
Classifying IoT malware delivery patterns for attack detection

Master of Science in Engineering in Computer Science

Candidate:
Fabrizio Farinacci
Student ID: 1530961

Thesis advisor:
Prof. Leonardo Querzoni

Co-Advisor:
Dr. Giuseppe Laurenza

A. Y. 2016 - 2017
Introduction Related work and contributions Proposed approach Results evaluation Conclusions and future work

Background: The Internet of Things


• The Internet of Things (IoT) is the vision in which anything
from vehicles to home appliances is equipped with Internet
connectivity and digitally connected to exchange data.
• Sadly, the IoT recently came under the spotlight more for its
widespread security issues than for its enormous potential.


Background: Threats affecting the IoT


• The IoT landscape, made up of insecure, misconfigured and
easily accessible devices, is the cybercriminals' Holy Grail!
• This environment favored the proliferation of IoT malware and in
particular botnets, mainly devoted to performing DDoS attacks.


Problem statement and thesis objective

Problem
The highly vulnerable IoT landscape favors the proliferation of threats
and in particular of malware. Understanding and characterizing them is
a fundamental requirement for preventing the compromise of IoT devices.

Thesis objective
Design a platform, trained on knowledge extracted from real attacks
collected by the platform itself, capable of recognizing known
attacks and detecting variants or completely new attacks.


Related work
Works in the IoT security field divide into:
• Studies providing basic security guidelines for preventing,
mitigating and recovering from attacks.
[Angrishi et al., 2017]

• Honeypot systems designed for the IoT environment,
with the goal of assessing the current threats.
[SIPHON, Guarnizo et al., 2017]

• Detection strategies employing either simple device
white-listing mechanisms or unreliable signature-based approaches.
[Meidan et al., 2017]

• Proof-of-concept mechanisms for detecting infected
devices and automating the recovery strategy.
[AntibIoTic, De Donno et al., 2017]

Contributions

The contributions made by this work are the following:

1. Showing the capability of honeypots to reveal IoT threats;
2. Identifying specific attack patterns for characterizing the attacks;
3. Introducing an approach for profiling the attacks;
4. Showing how profiles enable grouping similar attacks;
5. Showing how profiles enable classifying and recognizing attacks;
6. Showing how profiles enable tracking the evolution of attacks.


Approach overview


Attack profile extraction


Attack patterns
Definition
Attack patterns are sequences of operations with a precise, but often
hidden and sneaky, goal that is meaningful to the attacker.

Example
# Mirai
/bin/busybox cp /bin/echo dvrHelper; >dvrHelper; ...
...
/bin/busybox cp dvrHelper upnp; > upnp; ...
echo -ne "some HEX string" > upnp; /bin/busybox ECCHI
./upnp; ./dvrHelper telnet.mips; /bin/busybox IHCCE

# Hajime
cd /var; cat .s || cp /bin/echo .s; /bin/busybox ECCHI ...
...
>.s; cp .s .i; echo -ne "some HEX string" > .s; /bin/busybox ECCHI
./.s>.i; ./.i; rm .s; exit
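As an added example (not the thesis's own code), the following Python turns captured telnet sessions like the Mirai and Hajime ones above into a binary attack profile over named patterns, then groups sessions by profile similarity, which is the idea behind the later attack aggregation phase. The session strings, the pattern names and the single-linkage grouping are this example's own assumptions; the thesis uses BIRCH and DBSCAN, which are not reimplemented here.

```python
import re
# Constructed honeypot sessions modelled on the Mirai and Hajime sequences on
# the slide; payload bytes are placeholders, "mirai_variant" only renames files.
SESSIONS = {
    "mirai": ("/bin/busybox cp /bin/echo dvrHelper; >dvrHelper; "
              "/bin/busybox cp dvrHelper upnp; > upnp; "
              'echo -ne "\\x7f\\x45" > upnp; /bin/busybox ECCHI; '
              "./upnp; ./dvrHelper telnet.mips; /bin/busybox IHCCE"),
    "hajime": ("cd /var; cat .s || cp /bin/echo .s; /bin/busybox ECCHI; >.s; "
               'cp .s .i; echo -ne "\\x7f\\x45" > .s; /bin/busybox ECCHI; '
               "./.s>.i; ./.i; rm .s; exit"),
    "mirai_variant": ("/bin/busybox cp /bin/echo x86; >x86; "
                      'echo -ne "\\x7f\\x45" > x86; /bin/busybox ECCHI; '
                      "./x86 telnet.x86; /bin/busybox IHCCE"),
}
# One attack pattern = one named regex over a single command. The names are
# this example's own; the thesis's pattern catalogue is not on the page.
PATTERNS = {
    "copy_echo_as_dropper": re.compile(r"\bcp\s+/bin/echo\s+\S+"),
    "truncate_file": re.compile(r"^>\s*\S+$"),
    "write_hex_payload": re.compile(r'echo\s+-ne\s+".*"\s*>\s*\S+'),
    "busybox_marker": re.compile(r"/bin/busybox\s+[A-Z]{4,}$"),
    "exec_dropped_file": re.compile(r"^\./\S+"),
    "remove_trace": re.compile(r"^rm\s+\S+"),
    "change_dir": re.compile(r"^cd\s+\S+"),
}

def extract_profile(session):
    """Binary profile: one flag per pattern that fires in any command (split at ; | &)."""
    cmds = [c.strip() for c in re.split(r"[;|&]+", session) if c.strip()]
    return [int(any(rx.search(c) for c in cmds)) for rx in PATTERNS.values()]

def jaccard(a, b):
    """Similarity of two binary profiles as sets (1.0 when both are empty)."""
    inter = sum(1 for x, y in zip(a, b) if x and y)
    union = sum(1 for x, y in zip(a, b) if x or y)
    return inter / union if union else 1.0

def group_profiles(profiles, threshold):
    """Single-linkage grouping by Jaccard similarity (insertion-order dependent)."""
    groups = []
    for name, vec in profiles.items():
        for g in groups:
            if any(jaccard(vec, profiles[m]) >= threshold for m in g):
                g.add(name)
                break
        else:
            groups.append({name})
    return groups
```

Because the profile abstracts away file names, the renamed variant gets exactly the Mirai profile and is grouped with it at threshold 0.8, while Hajime (which additionally changes directory and removes its dropper) stays in its own group.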


Pattern-based attack representation


Phase 4: Attack aggregation and classification

• Once the attack profiles are extracted, they can be employed for:
◦ Grouping the attacks to devise attack classes and their evolution.
◦ Classifying the attacks, and thereby being able to recognize them.

• For the grouping task, we employed the unsupervised learning
clustering algorithms BIRCH and DBSCAN.
• For the classification task, we trained and evaluated the supervised
learning classifiers Random Forest, Decision Tree, Bernoulli Naive
Bayes and Linear Kernel SVM.


Dataset description and testing methodology


Dataset: ≈ 270,000 attacks collected by the platform and divided
into 17 classes, representing either variants or different attacks.
Used metrics:
• Attack grouping: Homogeneity and completeness scores,
Fowlkes–Mallows index and silhouette coefficient.
• Attack classification: F1 and accuracy scores, precision and recall.

Performed tests:
• Attack grouping:
◦ Clustering comparison on 50,000 samples (≈ 1/5 of the dataset).
◦ Incremental time-based k-fold cross-validation (k = 10).
• Attack classification:
◦ Incremental time-based k-fold cross-validation (k = 10).
◦ Stratified k-fold cross-validation (k = 5).

Test 1: BIRCH and DBSCAN comparison

[Figure: Clustering comparison. (a) Observed metrics comparison: FMI, Homogeneity and Completeness (y-axis 0.8 to 1) for DBSCAN vs BIRCH. (b) Time performance comparison: Avg. Time (sec.) (y-axis 0 to 10) for DBSCAN vs BIRCH.]


Test 2: Incremental time-based k-fold grouping

[Figure: BIRCH Online, periodical tuning. FMI, homogeneity score, completeness score and silhouette coefficient (y-axis 0 to 1) over folds 1 to 10 (time).]


Test 3: Incremental time-based k-fold classification

[Figure: Random Forest, incremental k-fold. F1 score, precision, recall and accuracy score (y-axis 0 to 1) over folds 1 to 9 (time).]


Test 4: Stratified k-fold classification


[Figure: Stratified k-fold classification results for Random Forest, Decision Tree, Bernoulli Naive Bayes and Linear Kernel SVM (y-axis 0.995 to 1). (c) F1 score. (d) Precision. (e) Recall. (f) Accuracy score.]



Conclusions and future work


Conclusions
Results show that our approach delivers promising results in the field
of attack recognition and enables studying the evolution of attacks,
at least for the subset of attacks that we managed to collect.
Future work
• Extending the platform, by:
1. Improving the honeypot platform;
2. Building a platform for organizing the data;
3. Developing Visual Analytics tools.
• Improving the description of attacks, by:
1. Improving the attack pattern identification;
2. Integrating with signature-based information.
• Online monitoring for attack prevention, by designing an online
detection procedure capable of detecting ongoing attacks.

That’s all!

Thanks for your attention!


Any questions?
