Statically Dissecting Internet of Things Malware: Analysis, Characterization, and Detection

Afsah Anwar; Hisham Alasmary; Jeman Park; An Wang; Songqing Chen; David Mohaisen

doi:10.1007/978-3-030-61078-4_25

Statically Dissecting Internet of Things Malware: Analysis, Characterization, and Detection

Afsah Anwar, Hisham Alasmary, Jeman Park, An Wang, Songqing Chen, David Mohaisen

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

11 Citations (Scopus)

Abstract

Software vulnerabilities in emerging systems, such as the Internet of Things (IoT), allow for multiple attack vectors that are exploited by adversaries for malicious intents. One of such vectors is malware, where limited efforts have been dedicated to IoT malware analysis, characterization, and understanding. In this paper, we analyze recent IoT malware through the lenses of static analysis. Towards this, we reverse-engineer and perform a detailed analysis of almost 2,900 IoT malware samples of eight different architectures across multiple analysis directions. We conduct string analysis, unveiling operation, unique textual characteristics, and network dependencies. Through the control flow graph analysis, we unveil unique graph-theoretic features. Through the function analysis, we address obfuscation by function approximation. We then pursue two applications based on our analysis: 1) Combining various analysis aspects, we reconstruct the infection lifecycle of various prominent malware families, and 2) using multiple classes of features obtained from our static analysis, we design a machine learning-based detection model with features that are robust and an average detection rate of 99.8%.

Original language	English
Title of host publication	Information and Communications Security - 22nd International Conference, ICICS 2020, Proceedings
Editors	Weizhi Meng, Dieter Gollmann, Christian D. Jensen, Jianying Zhou
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	443-461
Number of pages	19
ISBN (Print)	9783030610777
DOIs	https://doi.org/10.1007/978-3-030-61078-4_25
Publication status	Published - 2020
Event	22nd International Conference on Information and Communications Security, ICICS 2020 - Copenhagen, Denmark Duration: 24 Aug 2020 → 26 Aug 2020

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	12282 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	22nd International Conference on Information and Communications Security, ICICS 2020
Country/Territory	Denmark
City	Copenhagen
Period	24/08/20 → 26/08/20

Bibliographical note

Publisher Copyright:
© 2020, Springer Nature Switzerland AG.

Keywords

Detection
IoT
Lifecycle
Malware
Static analysis

Access to Document

10.1007/978-3-030-61078-4_25

Cite this

Anwar, A., Alasmary, H., Park, J., Wang, A., Chen, S., & Mohaisen, D. (2020). Statically Dissecting Internet of Things Malware: Analysis, Characterization, and Detection. In W. Meng, D. Gollmann, C. D. Jensen, & J. Zhou (Eds.), Information and Communications Security - 22nd International Conference, ICICS 2020, Proceedings (pp. 443-461). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 12282 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-030-61078-4_25

Anwar, Afsah ; Alasmary, Hisham ; Park, Jeman et al. / Statically Dissecting Internet of Things Malware : Analysis, Characterization, and Detection. Information and Communications Security - 22nd International Conference, ICICS 2020, Proceedings. editor / Weizhi Meng ; Dieter Gollmann ; Christian D. Jensen ; Jianying Zhou. Springer Science and Business Media Deutschland GmbH, 2020. pp. 443-461 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{b19d9b44576b47758f8ea0a74902ccb9,

title = "Statically Dissecting Internet of Things Malware: Analysis, Characterization, and Detection",

abstract = "Software vulnerabilities in emerging systems, such as the Internet of Things (IoT), allow for multiple attack vectors that are exploited by adversaries for malicious intents. One of such vectors is malware, where limited efforts have been dedicated to IoT malware analysis, characterization, and understanding. In this paper, we analyze recent IoT malware through the lenses of static analysis. Towards this, we reverse-engineer and perform a detailed analysis of almost 2,900 IoT malware samples of eight different architectures across multiple analysis directions. We conduct string analysis, unveiling operation, unique textual characteristics, and network dependencies. Through the control flow graph analysis, we unveil unique graph-theoretic features. Through the function analysis, we address obfuscation by function approximation. We then pursue two applications based on our analysis: 1) Combining various analysis aspects, we reconstruct the infection lifecycle of various prominent malware families, and 2) using multiple classes of features obtained from our static analysis, we design a machine learning-based detection model with features that are robust and an average detection rate of 99.8%.",

keywords = "Detection, IoT, Lifecycle, Malware, Static analysis",

author = "Afsah Anwar and Hisham Alasmary and Jeman Park and An Wang and Songqing Chen and David Mohaisen",

note = "Publisher Copyright: {\textcopyright} 2020, Springer Nature Switzerland AG.; 22nd International Conference on Information and Communications Security, ICICS 2020 ; Conference date: 24-08-2020 Through 26-08-2020",

year = "2020",

doi = "10.1007/978-3-030-61078-4_25",

language = "English",

isbn = "9783030610777",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "443--461",

