
Student: 萬子綾 (Tzu-Ling Wan)
Title: IoT Malware Detection and Family Classification Based on Byte Sequences from Entry Point
Chinese title: 基於從入口點的位元序列之物聯網惡意軟體辨識與家族分類
Advisor: 鄭欣明 (Shin-Ming Cheng)
Committee members: 李漢銘 (Hahn-Ming Lee), 黃俊穎 (Chun-Ying Huang), 蕭旭君 (Hsu-Chun Hsiao), 游家牧 (Chia-Mu Yu)
Degree: Master
Department: 電資學院 - 資訊工程系 (College of Electrical Engineering and Computer Science, Department of Computer Science and Information Engineering)
Year of publication: 2020
Academic year of graduation: 108 (ROC calendar, i.e. 2019-2020)
Language: English
Pages: 44
Keywords (Chinese, translated): IoT, malware analysis, static analysis, machine learning
Keywords (English): IoT malware, malware analysis, static analysis, machine learning
Abstract (Chinese, translated): Because Internet of Things (IoT) devices perform only a narrow set of operations, the IoT is an easy target for malware. To understand the behaviour of IoT malware and mitigate attacks, static analysis of the malware's code is one feasible approach. However, existing studies that use opcodes or control-flow graphs do not consider multiple CPU architectures and consume a great deal of computing resources. This thesis extracts binary features starting from the entry point of ELF files and builds an effective machine learning method for detection and classification. Because the byte sequence at the entry point represents the program's primary actions, malware is easy to separate from benign programs. Our dataset covers seven CPU architectures and contains about 110,000 benign programs and 120,000 malware samples. The experimental results show that the method reaches 99.9% accuracy in distinguishing benign from malicious programs and 98.4% accuracy in identifying eight malware families. Moreover, within a single CPU architecture we can use far fewer features while still maintaining high performance.


Abstract (English): The simple implementations and monotonous operation of Internet of Things (IoT) devices make them vulnerable to malware attacks. To understand the behaviour of IoT malware and mitigate it, static analysis of the malware's code is a feasible approach. However, current approaches based on opcodes or call graphs do not account for the diversity of CPU architectures and are resource-consuming. In this thesis, we propose an efficient machine learning method for detection and family classification based on static binary features extracted from the entry point of ELF files. Byte sequences taken from the entry point are easy to separate between malware and benignware because they represent the primary actions of the software. Our experiment considers 111K benignware and 124K malware samples from the real world across seven CPU architectures. The results show that the proposed method achieves 99.9% accuracy for detection and 98.4% accuracy for classification into eight malware families. Additionally, within a single CPU architecture, SVM maintains high performance with far fewer features.
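The entry-point extraction the abstract describes, as an added example that is not the thesis's own code: it parses the ELF header and program headers for both 32- and 64-bit files in either byte order (so one extractor covers the mixed-architecture dataset), translates the virtual entry address to a file offset through the PT_LOAD segment that contains it, and returns the first N bytes found there. The two sample ELF images are constructed in memory by the example itself (their code bytes are arbitrary illustrative instruction encodings, not real malware); the fixed length N, the zero-padding for short files, and the 256-bin byte histogram are assumptions, since the page does not state the exact feature encoding the thesis uses.

```python
"""Extract the byte sequence starting at an ELF file's entry point.

Added example (not the thesis's code). Handles ELF32/ELF64 and both byte
orders, so one extractor covers the ARM, MIPS, PowerPC, x86 and other
architectures that appear in mixed IoT datasets.
"""
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1
EM_MIPS, EM_X86_64 = 8, 62  # e_machine values from the ELF specification


def parse_elf_header(data: bytes) -> dict:
    """Return the header fields needed to locate the entry point."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported ELF class or data encoding")
    end = "<" if ei_data == 1 else ">"   # 1 = little endian, 2 = big endian
    if ei_class == 1:                     # ELF32: 32-bit e_entry / e_phoff / e_shoff
        fmt = end + "HHIIIIIHHHHHH"
    else:                                 # ELF64: 64-bit e_entry / e_phoff / e_shoff
        fmt = end + "HHIQQQIHHHHHH"
    if len(data) < 16 + struct.calcsize(fmt):
        raise ValueError("truncated ELF header")
    (_type, e_machine, _ver, e_entry, e_phoff, _shoff, _flags, _ehsize,
     e_phentsize, e_phnum, *_rest) = struct.unpack_from(fmt, data, 16)
    return {"bits": 32 if ei_class == 1 else 64, "end": end,
            "e_machine": e_machine, "e_entry": e_entry, "e_phoff": e_phoff,
            "e_phentsize": e_phentsize, "e_phnum": e_phnum}


def entry_file_offset(data: bytes) -> int:
    """Translate the virtual entry address into a file offset via the PT_LOAD segments."""
    h = parse_elf_header(data)
    fmt = h["end"] + ("IIIIIIII" if h["bits"] == 32 else "IIQQQQQQ")
    for i in range(h["e_phnum"]):
        fields = struct.unpack_from(fmt, data, h["e_phoff"] + i * h["e_phentsize"])
        if h["bits"] == 32:   # p_type, p_offset, p_vaddr, p_paddr, p_filesz, ...
            p_type, p_offset, p_vaddr, _, p_filesz = fields[:5]
        else:                 # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, ...
            p_type, _, p_offset, p_vaddr, _, p_filesz = fields[:6]
        if p_type == PT_LOAD and p_vaddr <= h["e_entry"] < p_vaddr + p_filesz:
            return p_offset + (h["e_entry"] - p_vaddr)
    raise ValueError("entry point is not inside any PT_LOAD segment")


def entry_bytes(data: bytes, n: int = 64) -> bytes:
    """First n bytes at the entry point; zero-padded if the file ends early (assumed policy)."""
    off = entry_file_offset(data)
    return data[off:off + n].ljust(n, b"\x00")


def byte_histogram(seq: bytes) -> list:
    """256-bin byte frequency vector: one assumed encoding of the entry byte sequence."""
    counts = [0] * 256
    for b in seq:
        counts[b] += 1
    return counts


def build_elf(bits: int, big_endian: bool, machine: int, code: bytes,
              base: int = 0x400000, code_off: int = 0x100) -> bytes:
    """Construct a minimal ELF image: one PT_LOAD segment mapping the whole file at `base`."""
    end = ">" if big_endian else "<"
    ehsize, phentsize = (52, 32) if bits == 32 else (64, 56)
    size = code_off + len(code)
    ident = ELF_MAGIC + bytes([1 if bits == 32 else 2, 2 if big_endian else 1, 1]) + b"\x00" * 9
    # e_type=EXEC, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    hdr = (2, machine, 1, base + code_off, ehsize, 0, 0, ehsize, phentsize, 1, 0, 0, 0)
    if bits == 32:
        ehdr = ident + struct.pack(end + "HHIIIIIHHHHHH", *hdr)
        phdr = struct.pack(end + "IIIIIIII", PT_LOAD, 0, base, base, size, size, 5, 0x1000)
    else:
        ehdr = ident + struct.pack(end + "HHIQQQIHHHHHH", *hdr)
        phdr = struct.pack(end + "IIQQQQQQ", PT_LOAD, 5, 0, base, base, size, size, 0x1000)
    img = ehdr + phdr
    return img + b"\x00" * (code_off - len(img)) + code


# Constructed samples: the code bytes are illustrative instruction encodings, not real malware.
SAMPLES = {
    "x86_64-le": build_elf(64, False, EM_X86_64, bytes.fromhex("554889e5") + b"\x90" * 12),
    "mips-be": build_elf(32, True, EM_MIPS, bytes.fromhex("3c1c000427bdffe0afbf001c") + b"\x00" * 4),
}

if __name__ == "__main__":
    for name, img in SAMPLES.items():
        print(name, hex(entry_file_offset(img)), entry_bytes(img, 16).hex())
```

The virtual-to-file translation matters in practice: many IoT samples are packed or have a non-zero load base, so reading the bytes at `e_entry` as if it were a file offset yields the wrong sequence. A practitioner would also want to reject samples whose entry falls outside every PT_LOAD segment, which this extractor does by raising instead of silently returning header bytes.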

Table of Contents:
    Chinese Abstract
    Abstract
    Table of Contents
    List of Tables
    List of Illustrations
    1 Introduction
    2 Background and Related Work
        2.1 IoT malware
        2.2 Malware detection
            2.2.1 Operation Code (opcode)
            2.2.2 Graph-based features
            2.2.3 Others
        2.3 Byte sequences in static analysis
        2.4 Entry Point
    3 Methodology
        3.1 Data collection
        3.2 Feature extraction
        3.3 Classification methods
    4 Experiment
        4.1 Dataset
        4.2 Visualization
        4.3 Parameter Tuning
        4.4 Evaluation Metrics
        4.5 Numerical Result
            4.5.1 IoT Malware Detection
            4.5.2 Family classification
            4.5.3 CPU-Specific Results
    5 Discussion
        5.1 Comparison with Related Work
        5.2 Limitation on Malware Family Classification
    6 Conclusion
    References


Full text public release date: 2025/08/20 (campus network)
Full text public release date: 2025/08/20 (off-campus network)
Full text public release date: 2025/08/20 (National Central Library: Taiwan NDLTD system)