MDABP: A Novel Approach to Detect Cross-Architecture IoT Malware Based on PaaS
Abstract
1. Introduction
- (1) A novel cross-architecture dynamic analysis method named MDABP is proposed. MDABP is the first cross-architecture dynamic analysis method using a single system call set. This method uses system calls from an Ubuntu OS based on a single CPU architecture as dynamic features to detect IoT malware from multiple CPU architectures.
- (2) We comprehensively evaluate the performance of MDABP through experiments and compare it with existing analysis methods to establish its efficiency.
2. Related Works
2.1. Static Feature-Based Methods
2.2. Dynamic Feature-Based Methods
2.3. Hybrid Feature-Based Methods
2.4. VMI Detection-Based Features
3. Methodology
3.1. Overview
3.2. PaaS Model Building
3.3. Feature Extraction
3.4. Feature Selection
3.5. Classification Model Building
4. Experimental Evaluation
4.1. Dataset and Experiment Setting
4.2. Evaluation Metrics
4.3. Evaluation of Performance on a Single Architecture Sample Set
4.4. Evaluation of Performance on Cross-Architectural Samples
4.5. Evaluation of Mixed Samples of Cross-Architecture
5. Conclusions
6. Discussion and Future Work
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Conflicts of Interest
References
- Statista. Number of Internet of Things (IoT) Connected Devices Worldwide from 2019 to 2021, with Forecasts from 2022 to 2030. Available online: https://www.statista.com/statistics/1183457/iot-connected-devices-worldwide/ (accessed on 30 July 2022).
- Grammatikis, P.I.R.; Sarigiannidis, P.G.; Moscholios, I.D. Securing the Internet of Things: Challenges, threats and solutions. Internet Things 2019, 5, 41–70.
- Ngo, Q.-D.; Nguyen, H.-T.; Le, V.-H.; Nguyen, D.-H. A survey of IoT malware and detection methods based on static features. ICT Express 2020, 6, 280–286.
- Akabane, S.; Okamoto, T. Identification of library functions statically linked to Linux malware without symbols. Procedia Comput. Sci. 2020, 176, 3436–3445.
- Hu, X.; Sun, R.; Xu, K.; Zhang, Y.; Chang, P. Exploit internal structural information for IoT malware detection based on hierarchical transformer model. In Proceedings of the 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), Guangzhou, China, 29 December 2020–1 January 2021; pp. 927–934.
- Niu, W.; Zhang, X.; Du, X.; Hu, T.; Xie, X.; Guizani, N. Detecting malware on X86-based IoT devices in autonomous driving. IEEE Wirel. Commun. 2019, 26, 80–87.
- Lee, Y.-T.; Ban, T.; Wan, T.-L.; Cheng, S.-M.; Isawa, R.; Takahashi, T.; Inoue, D. Cross platform IoT-malware family classification based on printable strings. In Proceedings of the 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), Guangzhou, China, 29 December 2020–1 January 2021; pp. 775–784.
- Carrillo-Mondéjar, J.; Martínez, J.L.; Suarez-Tangil, G. Characterizing Linux-based malware: Findings and recent trends. Future Gener. Comput. Syst. 2020, 110, 267–281.
- Pa, Y.M.P.; Suzuki, S.; Yoshioka, K.; Matsumoto, T.; Kasama, T.; Rossow, C. IoTPOT: A novel honeypot for revealing current IoT threats. J. Inf. Process. 2016, 24, 522–533.
- Tian, D.; Ying, Q.; Jia, X.; Ma, R.; Hu, C.; Liu, W. MDCHD: A novel malware detection method in cloud using hardware trace and deep learning. Comput. Netw. 2021, 198, 108394.
- Chen, C.-Y.; Hsiao, S.-W. IoT malware dynamic analysis profiling system and family behavior analysis. In Proceedings of the 2019 IEEE International Conference on Big Data (Big Data), Los Angeles, CA, USA, 9–12 December 2019; pp. 6013–6015.
- Raju, A.D.; Abualhaol, I.Y.; Giagone, R.S.; Zhou, Y.; Huang, S. A survey on cross-architectural IoT malware threat hunting. IEEE Access 2021, 9, 91686–91709.
- Alhanahnah, M.; Lin, Q.; Yan, Q.; Zhang, N.; Chen, Z. Efficient signature generation for classifying cross-architecture IoT malware. In Proceedings of the 2018 IEEE Conference on Communications and Network Security (CNS), Beijing, China, 30 May–1 June 2018; pp. 1–9.
- Hwang, C.; Hwang, J.; Kwak, J.; Lee, T. Platform-independent malware analysis applicable to windows and linux environments. Electronics 2020, 9, 793.
