Abstract

In 2020, 639 million IoT devices were breached, but the number has almost doubled to 1.51 billion breached devices in just the first half of 2021. The limited computing capacity of IoT devices makes them highly vulnerable, and large-scale malware attacks have been conducted using them, as evidenced by the 2016 Mirai botnet, which infected 15 million IoT devices. This stresses the need for enhancements in IoT security, especially in the domain of IoT malware detection. The majority of the research on IoT malware detection is focused on static analysis methods, which do not take packers and obfuscation techniques into account. A moderate amount of research has been done on dynamic analysis methods, but such methods fail when the sample's architecture is not supported. Hybrid analysis methods are also not widely explored, even though they are capable of learning more meaningful features than static or dynamic analysis methods alone. To this end, we propose a new sandbox and a novel hybrid detection model that is cross-architectural and capable of dealing with obfuscated and packed samples. Our proposed hybrid model works well even when one of the analysis methods, static or dynamic, fails. We have trained our hybrid model on a dataset of 3145 samples, with 2210 malware samples and 935 benign samples. Our model achieves an accuracy of 99.18% with an MCC score of 0.98.
