IoT Malware Detection Using Function-Call-Graph Embedding

Abstract

In the era of rapid network development, IoT devices are being deployed more and more widely, and various kinds of malware programs are gradually appearing at the deployment level. As a widely adopted static analysis approach, structure based analysis such as graph embedding can capture the semantic features of malware binaries and has received much research attention. In this paper, to further improve the robustness of the graph embedding approaches to IoT malware detection, we propose a novel method that incorporates both local and global characterizing features extracted from Function-Call Graphs (FCG) to perform the detection. The caller-callee relationship represents the local semantic features, and the global statistic feature represents the graph’s structural characteristics. The performance of the proposed method is evaluated on a largescale dataset consisting of 112K malware and 89k benignware samples collected from seven CPU architectures. It shows a 99% accuracy on IoT malware detection, outperforming existing graph embedding solutions. Moreover, when CPU architecture is taken into consideration, the proposed method combined with support vector machine and multilayer perception classifier can yield even higher performance.