
Student: 馬聖豪 (Sheng-Hao Ma)
Thesis title: 基於程序模擬與詞嵌入之物聯網惡意程式的主動防禦
Active Protection against IoT Malware Using Process Emulation and Word Embedding
Advisor: 鄭欣明 (Shin-Ming Cheng)
Committee members: 李漢銘 (Hahn-Ming Lee), 黃俊穎 (Chun-Ying Huang), 蕭旭君 (Hsu-Chun Hsiao), 游家牧 (Chia-Mu Yu)
Degree: Master
Department: College of Electrical Engineering and Computer Science - Department of Computer Science and Information Engineering
Year of publication: 2020
Graduation academic year: 108
Language: English
Pages: 29
Chinese keywords (translated): antivirus software, active protection, process emulation, IoT, IoT malware, malware analysis, neural network
Foreign-language keywords: anti-virus, active protection system, emulation, IoT, IoT malware, malware analysis, neural network
Views: 417; Downloads: 0
  • Unlike the approach of the existing antivirus industry, which relies on intrusive monitoring of the operating system together with static signature scanning based on YARA and similar tools, we propose a new protection concept deployed on an IoT router or gateway. With its superior computing power, such a system can monitor network traffic and, using built-in rules, block malware in real time from passing through the gateway and infecting the IoT devices on the internal network.
    This thesis studies the source code and connection traffic of currently prevalent worm programs and proposes, for the needs of the IoT, a new active protection system that counters worm infection in real time. Its distinguishing feature is that it actively identifies suspicious executable-file transfers in the connection traffic and emulates the transferred file in real time, using the widely used Qiling emulation engine, to obtain a sequence of assembly instructions. Drawing on experience in reverse engineering malware, we extract meaningful features from the instruction sequence and then apply the Asm2Vec neural network model to judge the similarity between the executed instruction sequence and known malware behaviour.
    Our experiments show that training the neural network on a very small number of samples is enough to correctly capture the latent semantics that instructions carry in malware, and that applying this model to malware identification yields better accuracy than existing methods. The method can therefore be deployed on an IoT gateway or router to effectively stop known malware and its variants from infecting devices on the internal network.


    Instead of directly applying antivirus or YARA approaches to IoT end devices, current security protection is typically achieved at IoT intermediate nodes such as an IoT gateway or router. With much more powerful computation and storage capability, an IoT gateway can monitor inbound and outbound traffic and block malicious traffic with predefined signatures, so that the IoT end devices inside the local network are protected. This thesis proposes an active protection system for IoT malware at the IoT gateway that analyzes both malicious traffic and the malware payload. In particular, the suspicious command is identified and the malware is downloaded into a process-level Qiling-based emulation environment, where it is executed so that its assembly instruction sequence can be retrieved. Based on experience in reverse engineering, we select representative features from the assembly instruction sequence and apply Asm2Vec to determine malware similarity. The experimental results show that the learned semantic relationship outperforms existing methods in terms of identification accuracy. As a result, malicious traffic containing malware variants can be efficiently blocked at the IoT gateway, so that the internal IoT devices are protected.

    Chinese Abstract
    Abstract
    Table of Contents
    List of Tables
    List of Illustrations
    1 Introduction
    2 Related Work
    2.0.1 Traditional methods of comparing binary similarity
    2.0.2 Methods based on Word Embedding
    3 System
    3.1 Monitoring Remote Services
    3.2 Behavior Simulation
    3.2.1 Simulation
    3.2.2 fork
    3.2.3 Halting Problem
    3.3 Feature Extraction
    3.4 Neural Network Model
    3.4.1 Asm2Vec model
    4 Experiment
    5 Conclusion
    References


    Full text available from 2025/08/20 (campus network)
    Full text not authorized for public release (off-campus network)
    Full text not authorized for public release (National Central Library: Taiwan thesis and dissertation system)