ShellCore: Automating Malicious IoT Software Detection Using Shell Commands Representation

Hisham Alasmary, Afsah Anwar, Ahmed Abusnaina, Abdulrahman Alabduljabbar, Mohammed Abuhamad, An Wang, Daehun Nyang, Amro Awad, David Mohaisen

Research output: Contribution to journalArticlepeer-review

4 Scopus citations


The Linux shell is a command-line interpreter that provides users with a command interface to the operating system, allowing them to perform various functions. Although very useful in building capabilities at the edge, the Linux shell can be exploited, giving adversaries a prime opportunity to use them for malicious activities. With access to Internet of Things (IoT) devices, malware authors can abuse the Linux shell of those devices to propagate infections and launch large-scale attacks, e.g., Distributed Denial of Service. In this work, we provide a first look at the tasks managed by shell commands in Linux-based IoT malware toward detection. We analyze malicious shell commands found in IoT malware and build a neural network-based model, ShellCore, to detect malicious shell commands. Namely, we collected a large data set of shell commands, including malicious commands extracted from 2891 IoT malware samples and benign commands collected from real-world network traffic analysis and volunteered data from Linux users. Using conventional machine and deep learning-based approaches trained with a term- and character-level features, ShellCore is shown to achieve an accuracy of more than 99% in detecting malicious shell commands and files (i.e., binaries).

Original languageEnglish
Pages (from-to)2485-2496
Number of pages12
JournalIEEE Internet of Things Journal
Issue number4
StatePublished - 15 Feb 2022

Bibliographical note

Publisher Copyright:
© 2014 IEEE.


  • Internet of Things (IoT) security
  • Linux shell commands
  • machine learning
  • malware detection


Dive into the research topics of 'ShellCore: Automating Malicious IoT Software Detection Using Shell Commands Representation'. Together they form a unique fingerprint.

Cite this