TY - GEN
T1 - Investigating behavioral differences between IoT malware via function call sequence graphs
AU - Kawasoe, Reo
AU - Han, Chansu
AU - Isawa, Ryoichi
AU - Takahashi, Takeshi
AU - Takeuchi, Jun'ichi
N1 - Funding Information:
The authors would like to thank the IoTPOT team at Yoshioka Laboratory of Yokohama National University for providing the IoT malware. This work was partially supported by the commissioned research by National Institute of Information and Communications Technology (NICT), JAPAN, and by JSPS KAKENHI Grant Number JP18H03291.
Publisher Copyright:
© 2021 Owner/Author.
PY - 2021/3/22
Y1 - 2021/3/22
N2 - IoT malware that infects IoT devices is rampant. Most IoT malware variants are generated by changing various behaviors such as an attack method based on existing malware families. Nearly all antivirus software only identifies the malware family's name; thus, we cannot acquire further details about differences between malware behaviors. In this paper, we propose a graph-based method for confirming differences in malware behaviors and investigating the actual conditions of malware variants. The proposed method first extracts a sequence of function calls from a binary file of malware and represents the sequence to a directed graph, which we refer to as a function call sequence graph (FCSG). Next, the method automatically checks if the FCSG matches signature-FCSGs, which are manually generated as small-scale FCSGs representing malicious behaviors of known malware such as a function of attacks and network scans. To demonstrate the usability of our proposed method, we applied the proposed method to 24,126 in-the-wild IoT malware specimens and investigated the existence of specimens with mixed behaviors from multiple malware families or were specialized for some attacking behaviors.
AB - IoT malware that infects IoT devices is rampant. Most IoT malware variants are generated by changing various behaviors such as an attack method based on existing malware families. Nearly all antivirus software only identifies the malware family's name; thus, we cannot acquire further details about differences between malware behaviors. In this paper, we propose a graph-based method for confirming differences in malware behaviors and investigating the actual conditions of malware variants. The proposed method first extracts a sequence of function calls from a binary file of malware and represents the sequence to a directed graph, which we refer to as a function call sequence graph (FCSG). Next, the method automatically checks if the FCSG matches signature-FCSGs, which are manually generated as small-scale FCSGs representing malicious behaviors of known malware such as a function of attacks and network scans. To demonstrate the usability of our proposed method, we applied the proposed method to 24,126 in-the-wild IoT malware specimens and investigated the existence of specimens with mixed behaviors from multiple malware families or were specialized for some attacking behaviors.
UR - http://www.scopus.com/inward/record.url?scp=85104971139&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85104971139&partnerID=8YFLogxK
U2 - 10.1145/3412841.3442041
DO - 10.1145/3412841.3442041
M3 - Conference contribution
AN - SCOPUS:85104971139
T3 - Proceedings of the ACM Symposium on Applied Computing
SP - 1674
EP - 1682
BT - Proceedings of the 36th Annual ACM Symposium on Applied Computing, SAC 2021
PB - Association for Computing Machinery
T2 - 36th Annual ACM Symposium on Applied Computing, SAC 2021
Y2 - 22 March 2021 through 26 March 2021
ER -