Publication Type

Conference Proceeding Article

Version

publishedVersion

Publication Date

6-2024

Abstract

Current methods for classifying IoT malware predominantly utilize binary and family classifications. However, these outcomes lack the detailed granularity to describe malicious behavior comprehensively. This limitation poses challenges for security analysts, failing to support further analysis and timely preventive actions. To achieve fine-grained malicious behavior identification in the lurking stage of IoT malware, we propose MaGraMal. This approach, leveraging masked graph representation, supplements traditional classification methodology, empowering analysts with critical insights for rapid responses. Through the empirical study, which took three person-months, we identify and summarize four fine-grained malicious behaviors during the lurking stage, constructing an annotated dataset. Our evaluation of 224 algorithm combinations results in an optimized model for IoT malware, achieving an accuracy of 75.83%. The maximum improvement brought by the hybrid features and graph masking achieves 5% and 4.16%, respectively. The runtime overhead analysis showcases MaGraMal’s superiority over the existing dynamic analysis-based detection tool (12x faster). This pioneering work combines machine learning and static features for malicious behavior profiling.

Keywords

IoT malware, Malicious behavior detection, Masked Graph Embedding, Multi-label classification

Discipline

Information Security

Areas of Excellence

Digital transformation

Publication

LCTES 2024: Proceedings of the 25th ACM SIGPLAN/SIGBED International Conference on Languages, Compilers, and Tools for Embedded Systems (LCTES ’24), June 24, Copenhagen

First Page

95

Last Page

106

ISBN

9798400706165

Identifier

10.1145/3652032.3657577

Publisher

Association for Computing Machinery

City or Country

Copenhagen

Creative Commons License

Creative Commons Attribution 3.0 License
This work is licensed under a Creative Commons Attribution 3.0 License.

Additional URL

https://doi.org/10.1145/3652032.3657577
