Title: A Novel Static Analysis Approach Using System Calls for Linux IoT Malware Detection
Authors: Jayanthi Ramamoorthy, Khushi Gupta, Ram C. Kafle, N. Shashidhar, C. Varol
DOI: 10.3390/electronics13152906 (https://doi.org/10.3390/electronics13152906)
Journal: Electronics, volume "7 12"
Publication date: 2024-07-23
Publication type: Journal Article
Open access: no
Indexed on: Semantic Scholar
Citation count: 0
Abstract
The proliferation of Internet of Things (IoT) devices on Linux platforms has heightened concerns regarding vulnerability to malware attacks. This paper introduces a novel approach to investigating the behavior of Linux IoT malware by examining syscalls and library syscall wrappers extracted through static analysis of binaries, as opposed to the conventional method of using dynamic analysis for syscall extraction. We rank and categorize Linux system calls based on their security significance, focusing on understanding malware intent without execution. Feature analysis of the assigned syscall categories and risk ranking is conducted with statistical tests to validate their effectiveness and reliability in differentiating between malware and benign binaries. Our findings demonstrate that potential threats can be reliably identified with an F1 score of 96.86%, solely by analyzing syscalls and library syscall wrappers. This method can augment traditional static analysis, providing an effective preemptive measure to enhance Linux malware analysis. This research highlights the importance of static analysis in strengthening IoT systems against emerging malware threats.