Abstract

IoT malware analysis is crucial for understanding the behavior and purpose of malware samples. While deep learning methods have been applied to IoT malware analysis using sequences or graphs to represent system calls, these approaches have limitations in their semantic representation of system call names. This paper presents Enimanal, a novel cross-architecture IoT malware analysis method based on graph neural networks. Enimanal leverages information from the Linux Programmer's Manual to improve the semantic representation of dynamic system call information. By fusing semantic and structural information, Enimanal constructs a unique feature representation called an attributed system call graph (ASCG). We evaluate Enimanal on a dataset of 63k IoT malware samples spanning 9 CPU architectures and find that it outperforms comparison methods by up to 46% in macro precision and 38% in macro recall, achieving macro precision, macro recall and macro F1-score of over 98%. Furthermore, we verify the robustness of Enimanal against "zero-day" IoT malware.
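The following is an added illustration, not code from the paper: it builds a toy attributed system call graph from a constructed dynamic syscall trace. Node attributes come from constructed one-line manual-style descriptions (a bag-of-words stand-in for the paper's semantic representation), and edges from consecutive calls with transition counts; both choices are assumptions about how Enimanal encodes the information, used here only to make the ASCG idea concrete.

```python
"""Toy ASCG construction: semantic node attributes + structural edges."""
import re
from collections import Counter

# Constructed placeholder descriptions (not the real manual text).
MAN_SNIPPETS = {
    "socket": "create an endpoint for communication",
    "connect": "initiate a connection on a socket",
    "write": "write to a file descriptor",
    "read": "read from a file descriptor",
    "execve": "execute program",
}

# Constructed dynamic trace, as a sandbox might record it for one sample.
TRACE = ["socket", "connect", "write", "read", "write", "read", "execve"]


def build_vocab(snippets):
    """Map every word seen in the descriptions to a column index."""
    words = sorted({w for s in snippets.values() for w in re.findall(r"[a-z]+", s)})
    return {w: i for i, w in enumerate(words)}


def semantic_vector(name, snippets, vocab):
    """Bag-of-words vector for one syscall; unknown syscalls get all zeros."""
    vec = [0] * len(vocab)
    for w in re.findall(r"[a-z]+", snippets.get(name, "")):
        vec[vocab[w]] += 1
    return vec


def build_ascg(trace, snippets):
    """Return (nodes, edges): node -> fused attribute vector, (src, dst) -> count.

    The fused vector is the semantic bag-of-words followed by two structural
    features, in-degree and out-degree, so a GNN sees both kinds of information.
    """
    vocab = build_vocab(snippets)
    edges = Counter(zip(trace, trace[1:]))
    in_deg, out_deg = Counter(), Counter()
    for src, dst in edges:
        out_deg[src] += 1
        in_deg[dst] += 1
    nodes = {}
    for name in dict.fromkeys(trace):  # unique names, first-seen order
        nodes[name] = semantic_vector(name, snippets, vocab) + [in_deg[name], out_deg[name]]
    return nodes, dict(edges)


if __name__ == "__main__":
    n, e = build_ascg(TRACE, MAN_SNIPPETS)
    print(len(n), "nodes;", e)
```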
