec pre-training strategy, and then it can lead to fewer parameters and stronger malware feature representation. Moreover, compared with long short-term memory (LSTM), TCN demonstrates better performance with longer effective memory and faster training speed in sequence modeling tasks. The experimental comparisons on this malware dataset reveal better categorization performance with less memory usage and training time. Especially, through the performance comparison between our scheme and the state-of-the-art Word2Vec-based LSTM approach, our scheme shows approximately 1.3% higher predicted accuracy than the latter on this malware categorization task. Additionally, it also demonstrates that our scheme reduces about 90 thousand parameters and more than 1 hour on the model training time in this comparison.

show abstract

Section: Machine Learning Methods On Edge Malware Detection and Categmentioning

confidence: 99%

Categorizing Malware via A Word2Vec-based Temporal Convolutional Network Scheme

et al. 2020

View full text Add to dashboard Cite

show abstract

“…od (octal dump) -Tool for debugging, visualizing executable code, and dumping in octal (default), hex, ASCII formats. openwrt [18] For benign firmwares pyelftools [28] Python library to parse and analyze ELFs and debugging radare2 [32], [34], [41] Binary forensic analysis, reverse engineering, exploiting and debugging tool. Options such as 'afl' can be used to disassemble function lists, get count of functions etc.…”

Section: Elfdump -mentioning

confidence: 99%

A Survey on Cross-Architectural IoT Malware Threat Hunting

et al. 2021

View full text Add to dashboard Cite

In recent years, the increase in non-Windows malware threats had turned the focus of the cybersecurity community. Research works on hunting Windows PE-based malwares are maturing, whereas the developments on Linux malware threat hunting are relatively scarce. With the advent of the Internet of Things (IoT) era, smart devices that are getting integrated into human life have become a hackers' highway for their malicious activities. The IoT devices employ various Unix-based architectures that follow ELF (Executable and Linkable Format) as their standard binary file specification. This study aims at providing a comprehensive survey on the latest developments in cross-architectural IoT malware detection and classification approaches. Aided by a modern taxonomy, we discuss the feature representations, feature extraction techniques, and machine learning models employed in the surveyed works. We further provide more insights on the practical challenges involved in cross-architectural IoT malware threat hunting and discuss various avenues to instill potential future research.

show abstract

“…2) Graph-based features The most popular graph-based feature explored for malware analysis is Control Flow Graph (CFG) -a data structure that represents the order of opcodes execution in a file. Alasmary et al [22] extracted CFGs and characterized the executables by graph features including numbers of nodes and edges, density, centrality, shortest path, etc. Convolutional Neural Network (CNN) was then employed for the analysis and yielded 99.66% accuracy for detection and 99.32% accuracy for malware family classification.…”

Section: B Malware Detection and Malware Family Classificationmentioning

confidence: 99%

Efficient Detection and Classification of Internet-of-Things Malware Based on Byte Sequences from Executable Files

Wan

Ban

Cheng

et al. 2020

IEEE Open J. Comput. Soc.

View full text Add to dashboard Cite

The simple implementation and monotonous operation features make Internet of Things (IoT) vulnerable to malware attacks. In order to understand the behavior of IoT malware for further mitigation and prevention, static analysis on executable files of IoT malware is a feasible approach. However, current analysis approaches based on opcode or call-graph usually do not work well with the diversity in CPU architectures and are often resource demanding. In this paper, we propose an efficient scheme to detect and classify IoT malware programs leveraging machine learning methods. We show that reliable and efficient detection and classification can be implemented by exploring the essential discriminant information stored in the byte sequences at the entry points of executable programs. We demonstrate the performance of the proposed scheme using a large scale dataset composed of 111K benignware and 111K malware programs from 7 CPU architectures. The proposed scheme achieves near optimal generalization performance for malware detection (99.9% in accuracy) and for malware family classification (98.4% in accuracy). Moreover, when the CPU architecture information is considered in the learning, the proposed scheme combined with SVM classifiers can yield even higher generalization performance using fewer bytes from the executable files. The findings in this paper is promising for implementing a lightweight malware protection solution on IoT devices with limited resources.

show abstract

Analyzing and Detecting Emerging Internet of Things Malware: A Graph-Based Approach

Cited by 115 publications

References 40 publications

Categorizing Malware via A Word2Vec-based Temporal Convolutional Network Scheme

Categorizing Malware via A Word2Vec-based Temporal Convolutional Network Scheme

A Survey on Cross-Architectural IoT Malware Threat Hunting

Efficient Detection and Classification of Internet-of-Things Malware Based on Byte Sequences from Executable Files

Contact Info

Product

Resources

About