SHELLCORE: Automating Malicious IoT Software Detection Using Shell Commands Representation

Hisham Alasmary, Afsah Anwar, Ahmed Abusnaina, Abdulrahman Alabduljabbar, Mohammed Abuhamad, An Wang, Dae Hun Nyang, Amro Awad, David Mohaisen

Research output: Contribution to journalArticlepeer-review

3 Scopus citations


The Linux shell is a command-line interpreter that provides users with a command interface to the operating system, allowing them to perform various functions. Although very useful in building capabilities at the edge, the Linux shell can be exploited, giving adversaries a prime opportunity to use them for malicious activities. With access to IoT devices, malware authors can abuse the Linux shell of those devices to propagate infections and launch large-scale attacks, e.g., DDoS. In this work, we provide a first look at the tasks managed by shell commands in Linux-based IoT malware towards detection. We analyze malicious shell commands found in IoT malware and build a neural network-based model, , to detect malicious shell commands. Namely, we collected a large dataset of shell commands, including malicious commands extracted from 2,891 IoT malware samples and benign commands collected from real-world network traffic analysis and volunteered data from Linux users. Using conventional machine and deep learning-based approaches trained with a term-and character-level features, is shown to achieve an accuracy of more than 99% in detecting malicious shell commands and files (i.e. binaries).

Original languageEnglish
JournalIEEE Internet of Things Journal
StateAccepted/In press - 2021


  • Data mining
  • Feature extraction
  • Internet of Things
  • IoT Security
  • Linux
  • Linux Shell Commands
  • Machine Learning.
  • Malware
  • Malware Detection
  • Password
  • Task analysis


Dive into the research topics of 'SHELLCORE: Automating Malicious IoT Software Detection Using Shell Commands Representation'. Together they form a unique fingerprint.

Cite this