
Graph-Based Comparison of IoT and Android Malware

  • Hisham Alasmary
  • Afsah Anwar
  • Jeman Park
  • Jinchun Choi
  • Daehun Nyang
  • Aziz Mohaisen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11280)

Abstract

The growth in the number of Android and Internet of Things (IoT) devices has been accompanied by a parallel increase in the number of malicious software (malware) samples that run on both, affecting their ecosystems. Understanding this malware is therefore essential for its detection. In this work, we present a comparative study of Android and IoT malware through the lens of graph measures: we use the control flow graph (CFG) as an abstract structure representing each malware binary, and we conduct an in-depth analysis of the graphs extracted from Android and IoT malware. We reverse 2,874 IoT and 201 Android malware binaries, extract their CFGs, and analyze them across both general characteristics, such as the number of nodes and edges, and graph-algorithmic measures, such as average shortest path, betweenness, closeness, and density. Using the CFG as an abstract structure, we highlight several findings, such as the prevalence of unreachable code in Android malware, indicated by the multiple components in their CFGs, and the higher density, stronger closeness and betweenness, and larger number of nodes in Android malware compared to IoT malware, pointing to its higher order of complexity. We also note that the number of edges in Android malware is larger than in IoT malware, indicating a richer flow structure in those samples despite their structural simplicity (number of nodes). Most of these graph-based properties can be used as discriminative features for classification.
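The measures named in the abstract (node and edge counts, density, number of components as a signal of unreachable code, average shortest path, closeness, betweenness) can be computed over a CFG with a few dozen lines of pure Python. The block below is an added example, not code from the paper: the edge list SAMPLE_CFG is constructed by hand to imitate the basic-block graph a disassembler such as radare2 would emit, and the specific metric variants (directed density, out-closeness with Wasserman-Faust reachability scaling, Brandes betweenness) are standard textbook forms chosen here as an assumption, since the abstract does not state which definitions the authors used.

```python
# Added example (not the paper's code): CFG graph measures in pure Python.
# Metric variants are standard textbook forms, assumed rather than taken from the paper.
from collections import defaultdict, deque

# Constructed sample CFG as (src_block, dst_block) edges. Blocks 0..5 are the reachable
# body; blocks 6 and 7 form a second component that nothing reaches (unreachable code).
SAMPLE_CFG = [
    (0, 1), (0, 2),  # conditional branch at the entry block
    (1, 3), (2, 3),  # both arms rejoin at block 3
    (3, 4), (4, 3),  # loop between blocks 3 and 4
    (3, 5),          # loop exit into the return block
    (6, 7),          # dead-code component
]


def build_graph(edges):
    """Return (node set, out-adjacency) for a directed graph from unique edges."""
    adj = defaultdict(set)
    nodes = set()
    for u, v in edges:
        adj[u].add(v)
        nodes.update((u, v))
    return nodes, adj


def bfs_distances(adj, src):
    """Unweighted shortest-path distances from src, following edge direction."""
    dist, q = {src: 0}, deque([src])
    while q:
        u = q.popleft()
        for v in adj[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                q.append(v)
    return dist


def weakly_connected_components(nodes, edges):
    """Components ignoring edge direction; more than one signals unreachable code."""
    und = defaultdict(set)
    for u, v in edges:
        und[u].add(v)
        und[v].add(u)
    seen, count = set(), 0
    for start in nodes:
        if start not in seen:
            count += 1
            seen.update(bfs_distances(und, start))
    return count


def average_shortest_path(nodes, adj):
    """Mean distance over ordered pairs (u, v) with v reachable from u and v != u."""
    total = pairs = 0
    for u in nodes:
        for v, d in bfs_distances(adj, u).items():
            if v != u:
                total, pairs = total + d, pairs + 1
    return total / pairs if pairs else 0.0


def closeness(nodes, adj):
    """Out-closeness: (r / (n-1)) * (r / sum of distances), r = nodes reached from u."""
    n, out = len(nodes), {}
    for u in nodes:
        d = bfs_distances(adj, u)
        r, s = len(d) - 1, sum(d.values())
        out[u] = (r / (n - 1)) * (r / s) if s > 0 else 0.0
    return out


def betweenness(nodes, adj):
    """Brandes' algorithm: directed, unweighted, unnormalised betweenness."""
    bc = {v: 0.0 for v in nodes}
    for s in nodes:
        order, pred, sigma, dist = [], defaultdict(list), defaultdict(int), {s: 0}
        sigma[s], q = 1, deque([s])
        while q:  # forward BFS, counting shortest paths per node
            v = q.popleft()
            order.append(v)
            for w in adj[v]:
                if w not in dist:
                    dist[w] = dist[v] + 1
                    q.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    pred[w].append(v)
        delta = defaultdict(float)
        while order:  # back-propagate pair dependencies in reverse BFS order
            w = order.pop()
            for v in pred[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                bc[w] += delta[w]
    return bc


def cfg_features(edges):
    """Graph-level and node-level measures of the kind the abstract proposes as features."""
    nodes, adj = build_graph(edges)
    n = len(nodes)
    return {
        "nodes": n,
        "edges": len(edges),
        "density": len(edges) / (n * (n - 1)) if n > 1 else 0.0,  # directed density
        "components": weakly_connected_components(nodes, edges),
        "avg_shortest_path": average_shortest_path(nodes, adj),
        "closeness": closeness(nodes, adj),
        "betweenness": betweenness(nodes, adj),
    }
```

On the sample graph, `cfg_features(SAMPLE_CFG)` reports two weakly connected components (the dead blocks 6 and 7), a directed density of 8/56, and block 3, the join point and loop head, with by far the highest betweenness; block 5 (a return block with no successors) has zero out-closeness. To turn real binaries into the same feature vector, replace SAMPLE_CFG with the basic-block edges exported by the disassembler, one graph per function or per binary as the analysis requires.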

Keywords

Malware, Android, IoT, Graph analysis

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. University of Central Florida, Orlando, USA
  2. Inha University, Incheon, Republic of Korea
