Investigating behavioral differences between IoT malware via function call sequence graphs

Reo Kawasoe, Chansu Han, Ryoichi Isawa, Takeshi Takahashi, Jun'ichi Takeuchi

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

1 Citation (Scopus)

Abstract

IoT malware that infects IoT devices is rampant. Most IoT malware variants are generated by changing various behaviors, such as the attack method, of existing malware families. Nearly all antivirus software identifies only the malware family's name; thus, we cannot acquire further details about differences between malware behaviors. In this paper, we propose a graph-based method for confirming differences in malware behaviors and investigating the actual conditions of malware variants. The proposed method first extracts a sequence of function calls from a malware binary and represents the sequence as a directed graph, which we refer to as a function call sequence graph (FCSG). Next, the method automatically checks whether the FCSG matches signature-FCSGs, which are manually generated small-scale FCSGs representing malicious behaviors of known malware, such as attack functions and network scans. To demonstrate the usability of our proposed method, we applied it to 24,126 in-the-wild IoT malware specimens and investigated whether there exist specimens that mix behaviors from multiple malware families or that are specialized for particular attack behaviors.
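As an added illustration of the two steps the abstract describes (building an FCSG from a call sequence, then testing it against signature-FCSGs), the following example code was written for this page and is not the authors' implementation; the call names, the two signatures, and the edge-subgraph matching rule are constructed assumptions, not taken from the paper.

```python
from collections import defaultdict


def build_fcsg(call_sequence):
    """Turn a sequence of function calls into a directed graph (FCSG).

    Each distinct function name is a node; an edge a -> b records that
    b was called immediately after a somewhere in the sequence.
    """
    graph = defaultdict(set)
    for caller, callee in zip(call_sequence, call_sequence[1:]):
        graph[caller].add(callee)
    for fn in call_sequence:          # keep functions with no successor as nodes
        graph.setdefault(fn, set())
    return dict(graph)


def signature_matches(fcsg, signature):
    """Assumed matching rule: a signature-FCSG matches when every node and
    every edge of the signature also exist in the specimen's FCSG."""
    for node, successors in signature.items():
        if node not in fcsg or not successors <= fcsg[node]:
            return False
    return True


def matched_behaviors(fcsg, signatures):
    """Names of all signature-FCSGs the specimen matches; a specimen that
    matches signatures of several behaviors shows up as a mixed variant."""
    return sorted(name for name, sig in signatures.items()
                  if signature_matches(fcsg, sig))


# Constructed, deliberately small signature-FCSGs (hypothetical, not the paper's).
SIGNATURES = {
    "tcp_flood": build_fcsg(["socket", "connect", "send", "send"]),
    "port_scan": build_fcsg(["socket", "connect", "close", "socket"]),
}

# Constructed call sequence standing in for one extracted specimen.
SAMPLE_SEQUENCE = ["fork", "socket", "connect", "send", "send",
                   "close", "socket", "connect", "close", "socket"]

if __name__ == "__main__":
    specimen = build_fcsg(SAMPLE_SEQUENCE)
    print(matched_behaviors(specimen, SIGNATURES))   # ['port_scan', 'tcp_flood']
```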

Original language: English
Title of host publication: Proceedings of the 36th Annual ACM Symposium on Applied Computing, SAC 2021
Publisher: Association for Computing Machinery
Pages: 1674-1682
Number of pages: 9
ISBN (Electronic): 9781450381048
DOIs
Publication status: Published - Mar 22 2021
Event: 36th Annual ACM Symposium on Applied Computing, SAC 2021 - Virtual, Online, Korea, Republic of
Duration: Mar 22 2021 to Mar 26 2021

Publication series

Name: Proceedings of the ACM Symposium on Applied Computing

Conference

Conference: 36th Annual ACM Symposium on Applied Computing, SAC 2021
Country/Territory: Korea, Republic of
City: Virtual, Online
Period: 3/22/21 to 3/26/21

All Science Journal Classification (ASJC) codes

  • Software
