EVaDe: Efficient and Lightweight Mirai Variants Detection via Approximate Largest Submatrix Search

Author:

Wang Xuguo¹, Chen Ligeng¹, Wang Yuyang¹, Huang Hao¹, Mao Bing¹

Affiliation:

1. State Key Laboratory for Novel Software Technology, Nanjing University, Nanjing, P. R. China

Abstract

The Mirai botnet, notorious for launching large Distributed Denial of Service (DDoS) attacks that crippled portions of internet services in late 2016, has emerged as a significant threat. Its threat is magnified by the open-source nature of the original Mirai code, which enables a propagation and evolution rate that surpasses traditional malware and frequently defies common sense. As the primary targets of Mirai attacks, Internet of Things (IoT) devices must promptly adapt to the evolving variations of the Mirai threat scenario. In practice, however, IoT devices are frequently constrained by insufficient security detection resources. Therefore, there is an urgent need for a lightweight framework capable of handling Mirai variants and dynamically updating its rule set in order to effectively counter the threat. In response to these challenges, we present Efficient and lightweight Mirai Variants Detection (EVaDe), a novel, lightweight framework for detecting Mirai. EVaDe unleashes the power of sample function mining to efficiently automate the generation of detection rules, requiring limited hardware resources while maintaining effectiveness against Mirai and its numerous variants. In addition, to improve the efficacy of rule generation, we propose a sophisticated algorithm designed to optimize the maximum submatrix problem, thereby facilitating the efficient and rapid extraction of malicious rules from the sample group. We validated the experiments on actual IoT devices with significantly compressed performance overheads: an average sample detection time of 5 ms ensures the system can be deployed in real production. According to the results, the approach has an average detection rate of 95% for Mirai and its variants, which beats every other well-known piece of commercial antivirus software on the market by 3% to 56%.
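The abstract frames rule extraction as a maximum submatrix problem: rows are samples, columns are the functions found in them, and a large all-ones block is a set of functions shared by a group of samples, which becomes a detection rule. The following is an added illustration of that formulation, not EVaDe's own algorithm or code; the sample names, function identifiers and the greedy area-growing heuristic are all constructed assumptions for the example.

```python
"""Greedy approximation of the largest all-ones submatrix of a sample x function
incidence matrix, used to turn a group of related samples into one rule."""
from typing import Dict, FrozenSet, Set, Tuple

# Constructed toy corpus (sample id -> function identifiers). The names stand in
# for whatever function fingerprint a real extractor would emit.
MALWARE: Dict[str, Set[str]] = {
    "mirai_a":   {"scanner_init", "attack_udp", "killer_init", "rand_next", "resolv"},
    "mirai_b":   {"scanner_init", "attack_udp", "killer_init", "rand_next", "attack_tcp"},
    "variant_c": {"scanner_init", "attack_udp", "killer_init", "attack_tcp", "resolv"},
    "variant_d": {"scanner_init", "killer_init", "rand_next", "attack_gre"},
}
BENIGN: Dict[str, Set[str]] = {
    "busybox_like": {"resolv", "rand_next", "main"},
}

def mine_rule(samples: Dict[str, Set[str]], benign: Dict[str, Set[str]],
              min_rows: int = 2) -> Tuple[Set[str], FrozenSet[str]]:
    """Return (covered_sample_ids, rule_functions) maximising rows * cols.

    Each allowed function is tried as a seed column; the row set is the samples
    containing it, and further columns are added greedily while the area of the
    all-ones block still grows. Functions seen in any benign sample are excluded
    up front, so the mined rule cannot fire on the known-good set.
    """
    allowed = sorted(set().union(*samples.values()) - set().union(*benign.values()))
    best_rows, best_cols = set(), frozenset()
    for seed in allowed:
        rows = {s for s, fs in samples.items() if seed in fs}
        cols = {seed}
        if len(rows) < min_rows:
            continue
        while True:
            pick, pick_rows, pick_area = None, None, len(rows) * len(cols)
            for f in allowed:
                if f in cols:
                    continue
                kept = {s for s in rows if f in samples[s]}  # rows that stay all-ones
                if len(kept) >= min_rows and len(kept) * (len(cols) + 1) > pick_area:
                    pick, pick_rows, pick_area = f, kept, len(kept) * (len(cols) + 1)
            if pick is None:  # no column enlarges the block any further
                break
            cols.add(pick)
            rows = pick_rows
        if len(rows) * len(cols) > len(best_rows) * len(best_cols):
            best_rows, best_cols = rows, frozenset(cols)
    return best_rows, best_cols

def matches(rule: FrozenSet[str], functions: Set[str]) -> bool:
    """A sample matches a rule when it contains every function of the rule."""
    return rule <= functions
```

On the toy corpus the mined rule is {attack_udp, killer_init, scanner_init}, covering three of the four samples and none of the benign set; in practice the uncovered samples would be mined again to grow the rule set.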

Funder

National Outstanding Youth Science Fund Project of National Natural Science Foundation of China

Publisher

World Scientific Pub Co Pte Ltd

Subject

Artificial Intelligence, Computer Graphics and Computer-Aided Design, Computer Networks and Communications, Software
