eprintid: 3757
rev_number: 13
eprint_status: archive
userid: 274
dir: disk0/00/00/37/57
datestamp: 2019-12-09 09:15:34
lastmod: 2019-12-09 09:15:34
status_changed: 2019-12-09 09:15:34
type: article
metadata_visibility: show
creators_name: Tran, Nghi Phu
creators_name: Hoang, Dang Kien
creators_name: Ngo, Quoc Dung
creators_name: Nguyen, Dai Tho
creators_name: Nguyen, Ngoc Binh
creators_id: tnphvan@gmail.com
creators_id: 15021363@vnu.edu.vn
creators_id: quocdung.ngo@gmail.com
creators_id: nguyendaitho@vnu.edu.vn
creators_id: nnbinh@vnu.edu.vn
corp_creators: VNU University of Engineering and Technology
corp_creators: People’s Security Academy
corp_creators: Posts and Telecommunications Institute of Technology
corp_creators: Kyoto College of Graduate Studies for Informatics
title: A Novel Framework to Classify Malware in MIPS Architecture-based IoT Devices
ispublished: inpress
subjects: IT
subjects: Scopus
subjects: isi
divisions: fac_fit
abstract: Malware on devices connected to the Internet via the Internet of Things (IoT) is evolving and is a core component of the fourth industrial revolution. A large proportion of IoT devices use the MIPS architecture and run embedded Linux operating systems, but the automatic analysis of IoT malware has not been resolved. We propose a framework to classify malware in IoT devices using MIPS-based system behavior (system calls, or syscalls) obtained from our F-Sandbox passive process together with machine learning techniques. The F-Sandbox is a new type of IoT sandbox, automatically created from the real firmware of specialized IoT devices and inheriting the specialized environment of that firmware; it thereby provides the diverse sandboxing environment that is an important characteristic of an IoT sandbox. This framework classifies five families of IoT malware with F1-Weight = 97.44%.
date: 2019
date_type: published
publisher: Hindawi
official_url: https://www.hindawi.com/journals/scn/
full_text_status: public
publication: Security and Communication Networks
refereed: TRUE
issn: 1939-0114
citation: Tran, Nghi Phu and Hoang, Dang Kien and Ngo, Quoc Dung and Nguyen, Dai Tho and Nguyen, Ngoc Binh (2019) A Novel Framework to Classify Malware in MIPS Architecture-based IoT Devices. Security and Communication Networks. ISSN 1939-0114 (In Press)
document_url: https://eprints.uet.vnu.edu.vn/eprints/id/eprint/3757/1/A%20Novel%20Framework%20to%20Classify%20Malware%20in%20MIPS%20Architecture-based%20IoT%20Devices_V3.pdf