IoT Malware Analysis and New Pattern Discovery Through Sequence Analysis Using Meta-Feature Information

Chun-Jung WU  Shin-Ying HUANG  Katsunari YOSHIOKA  Tsutomu MATSUMOTO  

IEICE TRANSACTIONS on Communications   Vol.E103-B   No.1   pp.32-42
Publication Date: 2020/01/01
Publicized: 2019/08/05
Online ISSN: 1745-1345
DOI: 10.1587/transcom.2019CPP0009
Type of Manuscript: Special Section PAPER (Special Section on Internet Architecture, Applications and Operation Technologies for a Cyber-Physical System)
Category: Fundamental Theories for Communications
IoT malware,  botnet,  denial of service,  text mining,  N-gram,  classification,  clustering,  

Full Text: PDF(3.6MB)>>
Buy this Article

A drastic increase in cyberattacks targeting Internet of Things (IoT) devices using telnet protocols has been observed. IoT malware continues to evolve, and the diversity of OS and environments increases the difficulty of executing malware samples in an observation setting. To address this problem, we sought to develop an alternative means of investigation by using the telnet logs of IoT honeypots and analyzing malware without executing it. In this paper, we present a malware classification method based on malware binaries, command sequences, and meta-features. We employ both unsupervised or supervised learning algorithms and text-mining algorithms for handling unstructured data. Clustering analysis is applied for finding malware family members and revealing their inherent features for better explanation. First, the malware binaries are grouped using similarity analysis. Then, we extract key patterns of interaction behavior using an N-gram model. We also train a multiclass classifier to identify IoT malware categories based on common infection behavior. For misclassified subclasses, second-stage sub-training is performed using a file meta-feature. Our results demonstrate 96.70% accuracy, with high precision and recall. The clustering results reveal variant attack vectors and one denial of service (DoS) attack that used pure Linux commands.