Graph-based comparison of IoT and android malware

Hisham Alasmary; Afsah Anwar; Jeman Park; Jinchun Choi; Daehun Nyang; Aziz Mohaisen

doi:10.1007/978-3-030-04648-4_22

Graph-based comparison of IoT and android malware

Hisham Alasmary, Afsah Anwar, Jeman Park, Jinchun Choi, Daehun Nyang, Aziz Mohaisen

Department of Cyber Security

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

42 Scopus citations

Abstract

The growth in the number of android and Internet of Things (IoT) devices has witnessed a parallel increase in the number of malicious software (malware) that can run on both, affecting their ecosystems. Thus, it is essential to understand those malware towards their detection. In this work, we look into a comparative study of android and IoT malware through the lenses of graph measures: we construct abstract structures, using the control flow graph (CFG) to represent malware binaries. Using those structures, we conduct an in-depth analysis of malicious graphs extracted from the android and IoT malware. By reversing 2,874 and 201 malware binaries corresponding to the IoT and android platforms, respectively, extract their CFGs, and analyze them across both general characteristics, such as the number of nodes and edges, as well as graph algorithmic constructs, such as average shortest path, betweenness, closeness, density, etc. Using the CFG as an abstract structure, we emphasize various interesting findings, such as the prevalence of unreachable code in android malware, noted by the multiple components in their CFGs, the high density, strong closeness and betweenness, and larger number of nodes in the android malware, compared to the IoT malware, highlighting its higher order of complexity. We note that the number of edges in android malware is larger than that in IoT malware, highlighting a richer flow structure of those malware samples, despite their structural simplicity (number of nodes). We note that most of those graph-based properties can be used as discriminative features for classification.

Original language	English
Title of host publication	Computational Data and Social Networks - 7th International Conference, CSoNet 2018, Proceedings
Editors	My T. Thai, Xuemin Chen, Wei Wayne Li, Arunabha Sen
Publisher	Springer Verlag
Pages	259-272
Number of pages	14
ISBN (Print)	9783030046477
DOIs	https://doi.org/10.1007/978-3-030-04648-4_22
State	Published - 2018
Event	7th International Conference on Computational Data and Social Networks, CSoNet 2018 - Shanghai, China Duration: 18 Dec 2018 → 20 Dec 2018

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	11280 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	7th International Conference on Computational Data and Social Networks, CSoNet 2018
Country/Territory	China
City	Shanghai
Period	18/12/18 → 20/12/18

Bibliographical note

Funding Information:
This work is supported by the NSF grant CNS-1809000, NRF grant 2016K1A1A2912757, Florida Center for Cybersecurity (FC2) seed grant, and support by the Air Force Research Lab. This work would not have been possible without the support of Ernest J. Gemeinhart.

Publisher Copyright:
© Springer Nature Switzerland AG 2018.

Keywords

Android
Graph analysis
IoT
Malware

Access to Document

10.1007/978-3-030-04648-4_22

Cite this

Alasmary, H., Anwar, A., Park, J., Choi, J., Nyang, D., & Mohaisen, A. (2018). Graph-based comparison of IoT and android malware. In M. T. Thai, X. Chen, W. W. Li, & A. Sen (Eds.), Computational Data and Social Networks - 7th International Conference, CSoNet 2018, Proceedings (pp. 259-272). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 11280 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-030-04648-4_22

Alasmary, Hisham ; Anwar, Afsah ; Park, Jeman et al. / Graph-based comparison of IoT and android malware. Computational Data and Social Networks - 7th International Conference, CSoNet 2018, Proceedings. editor / My T. Thai ; Xuemin Chen ; Wei Wayne Li ; Arunabha Sen. Springer Verlag, 2018. pp. 259-272 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{f78509c6ceca4a4087808e4daa1bd41d,

title = "Graph-based comparison of IoT and android malware",

abstract = "The growth in the number of android and Internet of Things (IoT) devices has witnessed a parallel increase in the number of malicious software (malware) that can run on both, affecting their ecosystems. Thus, it is essential to understand those malware towards their detection. In this work, we look into a comparative study of android and IoT malware through the lenses of graph measures: we construct abstract structures, using the control flow graph (CFG) to represent malware binaries. Using those structures, we conduct an in-depth analysis of malicious graphs extracted from the android and IoT malware. By reversing 2,874 and 201 malware binaries corresponding to the IoT and android platforms, respectively, extract their CFGs, and analyze them across both general characteristics, such as the number of nodes and edges, as well as graph algorithmic constructs, such as average shortest path, betweenness, closeness, density, etc. Using the CFG as an abstract structure, we emphasize various interesting findings, such as the prevalence of unreachable code in android malware, noted by the multiple components in their CFGs, the high density, strong closeness and betweenness, and larger number of nodes in the android malware, compared to the IoT malware, highlighting its higher order of complexity. We note that the number of edges in android malware is larger than that in IoT malware, highlighting a richer flow structure of those malware samples, despite their structural simplicity (number of nodes). We note that most of those graph-based properties can be used as discriminative features for classification.",

keywords = "Android, Graph analysis, IoT, Malware",

author = "Hisham Alasmary and Afsah Anwar and Jeman Park and Jinchun Choi and Daehun Nyang and Aziz Mohaisen",

note = "Funding Information: This work is supported by the NSF grant CNS-1809000, NRF grant 2016K1A1A2912757, Florida Center for Cybersecurity (FC2) seed grant, and support by the Air Force Research Lab. This work would not have been possible without the support of Ernest J. Gemeinhart. Publisher Copyright: {\textcopyright} Springer Nature Switzerland AG 2018.; 7th International Conference on Computational Data and Social Networks, CSoNet 2018 ; Conference date: 18-12-2018 Through 20-12-2018",

year = "2018",

doi = "10.1007/978-3-030-04648-4\_22",

language = "English",

isbn = "9783030046477",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "259--272",

editor = "Thai, \{My T.\} and Xuemin Chen and Li, \{Wei Wayne\} and Arunabha Sen",

booktitle = "Computational Data and Social Networks - 7th International Conference, CSoNet 2018, Proceedings",

