Efficient Signature Generation for Classifying Cross-Architecture IoT Malware

Internet-of-Things (IoT) devices are increasingly targeted by adversaries due to their unique characteristics such as constant online connection, lack of protection, and full integration in people's daily life. As attackers shift their targets towards IoT devices, malware has been developed to compromise IoT devices equipped with different CPU architectures. While malware detection has been a well-studied area for desktop PCs, heterogeneous processor architecture in IoT devices brings in unique challenges. Existing approaches utilize static or dynamic binary analysis for identifying malware characteristics, but they all fall short when dealing with IoT malware compiled for different architectures. In this paper, we propose an efficient signature generation method for IoT malware, which generates distinguishable signatures based on high-level structural, statistical and string feature vectors, as high-level features are more robust against code variations across different architectures. The generated signatures for each malware family can be used for developing lightweight malware detection tools to secure IoT devices. Extensive experiments with two datasets of 5,150 recent IoT malware samples show that our scheme can achieve 95.5% detection rate with 0% false positive rate. Moreover, the proposed scheme can achieve 85.2% detection rate in detecting novel IoT malware.