- Nguyen, H.-T.; Ngo, Q.-D.; Le, V.-H. A novel graph-based approach for IoT botnet detection. Int. J. Inf. Secur. 2020, 19, 567–577.
- Torabi, S.; Dib, M.; Bou-Harb, E.; Assi, C.; Debbabi, M. A strings-based similarity analysis approach for characterizing IoT malware and inferring their underlying relationships. IEEE Netw. Lett. 2021, 3, 161–165.
- Alasmary, H.; Anwar, A.; Abusnaina, A.; Alabduljabbar, A.; Abuhamad, M.; Wang, A.; Nyang, D.; Awad, A.; Mohaisen, D. SHELLCORE: Automating malicious IoT software detection using shell commands representation. IEEE Internet Things J. 2021, 9, 2485–2496.
- Wan, T.-L.; Ban, T.; Cheng, S.-M.; Lee, Y.-T.; Sun, B.; Isawa, R.; Takahashi, T.; Inoue, D. Efficient detection and classification of internet-of-things malware based on byte sequences from executable files. IEEE Open J. Comput. Soc. 2020, 1, 262–275.
- Chaganti, R.; Ravi, V.; Pham, T.D. Deep learning based cross architecture internet of things malware detection and classification. Comput. Secur. 2022, 120, 102779.
- Wan, T.-L.; Ban, T.; Lee, Y.-T.; Cheng, S.-M.; Isawa, R.; Takahashi, T.; Inoue, D. IoT-malware detection based on byte sequences of executable files. In Proceedings of the 2020 15th Asia Joint Conference on Information Security (AsiaJCIS), Taipei, Taiwan, 20–21 August 2020; pp. 143–150.
- Alasmary, H.; Khormali, A.; Anwar, A.; Park, J.; Choi, J.; Abusnaina, A.; Awad, A.; Nyang, D.; Mohaisen, A. Analyzing and detecting emerging Internet of Things malware: A graph-based approach. IEEE Internet Things J. 2019, 6, 8977–8988.
- Lai, J.; Hu, D.; Yin, A.; Lu, L. Edge Intelligence (EI)-Enabled Malware Internet of Things (IoT) Detection System. In Proceedings of the 2021 IEEE 4th International Conference on Computer and Communication Engineering Technology (CCET), Beijing, China, 13–15 August 2021; pp. 199–202.
- Su, J.; Vasconcellos, D.V.; Prasad, S.; Sgandurra, D.; Feng, Y.; Sakurai, K. Lightweight classification of IoT malware based on image recognition. In Proceedings of the 2018 IEEE 42nd Annual Computer Software and Applications Conference (COMPSAC), Tokyo, Japan, 23–27 July 2018; pp. 664–669.
- Li, Q.; Mi, J.; Li, W.; Wang, J.; Cheng, M. CNN-based malware variants detection method for internet of things. IEEE Internet Things J. 2021, 8, 16946–16962.
- Ullah, F.; Naeem, H.; Jabbar, S.; Khalid, S.; Latif, M.A.; Al-Turjman, F.; Mostarda, L. Cyber security threats detection in internet of things using deep learning approach. IEEE Access 2019, 7, 124379–124389.
- Yuan, B.; Wang, J.; Wu, P.; Qing, X. IoT malware classification based on lightweight convolutional neural networks. IEEE Internet Things J. 2021, 9, 3770–3783.
- Phu, T.N.; Hoang, L.H.; Toan, N.N.; Tho, N.D.; Binh, N.N. CFDVex: A novel feature extraction method for detecting cross-architecture IoT malware. In Proceedings of the 10th International Symposium on Information and Communication Technology, Ha Long Bay, Vietnam, 4–6 December 2019; pp. 248–254.
- Vasan, D.; Alazab, M.; Venkatraman, S.; Akram, J.; Qin, Z. MTHAEL: Cross-architecture IoT malware detection based on neural network advanced ensemble learning. IEEE Trans. Comput. 2020, 69, 1654–1667.
- Darabian, H.; Dehghantanha, A.; Hashemi, S.; Homayoun, S.; Choo, K.K.R. An opcode-based technique for polymorphic Internet of Things malware detection. Concurr. Comput. Pract. Exp. 2020, 32, e5173.
- Haddadpajouh, H.; Mohtadi, A.; Dehghantanaha, A.; Karimipour, H.; Lin, X.; Choo, K.-K.R. A multikernel and metaheuristic feature selection approach for IoT malware threat hunting in the edge layer. IEEE Internet Things J. 2020, 8, 4540–4547.
