
2022 Fiscal Year Research-status Report

Research on IoT Anti-malware Technology beyond CPU Architectures

Research Project

Project/Area Number 22K12038
Research Institution: National Institute of Information and Communications Technology

Principal Investigator

班 涛, National Institute of Information and Communications Technology, Cybersecurity Research Institute, Senior Researcher (80462878)

Project Period (FY) 2022-04-01 – 2025-03-31
Keywords: IoT malware analysis / static analysis / graph embedding / Explainable AI / machine learning / function call graph
Outline of Annual Research Achievements

In order to enhance the security of IoT devices, we conducted research on malware protection schemes that could effectively and efficiently safeguard these devices, while also being independent of the CPU architecture and robust to cyberattacks. We got the following research results in FY 2022.

(1) We investigated using graph2vec to encode function call graphs obtained by static analysis of IoT malware, for malware family classification. We proposed two methods to improve the feature representation: reinterpreting opcode sequences so that user-defined functions receive unified names, and integrating literal (string) information into the embedding. Tested on a large-scale dataset of over 108K malware binaries, the proposed method showed higher accuracy across various architectures, leading to superior overall performance.
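The reinterpretation step in (1), as an added illustration that is not code from the project or from the Computers & Security paper: user-defined function nodes are relabelled by a digest of their opcode sequence and referenced literals (my assumption of how "unified names" can be derived; the paper's exact scheme may differ), and the relabelled call graph is turned into the bag of Weisfeiler-Lehman subtree labels that graph2vec would normally feed to its learned embedding. The learned embedding is replaced here by a plain bag-of-labels cosine similarity so the example runs offline; the three samples are constructed.

```python
import hashlib
import math
from collections import Counter

# Constructed samples (illustrative, not real malware). Each function maps to
# (opcode sequence, callees, referenced string literals). Names starting with
# "sub_" are auto-generated by the disassembler; "main", "socket" and "connect"
# are symbol-backed or imported functions and keep their names.
SAMPLE_A = {
    "main":       (["push", "call", "call", "pop", "ret"], ["sub_401000", "sub_401200"], []),
    "sub_401000": (["push", "mov", "call", "pop", "ret"], ["connect"], ["/bin/busybox"]),
    "sub_401200": (["push", "mov", "cmp", "jne", "call", "pop", "ret"], ["socket"], []),
    "socket":     ([], [], []),
    "connect":    ([], [], []),
}
# Same code rebuilt at a different base address: only the auto-generated names differ.
SAMPLE_B = {
    "main":       (["push", "call", "call", "pop", "ret"], ["sub_8000", "sub_8200"], []),
    "sub_8000":   (["push", "mov", "call", "pop", "ret"], ["connect"], ["/bin/busybox"]),
    "sub_8200":   (["push", "mov", "cmp", "jne", "call", "pop", "ret"], ["socket"], []),
    "socket":     ([], [], []),
    "connect":    ([], [], []),
}
# A different family: same graph shape, but different function bodies and literal.
SAMPLE_C = {
    "main":       (["push", "call", "call", "pop", "ret"], ["sub_1000", "sub_1200"], []),
    "sub_1000":   (["push", "xor", "call", "pop", "ret"], ["connect"], ["/tmp/.x"]),
    "sub_1200":   (["push", "mov", "cmp", "je", "call", "pop", "ret"], ["socket"], []),
    "socket":     ([], [], []),
    "connect":    ([], [], []),
}


def _digest(text):
    return hashlib.sha256(text.encode()).hexdigest()[:8]


def reinterpret(sample, unify=True):
    """Return (labels, adjacency) for the call graph.

    With unify=True every "sub_*" function is renamed to a digest of its opcode
    sequence plus its sorted literals (assumed scheme), so identical functions get
    identical labels regardless of the symbol the disassembler chose. Functions
    with identical bodies therefore merge into one node."""
    rename = {}
    for name, (opcodes, _, literals) in sample.items():
        if unify and name.startswith("sub_"):
            rename[name] = "fn_" + _digest(" ".join(opcodes) + "|" + " ".join(sorted(literals)))
        else:
            rename[name] = name
    labels = {rename[n]: rename[n] for n in sample}
    adjacency = {rename[n]: sorted(rename[c] for c in calls) for n, (_, calls, _) in sample.items()}
    return labels, adjacency


def wl_features(labels, adjacency, iterations=2):
    """Bag of Weisfeiler-Lehman subtree labels: the 'words' graph2vec embeds.
    Each iteration replaces a node label by a digest of itself plus its callees' labels."""
    bag = Counter(labels.values())
    current = dict(labels)
    for _ in range(iterations):
        current = {node: _digest(current[node] + "(" + ",".join(current[c] for c in nbrs) + ")")
                   for node, nbrs in adjacency.items()}
        bag.update(current.values())
    return bag


def cosine(a, b):
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b)


def similarity(s1, s2, unify=True):
    """Cosine similarity of two samples' WL feature bags (stand-in for the graph2vec distance)."""
    return cosine(wl_features(*reinterpret(s1, unify)), wl_features(*reinterpret(s2, unify)))


if __name__ == "__main__":
    print("A vs B, raw names    :", round(similarity(SAMPLE_A, SAMPLE_B, unify=False), 3))
    print("A vs B, reinterpreted:", round(similarity(SAMPLE_A, SAMPLE_B), 3))
    print("A vs C, reinterpreted:", round(similarity(SAMPLE_A, SAMPLE_C), 3))
```

With raw disassembler names, the two builds of the same code look different at every WL iteration because `sub_401000` and `sub_8000` are distinct tokens; after reinterpretation they produce identical feature bags, while the other family still differs because its function bodies and literal hash to other labels.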

(2) We explored the use of Explainable Artificial Intelligence (XAI) to identify the features that distinguish malware families. We proposed the Color-coded Attribute Graph (CAG), which uses feature importance scores from the classifier models to create a visual representation of malware samples. Results show that the CAG is effective in interpreting machine learning-based methods for IoT malware classification, leading to more accurate analyses.

Current Status of Research Progress

1: Research has progressed more than originally planned.

Reason

In FY2022, we successfully executed our planned research projects, which included benchmark dataset collection, research on embedding methods, and research on static strings. Our team achieved impressive research output, publishing one top journal paper, submitting one international conference paper, and delivering one research presentation.

Additionally, we have ongoing research in progress, which we are currently summarizing for publication. One line of research focuses on the efficient implementation of string kernels for IoT malware analysis. We designed an efficient algorithm based on the suffix tree data structure for fast searching of similar components across different malware samples. This work aims to accelerate the malware analysis process, which is crucial for detecting and mitigating malware attacks on IoT devices.
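The suffix-tree idea in the paragraph above, as an added example that is not the project's algorithm: an uncompressed generalized suffix trie is built over the printable strings of several constructed samples, each node recording which samples reach it, so the longest component shared by at least k samples can be read off in one pruned traversal. The construction here is the naive quadratic one for readability; an implementation meant for 100K+ samples would build a compressed suffix tree with Ukkonen's linear-time algorithm, but the query logic is the same.

```python
# Constructed string sets, as they might be extracted from the .rodata sections of
# several samples (illustrative values, not real malware data).
SAMPLES = {
    "sample1": ["/bin/busybox", "TSource Engine Query", "/dev/watchdog"],
    "sample2": ["/bin/busybox", "TSource Engine Query", "enable"],
    "sample3": ["/bin/busybox", "system", "shell"],
    "sample4": ["/proc/net/tcp", "chmod 777"],
}


class TrieNode:
    __slots__ = ("children", "samples")

    def __init__(self):
        self.children = {}   # next character -> TrieNode
        self.samples = set()  # ids of samples whose strings pass through this node


def build_suffix_trie(samples):
    """Insert every suffix of every string of every sample.

    Because each node records the samples that reach it, "which samples share this
    substring" is answered by looking at a node instead of re-scanning the corpus."""
    root = TrieNode()
    for sid, strings in samples.items():
        root.samples.add(sid)
        for s in strings:
            for start in range(len(s)):
                node = root
                for ch in s[start:]:
                    node = node.children.setdefault(ch, TrieNode())
                    node.samples.add(sid)
    return root


def longest_shared(root, min_samples):
    """Longest substring present in at least min_samples samples, plus those samples.

    Subtrees reached by too few samples are pruned, so the walk only visits the part
    of the trie that can still contain an answer."""
    best_text, best_samples = "", frozenset()
    stack = [(root, "")]
    while stack:
        node, text = stack.pop()
        if len(node.samples) >= min_samples and len(text) > len(best_text):
            best_text, best_samples = text, frozenset(node.samples)
        for ch, child in node.children.items():
            if len(child.samples) >= min_samples:
                stack.append((child, text + ch))
    return best_text, best_samples


def find_shared_component(samples, min_samples):
    """Build the trie and query it in one call."""
    return longest_shared(build_suffix_trie(samples), min_samples)


if __name__ == "__main__":
    for k in (2, 3, 4):
        text, who = find_shared_component(SAMPLES, k)
        print(f"shared by >= {k} samples: {text!r} in {sorted(who)}")
```

Lowering the threshold returns longer but less widely shared components (the 20-character query string is present in only two samples), while raising it surfaces the component common to the whole cluster; the same trie answers both questions without being rebuilt.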

Furthermore, we are conducting research on detecting IoT malware in packed samples, which presents unique challenges in malware analysis. Our proposed solution uses feature selection to cope with the ambiguous opcodes produced when unpacking fails. We aim to enhance the accuracy and efficiency of malware detection in packed samples, contributing to the overall security of IoT devices.

Strategy for Future Research Activity

For FY 2023, our team aims to enhance the effectiveness and efficiency of our IoT malware protection scheme by applying cutting-edge learning algorithms. We will leverage Word2Vec, Doc2Vec, and FastText to preprocess high-dimensional vectors and evaluate their performance using deep neural networks, including Convolutional Neural Networks and Recurrent Neural Networks. We will compare these new algorithms against conventional methods, such as Random Forest, Support Vector Machine, and Neural Networks, which we previously examined. Our objective is to achieve a high level of generalization performance for the protection scheme.

In addition, we are conducting research on detecting IoT malware in packed samples, which poses unique challenges in malware analysis. To cope with the ambiguous opcodes produced when unpacking fails, our proposed solution uses feature selection. Our aim is to enhance the accuracy and efficiency of malware detection in packed samples, thereby improving the overall security of IoT devices.

Looking ahead to FY 2024, we plan to adopt adversarial learning to enhance the model's resilience against obfuscation techniques. We will use Generative Adversarial Networks, a type of generative deep learning algorithm, to generate adversarial data instances that improve the models' robustness. After verifying performance on benchmark datasets, we plan to develop a prototype of the protection scheme and test it on popular IoT devices.

Causes of Carryover

The timing of funding utilization was adjusted for several reasons. Due to supply and demand dynamics, the planned purchase of a computing server faced severe delivery delays, leading to a decision to leverage existing computing resources for preliminary data analysis instead. As a result, the procurement was postponed to FY2023, and the presentation at an overseas conference was rescheduled due to the impact of the COVID-19 pandemic. These adjustments demonstrate adaptability and efficient resource allocation in the research project, benefiting from the advantages offered by the new Kikin policy.

In FY 2023, we will invest in a comprehensive analysis platform for IoT malware, utilizing both static and dynamic analysis techniques on over 400K malware and benign-ware samples collected from various CPU architectures. We plan to purchase a high-performance server equipped with a GPU for numerical analysis of the logs and reliable model development for malware detection and classification. Additionally, we will acquire adequate storage to maintain the data collection.

Research Products (3 results)


  • [Int'l Joint Research] Taiwan Information Security Center/National Taiwan Uni. of Sci. and Tech. (China)

    • Country Name
      CHINA
    • Counterpart Institution
      Taiwan Information Security Center/National Taiwan Uni. of Sci. and Tech.
  • [Journal Article] IoT malware classification based on reinterpreted function-call graphs (2023)

    • Author(s)
      Wu Chia-Yi, Ban Tao, Cheng Shin-Ming, Takahashi Takeshi, Inoue Daisuke
    • Journal Title
      Computers & Security
      Volume: 125 Pages: 103060
    • DOI
      10.1016/j.cose.2022.103060
    • Peer Reviewed / Int'l Joint Research
  • [Presentation] Research on IoT Anti-malware Technology beyond CPU Architectures (2022)

    • Author(s)
      Tao Ban
    • Organizer
      Malware & Reverse Engineering Conference 2023
    • Int'l Joint Research


Published: 2023-12-25  
