Research on IoT Anti-malware Technology beyond CPU Architectures
Project/Area Number | 22K12038 |
Research Category | Grant-in-Aid for Scientific Research (C) |
Allocation Type | Multi-year Fund |
Section | General |
Review Section | Basic Section 60070: Information security-related |
Research Institution | National Institute of Information and Communications Technology |
Principal Investigator | 班 涛 (Tao Ban), National Institute of Information and Communications Technology, Cybersecurity Research Institute, Senior Researcher (80462878) |
Project Period (FY) | 2022-04-01 – 2025-03-31 |
Project Status | Granted (Fiscal Year 2023) |
Budget Amount |
¥4,160,000 (Direct Cost: ¥3,200,000, Indirect Cost: ¥960,000)
Fiscal Year 2024: ¥650,000 (Direct Cost: ¥500,000, Indirect Cost: ¥150,000)
Fiscal Year 2023: ¥650,000 (Direct Cost: ¥500,000, Indirect Cost: ¥150,000)
Fiscal Year 2022: ¥2,860,000 (Direct Cost: ¥2,200,000, Indirect Cost: ¥660,000)
|
Keywords | IoT malware analysis / IoT security / static analysis / packer / explainable AI / machine learning / graph embedding / function call graph / malware analysis / IoT malware / CPU architecture |
Outline of Research at the Start |
The diversity of CPU architectures and the resource constraints of IoT devices render conventional protection schemes impractical, hindering both malware precautions and countermeasures. In this proposal, we integrate advanced machine learning methods with security domain knowledge to implement a practical IoT malware detection and prevention scheme that meets the requirements on accuracy, computational and resource efficiency, adaptability to various application scenarios, and robustness against new attacks.
|
Outline of Annual Research Achievements |
In FY 2023, we advanced research on malware protection compatible across CPU architectures and on resilience against cyberattacks. Details:
(1) Our research on employing explainable AI to identify the unique characteristics of malware families was successfully concluded. We proposed the Color-coded Attribute Graph for intuitive and accurate malware analysis, which garnered significant attention in the cybersecurity community.
(2) Our exploration of detecting IoT malware in packed samples has provided valuable insights. By analyzing trends in packed malware on VirusTotal and overcoming the challenges posed by reverse-engineering tools, we developed a robust solution involving feature selection and automated malware classification, shedding light on how to detect packed IoT malware accurately and efficiently. It is poised to significantly enhance the overall security of IoT devices.
(3) With a keen focus on efficiency on resource-constrained devices and on cross-platform compatibility, we delved deeper into methods for analyzing IoT malware using printable strings extracted from binary files. Our extensive validation confirmed the effectiveness of these methods, paving the way for more robust malware detection techniques in the future.
|
Current Status of Research Progress |
2: Research has progressed on the whole more than it was originally planned.
Reason
In this FY, our primary objective of analyzing IoT malware across CPU architectures yielded the expected results: 1 conference paper accepted, 2 in preparation. Side research on packed malware faced slight delays; 1 paper was withdrawn due to insufficient data, prompting further investigation.
(1) Research on XAI for IoT malware analysis was successfully concluded, resulting in 1 international conference paper.
(2) Work on printable-string-based malware detection is ongoing, using effective suffix-tree-based string processing methods, with 2 papers in preparation.
(3) New research has started on reinterpreting opcodes as system calls for malware samples without symbol tables, aiming at CPU-architecture-compatible analysis through a transition from opcode-level to system-call-level analysis.
|
Strategy for Future Research Activity |
In the concluding year of this project, our goal is to craft a pragmatic and precise malware detection system tailored for widespread IoT devices by integrating the accumulated findings. Specifically, we aim to:
(1) Enhance malware detection based on printable strings, refining classification accuracy and lessening reliance on system resources.
(2) Conclude our investigation of text-processing methods grounded in suffix trees, fine-tuning parameters for effective analysis of IoT-related malware.
(3) Finalize our exploration of reinterpreting opcodes as system calls, enhancing malware analysis and ensuring compatibility across platforms.
(4) Continue monitoring the evolving trends of packed programs within IoT malware, ensuring proactive measures against forthcoming threats.
|
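The printable-string, suffix-tree-based analysis referred to in the achievements and strategy above, as an added example (not the project's own code or method): it extracts printable strings from three constructed byte blobs standing in for stripped binaries (the same string material paired with ARM, MIPS and x86-64 instruction bytes, all constructed here), hashes them into a fixed-size feature vector so the model size does not depend on vocabulary, classifies by nearest prototype, and uses a suffix array with adjacent-suffix matching, a close relative of suffix-tree processing, to find the longest substring two samples share. The family label, bucket count and sample strings are assumptions for illustration.

```python
"""Triage IoT binaries by printable strings, independent of CPU architecture.

Added example, not the project's code. The three blobs below are constructed
stand-ins for stripped binaries: shared string material next to different
(ARM / MIPS / x86-64) instruction bytes.
"""
from __future__ import annotations

import hashlib
import math
import re

MIN_LEN = 4      # like `strings -n 4`
N_BUCKETS = 64   # hashed bag-of-strings dimension (assumed; tune per corpus)


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> list:
    """Printable ASCII runs of at least min_len bytes, in file order.

    Architecture-agnostic because no instruction is ever decoded.
    """
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def string_features(strings, n_buckets: int = N_BUCKETS) -> list:
    """Feature hashing: count each string in a fixed-size bucket vector."""
    vec = [0.0] * n_buckets
    for s in strings:
        h = int.from_bytes(hashlib.sha256(s.encode("ascii")).digest()[:4], "big")
        vec[h % n_buckets] += 1.0
    return vec


def cosine(u, v) -> float:
    dot = sum(a * b for a, b in zip(u, v))
    nu = math.sqrt(sum(a * a for a in u))
    nv = math.sqrt(sum(b * b for b in v))
    return dot / (nu * nv) if nu and nv else 0.0


def nearest_label(vec, prototypes: dict) -> str:
    """Nearest-prototype classification by cosine similarity."""
    return max(prototypes, key=lambda label: cosine(vec, prototypes[label]))


def longest_common_substring(a: str, b: str) -> str:
    """Longest substring shared by a and b via a suffix array over a+sep+b.

    Adjacent suffixes in sorted order share the longest prefixes, so one pass
    over neighbouring pairs from different samples finds the answer. The sort
    is the simple O(n^2 log n) form for small inputs.
    """
    sep = "\x00"  # never produced by extract_strings, so it cannot be matched
    text = a + sep + b
    n = len(text)
    sa = sorted(range(n), key=lambda i: text[i:])
    best = ""
    for x, y in zip(sa, sa[1:]):
        if (x < len(a)) == (y < len(a)):
            continue  # both suffixes come from the same sample
        k, lim = 0, min(n - x, n - y)
        while k < lim and text[x + k] == text[y + k] and text[x + k] != sep:
            k += 1
        if k > len(best):
            best = text[x:x + k]
    return best


def _blob(code: bytes, strings) -> bytes:
    """Constructed stand-in binary: code bytes, then a NUL-separated string table."""
    return code * 4 + b"\x00" + b"\x00".join(s.encode("ascii") for s in strings) + b"\x00"


# Constructed strings: a "bot" set sharing an HTTP payload, and a benign tool set.
_BOT_COMMON = ["/bin/busybox", "GET /index.html HTTP/1.1", "User-Agent: Mozilla/5.0"]
SAMPLE_ARM = _blob(b"\x04\x70\xa0\xe3\x00\x00\x00\xef",     # mov r7,#4 ; svc 0
                   _BOT_COMMON + ["/proc/net/tcp", "ENABLE"])
SAMPLE_MIPS = _blob(b"\x24\x02\x0f\xa4\x00\x00\x00\x0c",    # li v0,4004 ; syscall
                    _BOT_COMMON + ["/proc/net/route", "ENABLE"])
SAMPLE_BENIGN = _blob(b"\xb8\x01\x00\x00\x00\x0f\x05",      # mov eax,1 ; syscall
                      ["Usage: %s [options]", "/etc/resolv.conf", "Copyright (C) 2020"])


def triage() -> dict:
    """Run the pipeline over the constructed samples and return the findings."""
    feats = {name: string_features(extract_strings(blob)) for name, blob in
             (("arm", SAMPLE_ARM), ("mips", SAMPLE_MIPS), ("benign", SAMPLE_BENIGN))}
    prototypes = {"bot-family": feats["arm"], "benign": feats["benign"]}  # assumed labels
    shared = longest_common_substring("\n".join(extract_strings(SAMPLE_ARM)),
                                      "\n".join(extract_strings(SAMPLE_MIPS)))
    return {
        "sim_arm_mips": cosine(feats["arm"], feats["mips"]),
        "sim_arm_benign": cosine(feats["arm"], feats["benign"]),
        "mips_label": nearest_label(feats["mips"], prototypes),
        "shared": shared,
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value!r}")
```

Feature hashing gives a fixed-size model whatever the string vocabulary, which is what makes the approach cheap enough for a constrained device; over a real corpus the quadratic suffix sort would be replaced by a linear-time suffix array or suffix tree. Strings are a cheap, architecture-independent feature precisely because they need no disassembler, but a packer or string obfuscation removes them from the unpacked image, which is why the packed-sample work above is a separate track.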
Report | (2 results) |
Research Products | (5 results) |