- Park, D.; Powers, H.; Prashker, B.; Liu, L.; Yener, B. Towards Obfuscated Malware Detection for Low Powered IoT Devices. In Proceedings of the 2020 19th IEEE International Conference on Machine Learning and Applications (ICMLA), Miami, FL, USA, 14–17 December 2020; pp. 1073–1080.
- Venkatraman, S.; Alazab, M. Classification of malware using visualisation of similarity matrices. In Proceedings of the 2017 Cybersecurity and Cyberforensics Conference (CCC), London, UK, 21–23 November 2017; pp. 3–8.
- Dovom, E.M.; Azmoodeh, A.; Dehghantanha, A.; Newton, D.E.; Parizi, R.M.; Karimipour, H. Fuzzy pattern tree for edge malware detection and categorization in IoT. J. Syst. Archit. 2019, 97, 1–7.
- Yang, S.; Cheng, L.; Zeng, Y.; Lang, Z.; Zhu, H.; Shi, Z. Asteria: Deep learning-based AST-encoding for cross-platform binary code similarity detection. In Proceedings of the 2021 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), Taipei, Taiwan, 21–24 June 2021; pp. 224–236.
- Hamad, S.A.; Sheng, Q.Z.; Zhang, W.E. BERTDeep-Ware: A Cross-architecture Malware Detection Solution for IoT Systems. In Proceedings of the 2021 IEEE 20th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), Shenyang, China, 20–22 October 2021; pp. 927–934.
- Li, C.; Shen, G.; Sun, W. Cross-architecture Internet-of-Things malware detection based on graph neural network. In Proceedings of the 2021 International Joint Conference on Neural Networks (IJCNN), Shenzhen, China, 18–22 July 2021; pp. 1–7.
- Song, Q.; Zhang, Y.; Wang, B.; Chen, Y. Inter-BIN: Interaction-Based Cross-Architecture IoT Binary Similarity Comparison. IEEE Internet Things J. 2022, 9, 20018–20033.
- Darem, A.; Abawajy, J.; Makkar, A.; Alhashmi, A.; Alanazi, S. Visualization and deep-learning-based malware variant detection using OpCode-level features. Future Gener. Comput. Syst. 2021, 125, 314–323.
- Dinakarrao, S.M.P.; Sayadi, H.; Makrani, H.M.; Nowzari, C.; Rafatirad, S.; Homayoun, H. Lightweight node-level malware detection and network-level malware confinement in iot networks. In Proceedings of the 2019 Design, Automation & Test in Europe Conference & Exhibition (DATE), Florence, Italy, 25–29 March 2019; pp. 776–781.
- Li, Z.; Perez, B.; Khan, S.A.; Feldhaus, B.; Zhao, D. A New Design of Smart Plug for Real-time IoT Malware Detection. In Proceedings of the 2021 IEEE Microelectronics Design & Test Symposium (MDTS), Albany, NY, USA, 18–21 May 2021; pp. 1–6.
- Pham, D.-P.; Marion, D.; Heuser, A. Poster: Obfuscation Revealed-Using Electromagnetic Emanation to Identify and Classify Malware. In Proceedings of the 2021 IEEE European Symposium on Security and Privacy (EuroS&P), Vienna, Austria, 6–10 September 2021; pp. 710–712.
- Catuogno, L.; Galdi, C.; Pasquino, N. An effective methodology for measuring software resource usage. IEEE Trans. Instrum. Meas. 2018, 67, 2487–2494.
- Yu, R.; Zhang, X.; Zhang, M. Smart home security analysis system based on the internet of things. In Proceedings of the 2021 IEEE 2nd International Conference on Big Data, Artificial Intelligence and Internet of Things Engineering (ICBAIE), Nanchang, China, 26–28 March 2021; pp. 596–599.
- Alrubayyi, H.; Goteng, G.; Jaber, M.; Kelly, J. A novel negative and positive selection algorithm to detect unknown malware in the IoT. In Proceedings of the IEEE INFOCOM 2021-IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), Vancouver, BC, Canada, 10–13 May 2021; pp. 1–6.
- Kumar, A.; Lim, T.J. EDIMA: Early detection of IoT malware network activity using machine learning techniques. In Proceedings of the 2019 IEEE 5th World Forum on Internet of Things (WF-IoT), Limerick, Ireland, 15–18 April 2019; pp. 289–294.
- Palla, T.G.; Tayeb, S. Intelligent Mirai malware detection in IOT devices. In Proceedings of the 2021 IEEE World AI IoT Congress (AIIoT), Virtual, 10–13 May 2021; pp. 0420–0426.
