IoT Botnet Detection Using System Call Graphs and One-Class CNN Classification

With the rapid spread of IoT devices, the security risks in smart homes become clearer as more kinds of IoT botnet emerge. As machine learning has been applied to dynamic analysis, automatic detection of IoT botnet variants has made considerable progress. Some difficulties remain, however, and they affect the accuracy of the learned model: building a sandbox suited to the specific chip architectures IoT botnets target, capturing the full range of malicious behaviour, and imbalance in the dataset. In this paper, the authors introduce a method of detecting IoT botnets through the system calls of an executable file to address some of these difficulties. We modify a QEMU-based sandbox environment to collect more monitoring data and focus on the system-call behaviour of the malware. Using a CNN architecture combined with one-class classification and features extracted from the system call graph, the authors have built an IoT botnet detection model with an accuracy of up to 97% and an F-measure of 98.33%.
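The pipeline the abstract describes, from sandbox trace to system call graph to a one-class decision, as an added example that is not code from the paper. It assumes strace-style trace lines ("<pid> <syscall>(<args>) = <ret>") as the sandbox output, a fixed syscall vocabulary, and a centroid-plus-threshold one-class baseline standing in for the paper's one-class CNN; the benign and botnet traces are constructed for illustration, not captured from real samples.

```python
"""System-call graph features and a one-class baseline for IoT botnet traces.

Added example, not code from the paper. Assumes strace-style trace lines and
a fixed syscall vocabulary (VOCAB); traces below are constructed, not real.
"""
import math
import re
from collections import defaultdict

# One syscall per line, optional pid prefix. Lines such as "+++ exited with 0 +++"
# or "--- SIGCHLD ..." do not match and are ignored.
SYSCALL_RE = re.compile(r"^\s*(?:\d+\s+)?([a-z_][a-z0-9_]*)\(")

# Fixed vocabulary so every trace maps to the same feature shape (assumption).
VOCAB = ["open", "read", "write", "close", "nanosleep", "socket", "connect",
         "sendto", "recvfrom", "fork", "execve", "kill", "ioctl"]
IDX = {name: i for i, name in enumerate(VOCAB)}


def parse_trace(text):
    """Ordered syscall names from strace-style text."""
    return [m.group(1) for m in map(SYSCALL_RE.match, text.splitlines()) if m]


def build_call_graph(calls):
    """Directed graph: graph[a][b] counts how often b immediately follows a."""
    graph = defaultdict(lambda: defaultdict(int))
    for a, b in zip(calls, calls[1:]):
        graph[a][b] += 1
    return graph


def graph_features(graph):
    """Flatten the graph into a row-normalised adjacency matrix over VOCAB
    (transition probabilities). Syscalls outside VOCAB are dropped, but their
    edges still count towards the row total of a known predecessor."""
    n = len(VOCAB)
    vec = [0.0] * (n * n)
    for a, succ in graph.items():
        if a not in IDX:
            continue
        total = sum(succ.values())
        for b, w in succ.items():
            if b in IDX:
                vec[IDX[a] * n + IDX[b]] = w / total
    return vec


def trace_features(text):
    return graph_features(build_call_graph(parse_trace(text)))


def _dist(u, v):
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(u, v)))


def fit_profile(benign_traces, margin=1.5):
    """One-class baseline trained on benign traces only: the centroid of their
    feature vectors plus a threshold of margin * largest benign distance."""
    vecs = [trace_features(t) for t in benign_traces]
    centroid = [sum(col) / len(vecs) for col in zip(*vecs)]
    radius = max(_dist(v, centroid) for v in vecs)
    return centroid, radius * margin


def score(profile, trace):
    """Distance of a trace from the benign centroid, and whether it is flagged."""
    centroid, threshold = profile
    d = _dist(trace_features(trace), centroid)
    return d, d > threshold


def _lines(pid, calls):
    return "\n".join(f"{pid} {c}(0x1, 0x2) = 0" for c in calls)


# Constructed traces (not real sandbox output): two file-polling benign runs
# and one botnet-like run that repeatedly connects, sends, forks and kills.
BENIGN_TRACES = [
    _lines(101, ["open", "read", "read", "write", "close", "nanosleep",
                 "open", "read", "write", "close"]),
    _lines(102, ["open", "read", "read", "read", "write", "close", "nanosleep",
                 "open", "read", "write", "close"]),
]
BOTNET_TRACE = _lines(103, ["socket", "connect", "sendto", "recvfrom", "fork",
                            "execve", "socket", "connect", "sendto", "recvfrom",
                            "kill", "socket", "connect"])

if __name__ == "__main__":
    profile = fit_profile(BENIGN_TRACES)
    for name, t in [("benign", BENIGN_TRACES[0]), ("botnet", BOTNET_TRACE)]:
        d, flagged = score(profile, t)
        print(f"{name}: distance={d:.3f} flagged={flagged}")
```

The feature vector is a flattened transition matrix, which is the form a CNN can consume as a one-channel image; the centroid-and-radius rule only illustrates the one-class decision boundary (training on benign behaviour alone, flagging anything that falls outside it), and the margin is the knob that trades false positives against missed variants.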