editor = "Weizhi Meng and Dieter Gollmann and Jensen, {Christian D.} and Jianying Zhou",

booktitle = "Information and Communications Security - 22nd International Conference, ICICS 2020, Proceedings",

address = "Germany",

}

Anwar, A, Alasmary, H, Park, J, Wang, A, Chen, S & Mohaisen, D 2020, Statically Dissecting Internet of Things Malware: Analysis, Characterization, and Detection. in W Meng, D Gollmann, CD Jensen & J Zhou (eds), Information and Communications Security - 22nd International Conference, ICICS 2020, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 12282 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 443-461, 22nd International Conference on Information and Communications Security, ICICS 2020, Copenhagen, Denmark, 24/08/20. https://doi.org/10.1007/978-3-030-61078-4_25

Statically Dissecting Internet of Things Malware: Analysis, Characterization, and Detection. / Anwar, Afsah; Alasmary, Hisham; Park, Jeman et al.
Information and Communications Security - 22nd International Conference, ICICS 2020, Proceedings. ed. / Weizhi Meng; Dieter Gollmann; Christian D. Jensen; Jianying Zhou. Springer Science and Business Media Deutschland GmbH, 2020. p. 443-461 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 12282 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Statically Dissecting Internet of Things Malware

T2 - 22nd International Conference on Information and Communications Security, ICICS 2020

AU - Anwar, Afsah

AU - Alasmary, Hisham

AU - Park, Jeman

AU - Wang, An

AU - Chen, Songqing

AU - Mohaisen, David

PY - 2020

Y1 - 2020

N2 - Software vulnerabilities in emerging systems, such as the Internet of Things (IoT), allow for multiple attack vectors that are exploited by adversaries for malicious intents. One of such vectors is malware, where limited efforts have been dedicated to IoT malware analysis, characterization, and understanding. In this paper, we analyze recent IoT malware through the lenses of static analysis. Towards this, we reverse-engineer and perform a detailed analysis of almost 2,900 IoT malware samples of eight different architectures across multiple analysis directions. We conduct string analysis, unveiling operation, unique textual characteristics, and network dependencies. Through the control flow graph analysis, we unveil unique graph-theoretic features. Through the function analysis, we address obfuscation by function approximation. We then pursue two applications based on our analysis: 1) Combining various analysis aspects, we reconstruct the infection lifecycle of various prominent malware families, and 2) using multiple classes of features obtained from our static analysis, we design a machine learning-based detection model with features that are robust and an average detection rate of 99.8%.

AB - Software vulnerabilities in emerging systems, such as the Internet of Things (IoT), allow for multiple attack vectors that are exploited by adversaries for malicious intents. One of such vectors is malware, where limited efforts have been dedicated to IoT malware analysis, characterization, and understanding. In this paper, we analyze recent IoT malware through the lenses of static analysis. Towards this, we reverse-engineer and perform a detailed analysis of almost 2,900 IoT malware samples of eight different architectures across multiple analysis directions. We conduct string analysis, unveiling operation, unique textual characteristics, and network dependencies. Through the control flow graph analysis, we unveil unique graph-theoretic features. Through the function analysis, we address obfuscation by function approximation. We then pursue two applications based on our analysis: 1) Combining various analysis aspects, we reconstruct the infection lifecycle of various prominent malware families, and 2) using multiple classes of features obtained from our static analysis, we design a machine learning-based detection model with features that are robust and an average detection rate of 99.8%.

KW - Detection

KW - IoT

KW - Lifecycle

KW - Malware

KW - Static analysis

UR - http://www.scopus.com/inward/record.url?scp=85097645849&partnerID=8YFLogxK

U2 - 10.1007/978-3-030-61078-4_25

DO - 10.1007/978-3-030-61078-4_25

M3 - Conference contribution

AN - SCOPUS:85097645849

SN - 9783030610777

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 443

EP - 461

BT - Information and Communications Security - 22nd International Conference, ICICS 2020, Proceedings

A2 - Meng, Weizhi

A2 - Gollmann, Dieter

A2 - Jensen, Christian D.

A2 - Zhou, Jianying

PB - Springer Science and Business Media Deutschland GmbH

Y2 - 24 August 2020 through 26 August 2020

ER -

Anwar A, Alasmary H, Park J, Wang A, Chen S, Mohaisen D. Statically Dissecting Internet of Things Malware: Analysis, Characterization, and Detection. In Meng W, Gollmann D, Jensen CD, Zhou J, editors, Information and Communications Security - 22nd International Conference, ICICS 2020, Proceedings. Springer Science and Business Media Deutschland GmbH. 2020. p. 443-461. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-030-61078-4_25

Statically Dissecting Internet of Things Malware: Analysis, Characterization, and Detection

Abstract

Publication series

Conference

Bibliographical note

Keywords

Access to Document

Other files and links

Fingerprint

Cite this