- Bendiab, G.; Shiaeles, S.; Alruban, A.; Kolokotronis, N. IoT malware network traffic classification using visual representation and deep learning. In Proceedings of the 2020 6th IEEE Conference on Network Softwarization (NetSoft), Ghent, Belgium, 29 June–3 July 2020; pp. 444–449.
- Guizani, N.; Ghafoor, A. A network function virtualization system for detecting malware in large IoT based networks. IEEE J. Sel. Areas Commun. 2020, 38, 1218–1228.
- Muthanna, M.S.A.; Alkanhel, R.; Muthanna, A.; Rafiq, A.; Abdullah, W.A.M. Towards SDN-Enabled, Intelligent Intrusion Detection System for Internet of Things (IoT). IEEE Access 2022, 10, 22756–22768.
- Praveena, V.; Vijayaraj, A.; Chinnasamy, P.; Ali, I.; Alroobaea, R.; Alyahyan, S.Y.; Raza, M.A. Optimal deep reinforcement learning for intrusion detection in uavs. Comput. Mater. Contin. 2022, 70, 2639–2653.
- Sudar, K.; Beulah, M.; Deepalakshmi, P.; Nagaraj, P.; Chinnasamy, P. Detection of Distributed Denial of Service Attacks in SDN using Machine learning techniques. In Proceedings of the 2021 International Conference on Computer Communication and Informatics (ICCCI), Coimbatore, India, 27–29 January 2021; pp. 1–5.
- Cozzi, E.; Graziano, M.; Fratantonio, Y.; Balzarotti, D. Understanding linux malware. In Proceedings of the 2018 IEEE symposium on security and privacy (SP), San Francisco, CA, USA, 21–23 May 2018; pp. 161–175.
- Ban, T.; Isawa, R.; Yoshioka, K.; Inoue, D. A cross-platform study on IoT malware. In Proceedings of the 2018 Eleventh International Conference on Mobile Computing and Ubiquitous Network (ICMU), Auckland, New Zealand, 5–8 October 2018; pp. 1–2.
- Li, B.; Li, J.; Wo, T.; Hu, C.; Zhong, L. A VMM-based system call interposition framework for program monitoring. In Proceedings of the 2010 IEEE 16th International Conference on Parallel and Distributed Systems, Washington, DC, USA, 8–10 December 2010; pp. 706–711.
- Mishra, P.; Verma, I.; Gupta, S. KVMInspector: KVM Based introspection approach to detect malware in cloud environment. J. Inf. Secur. Appl. 2020, 51, 102460.
- Cheng, S.-M.; Ban, T.; Huang, J.-W.; Hong, B.-K.; Inoue, D. ELF analyzer demo: Online identification for IoT malwares with multiple hardware architectures. In Proceedings of the 2020 IEEE Security and Privacy Workshops (SPW), San Francisco, CA, USA, 21 May 2020; p. 126.
- Jeon, J.; Park, J.H.; Jeong, Y.-S. Dynamic analysis for IoT malware detection with convolution neural network model. IEEE Access 2020, 8, 96899–96911.
- Chen, T.; Liu, H. Research on the Construction of Cloud Computing Platform Project Based on IaaS and PaaS. In Proceedings of the 2021 7th Annual International Conference on Network and Information Systems for Computers (ICNISC), Guiyang, China, 23–25 July 2021; pp. 506–510.
- Ubuntu Manuals. Syscalls—Linux System Calls. Available online: https://manpages.ubuntu.com/manpages/impish/man2/syscalls.2.html (accessed on 1 February 2023).
- VirusTotal. Available online: https://www.virustotal.com (accessed on 1 February 2023).

 | ARM | X86-32 | Total |
---|---|---|---|
malware | 723 | 554 | 1277 |
benign | 223 | 219 | 442 |

Algorithm | Architecture | Detection Model | Accuracy (%) | Recall (%) |
---|---|---|---|---|
Hu et al. [5] | ARM | HTM | 94.67 | 99.12 |
MDABP | ARM | KNN | 98.34 | 99.86 |
Niu et al. [6] | X86 | XGBoost | 94.60 | 94.70 |
MDABP | X86-32 | KNN | 97.62 | 99.34 |

Trained by (IoT dataset) | Evaluated by (IoT dataset) | Accuracy (%) | Recall (%) | F1 (%) |
---|---|---|---|---|
ARM | X86-32 | 83.50 | 100 | 89.71 |
X86-32 | ARM | 93.90 | 94.32 | 95.98 |

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.
© 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Zhao, Y.; Kuerban, A. MDABP: A Novel Approach to Detect Cross-Architecture IoT Malware Based on PaaS. Sensors 2023, 23, 3060. https://doi.org/10.3390/s23063060