Classifying Iot Malware Delivery Patterns For Attack Detection
Candidate:
Fabrizio Farinacci
Student ID: 1530961
Thesis advisor:
Prof. Leonardo Querzoni
Co-Advisor:
Dr. Giuseppe Laurenza
A. Y. 2016 - 2017
Introduction Related work and contributions Proposed approach Results evaluation Conclusions and future work
Problem
The highly vulnerable IoT landscape favors the proliferation of threats,
and of malware in particular. Understanding and characterizing them is
a fundamental requirement for preventing the compromise of IoT devices.
Thesis objective
Design a platform, trained on top of knowledge extracted from real
attacks collected by the platform itself, capable of recognizing known
attacks and detecting variants or completely new attacks.
Related work
Works in the IoT security field divide into:
• Studies providing basic security guidelines for preventing,
mitigating and recovering from attacks.
[Angrishi et al., 2017]
Contributions
Approach overview
Attack patterns
Definition
Attack patterns are sequences of operations having a precise, but often
hidden and sneaky, goal that is meaningful for the attacker.
Example
# Mirai
/bin/busybox cp /bin/echo dvrHelper; >dvrHelper; ...
...
/bin/busybox cp dvrHelper upnp; > upnp; ...
echo -ne "some HEX string" > upnp; /bin/busybox ECCHI
./upnp; ./dvrHelper telnet.mips; /bin/busybox IHCCE
# Hajime
cd /var; cat .s || cp /bin/echo .s; /bin/busybox ECCHI ...
...
>.s; cp .s .i; echo -ne "some HEX string" > .s; /bin/busybox ECCHI
./.s>.i; ./.i; rm .s; exit
• Once the attack profiles are extracted, they can be employed for:
◦ Grouping the attacks for devising attack classes and their evolution.
◦ Classifying the attacks and thus being able to recognize them.
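As an added illustration (not part of the thesis), the following Python extracts such an attack profile from a captured telnet session: it splits the command line into operations and abstracts away attacker-chosen file names and payload bytes, so that a renamed variant of a known pattern maps onto the same profile. The two sessions are constructed after the Mirai and Hajime snippets above with a placeholder payload, and the Jaccard similarity is a simple stand-in for the distance a clustering step would use.

```python
import re
from typing import List

# Constructed sample sessions, modelled on the Mirai and Hajime snippets above;
# the hex payload is a placeholder (an ELF magic), not a real dropper.
MIRAI_SESSION = (
    "/bin/busybox cp /bin/echo dvrHelper; >dvrHelper; "
    "/bin/busybox cp dvrHelper upnp; > upnp; "
    'echo -ne "\\x7f\\x45\\x4c\\x46" > upnp; /bin/busybox ECCHI; '
    "./upnp; ./dvrHelper telnet.mips; /bin/busybox IHCCE"
)
HAJIME_SESSION = (
    "cd /var; cat .s || cp /bin/echo .s; /bin/busybox ECCHI; "
    '>.s; cp .s .i; echo -ne "\\x7f\\x45\\x4c\\x46" > .s; /bin/busybox ECCHI; '
    "./.s>.i; ./.i; rm .s; exit"
)

SPLIT_RE = re.compile(r"\s*(?:;|\|\||&&)\s*")      # command separators
HEX_RE = re.compile(r'"(?:\\x[0-9a-fA-F]{2})+"')  # quoted \xNN payload
BUSYBOX_RE = re.compile(r"^/bin/busybox\s+")      # '/bin/busybox cp' -> 'cp'

def normalize_command(cmd: str) -> str:
    """Map one shell command to an abstract operation, dropping attacker-chosen names."""
    cmd = BUSYBOX_RE.sub("", HEX_RE.sub("HEX", cmd.strip()))
    if cmd.startswith(">"):
        return "TRUNCATE FILE"          # '>name' creates/empties the dropper file
    if cmd.startswith("./"):
        return "EXEC FILE"              # runs a file written during the session
    tokens = cmd.split()
    if not tokens:
        return ""
    verb = tokens[0]
    if verb == "echo" and "HEX" in tokens and ">" in tokens:
        return "WRITE HEX FILE"         # stages binary bytes via echo -ne
    if verb.isupper():
        return "MARKER"                 # session marker such as ECCHI / IHCCE
    # keep absolute system paths, abstract any other operand to FILE
    args = [a if a.startswith("/") else "FILE" for a in tokens[1:]]
    return " ".join([verb] + args)

def attack_profile(session: str) -> List[str]:
    """Ordered sequence of abstract operations: the attack pattern of one session."""
    return [op for op in map(normalize_command, SPLIT_RE.split(session)) if op]

def jaccard(profile_a: List[str], profile_b: List[str]) -> float:
    """Bag-of-operations similarity between two profiles (1.0 = same operation set)."""
    a, b = set(profile_a), set(profile_b)
    return len(a & b) / len(a | b) if a | b else 1.0
```

Renaming dvrHelper/upnp in the Mirai session leaves attack_profile unchanged, while the Mirai and Hajime profiles differ in order and share only part of their operation set (Jaccard 0.6 here).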
Performed tests:
• Attack grouping:
◦ Clustering comparison on 50,000 samples (≈ 1/5 of the dataset).
◦ Incremental time-based k-fold cross-validation (k = 10).
• Attack classification:
◦ Incremental time-based k-fold cross-validation (k = 10).
◦ Stratified k-fold cross-validation (k = 5).
[Figure: clustering comparison of DBSCAN vs. BIRCH. Left axis (0.8 to 0.95): FMI, Homogeneity, Completeness; right axis (0 to 8): Avg. Time (sec.)]
That’s all!