Abstract

The number of Internet of Things (IoT) devices has exploded in recent years. Because of their simple implementations and difficult-to-patch firmware, IoT devices are vulnerable to malware attacks. Static analysis is a feasible way to understand the behavior of IoT malware for detection and mitigation. However, unlike traditional malware on personal computers or smartphones, the diversity of processor architectures on IoT devices brings a variety of challenges for researchers. Current malware detection methods based on operation code or byte code cannot address the multi-architecture issue well. In this paper, we propose a cross-architecture IoT malware detection method based on a graph neural network (GNN). We represent each binary file as a function call graph (FCG), since the FCG is a higher-level, architecture-independent feature. A natural language processing model is used to extract semantic information from the operation code in our method. We use this semantic information as the node features and then use the GNN to extract structural information from the FCG. Our method takes both semantic and structural information into account to identify malware. We also create a dataset that covers 5 different processor architectures to evaluate our method. The experiment we conduct over the dataset shows that our method performs better than other methods and is capable of detecting unknown malware.
