Directed-System-Call-Graph Feature for IoT Botnet Detection

Abstract

Nowadays, the number and types of IoT devices are increasing rapidly, which leads to an expansion in the attack surface of this kind of device. Besides, the number of Botnet malware on IoT devices also grows with a lot of new variants. This context leads to an urgent demand for an effective solution in detecting new variants of IoT Botnet malware. There have been many studies focusing on IoT Botnet malware detection using static and dynamic analysis. In particular, the combination of the dynamic method with machine learning has shown outstanding advantages to detect IoT Botnet variants. However, the preprocessing of behavioral data originated from malware is still complicated, and the number of input vector dimensions of the machine learning model is still huge. In addition, these models also consume a lot of resources and have limited detection capabilities. Besides, dynamic analysis studies based on system calls mostly use call frequency characteristics and have not effectively exploited IoT Botnet malware’s life cycle characteristics. In this paper, we propose the Directed System Call Graph (DSCG) feature to sequentially structure the system calls. This DSCG graph will be vectorized and used as an input for building a malware analysis model based on popular machine learning classifiers such as KNN, SVM, Decision Tree, etc. Experiments on the datasets demonstrate that the features extracted from this graph have low complexity but still ensure high accuracy in detecting IoT Botnets, especially with newly emerged IoT Botnet families. The proposed model was evaluated with ACC = 98.01 % , TPR = 97.93 % , FPR = 1.5 % , AUC = 0.9961 on a dataset of 5023 IoT Botnets and 3888 benign samples.