CMD: Co-analyzed IoT malware detection and forensics via network and hardware domains

With the widespread use of Internet of Things (IoT) devices, malware detection has become a hot spot for both academic and industrial communities. Existing approaches can be roughly categorized into network-side and host-side. However, existing network-side methods struggle to capture contextual semantics from cross-source traffic, and previous host-side methods can be perceived by the adversary and are exposed to tampering. More importantly, a single perspective cannot comprehensively track the multi-stage lifecycle of IoT malware. In this paper, we present CMD, a co-analyzed IoT malware detection and forensics system that combines the hardware and network domains. For the network part, CMD proposes a tailored capsule neural network to capture the contextual semantics from cross-source traffic. For the hardware part, CMD designs an entire file operation recovery process in a side-channel manner by leveraging the Serial Peripheral Interface (SPI) signals from on-chip traces. This traffic provenance and operation log information can benefit the anti-virus countermeasures of security practitioners. By practical evaluation, we demonstrate that CMD realizes outstanding detection effects (e.g., ~99.88% F1-score) compared with seven state-of-the-art methods, and recovers 96.88% to 99.75% of operation commands even against adaptive adversaries (that could kill processes or tamper with operation log files). A by-product benefit of such an external monitor is that CMD introduces zero latency on the IoT device and incurs negligible IoT CPU utilization. Also, since SPI focuses on file operations, the proposed hardware trace forensics does not suffer the data explosion problem of previous work, e.g., the recovered logs of CMD only take up limited extra space (e.g., ~0.2 MB per malware). Furthermore, we provide model interpretability for the capsule network and develop a case study (Hajime) of the operation log recovery.
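The hardware-side idea in the abstract is that a passive tap on the SPI lines sees every read, program and erase the storage controller issues, so an attacker who kills the logging process or wipes a log file on the host cannot remove the bus-level record. The following decoder is an added illustration of that idea and is not code from the CMD paper or its authors: it parses constructed SPI NOR flash frames (the JEDEC-style opcodes used by common parts such as W25Q/MX25L series) into storage events and tracks the write-enable latch, which a chip requires before any program or erase. The opcode table, the `recover_operations` and `modified_regions` helpers, and the sample capture are all assumptions made for this example; mapping recovered flash regions back to files requires the device's filesystem layout and is not shown.

```python
"""Decode SPI NOR flash frames captured on the bus into storage events.

Added illustration, not the CMD decoder. A frame is everything clocked while
CS# is asserted: MOSI carries opcode, address and programmed data, MISO
carries data the chip returns. Both lanes are sampled on every clock, so a
capture yields equal-length MOSI/MISO byte strings per frame.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# opcode -> (mnemonic, address bytes, dummy bytes, payload direction)
# "out": host clocks data after the address (program); "in": chip answers on
# MISO (read); None: no payload. Standard 3-byte-address command set.
OPCODES = {
    0x06: ("WREN", 0, 0, None),
    0x04: ("WRDI", 0, 0, None),
    0x05: ("RDSR", 0, 0, "in"),
    0x9F: ("RDID", 0, 0, "in"),
    0x03: ("READ", 3, 0, "in"),
    0x0B: ("FAST_READ", 3, 1, "in"),
    0x02: ("PAGE_PROGRAM", 3, 0, "out"),
    0x20: ("SECTOR_ERASE_4K", 3, 0, None),
    0xD8: ("BLOCK_ERASE_64K", 3, 0, None),
    0xC7: ("CHIP_ERASE", 0, 0, None),
}
MODIFYING = {"PAGE_PROGRAM", "SECTOR_ERASE_4K", "BLOCK_ERASE_64K", "CHIP_ERASE"}


@dataclass
class FlashEvent:
    op: str
    address: Optional[int]
    length: int             # payload bytes read or programmed
    data: bytes             # bytes written (empty for reads and erases)
    effective: bool = True  # False when the chip would drop it (WEL clear)


def decode_frame(mosi: bytes, miso: bytes) -> FlashEvent:
    """Decode one CS#-asserted frame into a FlashEvent."""
    if not mosi or len(mosi) != len(miso):
        raise ValueError("malformed frame")
    opcode = mosi[0]
    if opcode not in OPCODES:
        return FlashEvent("UNKNOWN_0x%02X" % opcode, None, len(mosi) - 1, b"")
    name, addr_len, dummy, direction = OPCODES[opcode]
    hdr = 1 + addr_len + dummy
    if len(mosi) < hdr:
        raise ValueError(f"{name}: truncated frame ({len(mosi)} bytes)")
    address = int.from_bytes(mosi[1:1 + addr_len], "big") if addr_len else None
    if direction == "out":
        payload = bytes(mosi[hdr:])
        return FlashEvent(name, address, len(payload), payload)
    if direction == "in":
        return FlashEvent(name, address, len(miso) - hdr, b"")
    return FlashEvent(name, address, 0, b"")


def recover_operations(frames: List[Tuple[bytes, bytes]]) -> List[FlashEvent]:
    """Decode a capture and track the write-enable latch (WEL): program/erase
    without a preceding WREN is ignored by SPI NOR parts, and the latch clears
    after every accepted program/erase, so each modification needs its own WREN."""
    events: List[FlashEvent] = []
    wel = False
    for mosi, miso in frames:
        ev = decode_frame(mosi, miso)
        if ev.op == "WREN":
            wel = True
        elif ev.op == "WRDI":
            wel = False
        elif ev.op in MODIFYING:
            ev.effective = wel
            wel = False
        events.append(ev)
    return events


def modified_regions(events: List[FlashEvent]) -> List[Tuple[str, Optional[int], Optional[int]]]:
    """(op, start address, size) of every change that actually reached the flash."""
    sizes = {"PAGE_PROGRAM": None, "SECTOR_ERASE_4K": 4096,
             "BLOCK_ERASE_64K": 65536, "CHIP_ERASE": None}
    out = []
    for ev in events:
        if ev.effective and ev.op in MODIFYING:
            size = ev.length if ev.op == "PAGE_PROGRAM" else sizes[ev.op]
            out.append((ev.op, ev.address, size))
    return out


def _frame(mosi: bytes, miso: bytes = b"") -> Tuple[bytes, bytes]:
    """Pad the idle lane so both lanes have one byte per clocked byte."""
    n = max(len(mosi), len(miso))
    return mosi.ljust(n, b"\x00"), miso.ljust(n, b"\x00")


# Constructed capture (assumption, not real device data): a dropper programs an
# ELF header at 0x010000, erases the 4 KB sector holding a log file at 0x020000,
# polls status, reads its payload back, then issues a program without WREN.
SAMPLE_CAPTURE = [
    _frame(b"\x06"),
    _frame(b"\x02\x01\x00\x00" + b"\x7fELF\x01\x01\x01\x00"),
    _frame(b"\x06"),
    _frame(b"\x20\x02\x00\x00"),
    _frame(b"\x05", miso=b"\x00\x00"),
    _frame(b"\x03\x01\x00\x00" + b"\x00" * 8, miso=b"\x00" * 4 + b"\x7fELF\x01\x01\x01\x00"),
    _frame(b"\x02\x03\x00\x00" + b"\xde\xad"),   # WEL clear: chip ignores it
]

if __name__ == "__main__":
    for ev in recover_operations(SAMPLE_CAPTURE):
        addr = f"0x{ev.address:06X}" if ev.address is not None else "-"
        note = "" if ev.effective else "  (ignored: WEL clear)"
        print(f"{ev.op:16s} addr={addr} len={ev.length}{note}")
```

The WEL tracking is the check a practitioner wants here: a decoder that records every PAGE_PROGRAM it sees would attribute writes to the adversary that the chip never committed, while one that honours the latch reports only the two changes that actually landed (the 8-byte program and the sector erase).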

Bibliographic Details
Main Authors: ZHAO, Ziming, LI, Zhaoxuan, YU, Jiongchi, ZHANG, Fan, XIE, Xiaofei, XU, Haitao, CHEN, Binbin
Format: text
Language: English
Published: Institutional Knowledge at Singapore Management University 2024
Subjects: Forensic analysis; IoT malware detection; multi-stage lifecycle; SPI bus; Information Security
Online Access: https://ink.library.smu.edu.sg/sis_research/8740
https://ink.library.smu.edu.sg/context/sis_research/article/9743/viewcontent/CMD_av.pdf
DOI: 10.1109/TMC.2023.3311012
License: http://creativecommons.org/licenses/by-nc-nd/4.0/
Collection: Research Collection School Of Computing and Information Systems, InK@SMU (SMU Libraries)
Date Available: 2024-05-01
Institution: Singapore Management University