}

Alasmary, H, Anwar, A, Park, J, Choi, J, Nyang, D & Mohaisen, A 2018, Graph-based comparison of IoT and android malware. in MT Thai, X Chen, WW Li & A Sen (eds), Computational Data and Social Networks - 7th International Conference, CSoNet 2018, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 11280 LNCS, Springer Verlag, pp. 259-272, 7th International Conference on Computational Data and Social Networks, CSoNet 2018, Shanghai, China, 18/12/18. https://doi.org/10.1007/978-3-030-04648-4_22

Graph-based comparison of IoT and android malware. / Alasmary, Hisham; Anwar, Afsah; Park, Jeman et al.
Computational Data and Social Networks - 7th International Conference, CSoNet 2018, Proceedings. ed. / My T. Thai; Xuemin Chen; Wei Wayne Li; Arunabha Sen. Springer Verlag, 2018. p. 259-272 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 11280 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Graph-based comparison of IoT and android malware

AU - Alasmary, Hisham

AU - Anwar, Afsah

AU - Park, Jeman

AU - Choi, Jinchun

AU - Nyang, Daehun

AU - Mohaisen, Aziz

N1 - Funding Information: This work is supported by the NSF grant CNS-1809000, NRF grant 2016K1A1A2912757, Florida Center for Cybersecurity (FC2) seed grant, and support by the Air Force Research Lab. This work would not have been possible without the support of Ernest J. Gemeinhart. Publisher Copyright: © Springer Nature Switzerland AG 2018.

PY - 2018

Y1 - 2018

N2 - The growth in the number of android and Internet of Things (IoT) devices has witnessed a parallel increase in the number of malicious software (malware) that can run on both, affecting their ecosystems. Thus, it is essential to understand those malware towards their detection. In this work, we look into a comparative study of android and IoT malware through the lenses of graph measures: we construct abstract structures, using the control flow graph (CFG) to represent malware binaries. Using those structures, we conduct an in-depth analysis of malicious graphs extracted from the android and IoT malware. By reversing 2,874 and 201 malware binaries corresponding to the IoT and android platforms, respectively, extract their CFGs, and analyze them across both general characteristics, such as the number of nodes and edges, as well as graph algorithmic constructs, such as average shortest path, betweenness, closeness, density, etc. Using the CFG as an abstract structure, we emphasize various interesting findings, such as the prevalence of unreachable code in android malware, noted by the multiple components in their CFGs, the high density, strong closeness and betweenness, and larger number of nodes in the android malware, compared to the IoT malware, highlighting its higher order of complexity. We note that the number of edges in android malware is larger than that in IoT malware, highlighting a richer flow structure of those malware samples, despite their structural simplicity (number of nodes). We note that most of those graph-based properties can be used as discriminative features for classification.

AB - The growth in the number of android and Internet of Things (IoT) devices has witnessed a parallel increase in the number of malicious software (malware) that can run on both, affecting their ecosystems. Thus, it is essential to understand those malware towards their detection. In this work, we look into a comparative study of android and IoT malware through the lenses of graph measures: we construct abstract structures, using the control flow graph (CFG) to represent malware binaries. Using those structures, we conduct an in-depth analysis of malicious graphs extracted from the android and IoT malware. By reversing 2,874 and 201 malware binaries corresponding to the IoT and android platforms, respectively, extract their CFGs, and analyze them across both general characteristics, such as the number of nodes and edges, as well as graph algorithmic constructs, such as average shortest path, betweenness, closeness, density, etc. Using the CFG as an abstract structure, we emphasize various interesting findings, such as the prevalence of unreachable code in android malware, noted by the multiple components in their CFGs, the high density, strong closeness and betweenness, and larger number of nodes in the android malware, compared to the IoT malware, highlighting its higher order of complexity. We note that the number of edges in android malware is larger than that in IoT malware, highlighting a richer flow structure of those malware samples, despite their structural simplicity (number of nodes). We note that most of those graph-based properties can be used as discriminative features for classification.

KW - Android

KW - Graph analysis

KW - IoT

KW - Malware

UR - http://www.scopus.com/inward/record.url?scp=85059072847&partnerID=8YFLogxK

U2 - 10.1007/978-3-030-04648-4_22

DO - 10.1007/978-3-030-04648-4_22

M3 - Conference contribution

AN - SCOPUS:85059072847

SN - 9783030046477

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 259

EP - 272

BT - Computational Data and Social Networks - 7th International Conference, CSoNet 2018, Proceedings

A2 - Thai, My T.

A2 - Chen, Xuemin

A2 - Li, Wei Wayne

A2 - Sen, Arunabha

PB - Springer Verlag

T2 - 7th International Conference on Computational Data and Social Networks, CSoNet 2018

Y2 - 18 December 2018 through 20 December 2018

ER -

Alasmary H, Anwar A, Park J, Choi J, Nyang D, Mohaisen A. Graph-based comparison of IoT and android malware. In Thai MT, Chen X, Li WW, Sen A, editors, Computational Data and Social Networks - 7th International Conference, CSoNet 2018, Proceedings. Springer Verlag. 2018. p. 259-272. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-030-04648-4_22

Graph-based comparison of IoT and android malware

Abstract

Publication series

Conference

Bibliographical note

Keywords

Access to Document

Fingerprint

Cite this