Publication Type
Journal Article
Version
acceptedVersion
Publication Date
5-2024
Abstract
With the widespread use of Internet of Things (IoT) devices, malware detection has become a hot spot for both academic and industrial communities. Existing approaches can be roughly categorized into network-side and host-side. However, existing network-side methods struggle to capture contextual semantics from cross-source traffic, and previous host-side methods can be perceived by the adversary and are therefore exposed to tampering. More importantly, a single perspective cannot comprehensively track the multi-stage lifecycle of IoT malware. In this paper, we present CMD, a co-analyzed IoT malware detection and forensics system that combines the hardware and network domains. For the network part, CMD proposes a tailored capsule neural network to capture the contextual semantics from cross-source traffic. For the hardware part, CMD designs an entire file-operation recovery process in a side-channel manner by leveraging the Serial Peripheral Interface (SPI) signals from on-chip traces. This traffic-provenance and operation-log information can benefit the anti-virus countermeasures of security practitioners. By practical evaluation, we demonstrate that CMD achieves outstanding detection performance (e.g., ∼99.88% F1-score) compared with seven state-of-the-art methods, and recovers 96.88%∼99.75% of operation commands even against adaptive adversaries (that could kill processes or tamper with operation log files). A by-product benefit of such an external monitor is that CMD introduces zero latency on the IoT device and incurs negligible IoT CPU utilization. Also, since SPI focuses on file operations, the proposed hardware trace forensics does not have the data explosion problem of previous work; e.g., the recovered logs of CMD take up only limited extra space (∼0.2 MB per malware). Furthermore, we provide model interpretability for the capsule network and develop a case study (Hajime) of the operation log recovery.
Keywords
Forensic analysis, IoT malware detection, multi-stage lifecycle, SPI bus
Discipline
Information Security
Research Areas
Cybersecurity
Publication
IEEE Transactions on Mobile Computing
Volume
23
Issue
5
First Page
5589
Last Page
5603
ISSN
1536-1233
Identifier
10.1109/TMC.2023.3311012
Publisher
Institute of Electrical and Electronics Engineers
Citation
ZHAO, Ziming; LI, Zhaoxuan; YU, Jiongchi; ZHANG, Fan; XIE, Xiaofei; XU, Haitao; and CHEN, Binbin.
CMD: Co-analyzed IoT malware detection and forensics via network and hardware domains. (2024). IEEE Transactions on Mobile Computing. 23, (5), 5589-5603.
Available at: https://ink.library.smu.edu.sg/sis_research/8740
Copyright Owner and License
Authors
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.
Additional URL
https://doi.org/10.1109/TMC.2023.3311012