Presentation | 2018-06-25 Calculating Similarity between IoT Malware Samples over CPU Architectures Ryoichi Isawa, Tao Ban, Ying Tie, Katsunari Yoshioka, Daisuke Inoue |
---|---|
Abstract(in Japanese) | (See Japanese page) |
Abstract(in English) | Malware samples infecting IoT (Internet of Things) devices such as Web cameras and home routers have spread over the Internet. Those samples are often generated by reusing source code to run on various CPU architectures (e.g., ARM and MIPS) of IoT devices, and they behave similarly, but their binaries vary because of different ISAs (Instruction Set Architectures). Even if analysts simply compare the malware binaries, they cannot find out similar samples from their malware repository. In this paper, we propose a method for calculating similarity between malware samples running on different CPU architectures. A key idea behind our method is to convert each malware binary into an intermediate representation to fill the gap between different ISAs. It then calculates their similarity based on the intermediate representation. With experiments using twelve in-the-wild malware samples (Mirai-ARM/MIPS and Bashlite-ARM/MIPS samples), we evaluated the effectiveness of our method. Although the number of samples was not sufficient, this paper shows a future direction for calculating the similarity. |
Keyword(in Japanese) | (See Japanese page) |
Keyword(in English) | Internet of Things / Malware analysis / Intermediate representation / N-gram / Jaccard similarity |
Paper # | IA2018-2,ICSS2018-2 |
Date of Issue | 2018-06-18 (IA, ICSS) |
Conference Information | |
Committee | ICSS / IA |
---|---|
Conference Date | 2018/6/25(2days) |
Place (in Japanese) | (See Japanese page) |
Place (in English) | Ehime University |
Topics (in Japanese) | (See Japanese page) |
Topics (in English) | Internet Security, etc. |
Chair | Yoshiaki Shiraishi(Kobe Univ.) / Katsuyoshi Iida(Hokkaido Univ.) |
Vice Chair | Hiroki Takakura(NII) / Katsunari Yoshioka(Yokohama National Univ.) / Rei Atarashi(IIJ) / Hiroyuki Osaki(Kwansei Gakuin Univ.) / Toru Kondo(Hiroshima Univ.) |
Secretary | Hiroki Takakura(NTT) / Katsunari Yoshioka(NICT) / Rei Atarashi(Tokyo Metropolitan Univ.) / Hiroyuki Osaki(TOYOTA-IT) / Toru Kondo(NEC) |
Assistant | Akira Yamada(KDDI labs.) / Keisuke Kito(Mitsubishi Electric) / Kenji Ohira(Tokushima Univ.) / Ryohei Banno(Tokyo Inst. of Tech.) |
Paper Information | |
Registration To | Technical Committee on Information and Communication System Security / Technical Committee on Internet Architecture |
---|---|
Language | JPN |
Title (in Japanese) | (See Japanese page) |
Sub Title (in Japanese) | (See Japanese page) |
Title (in English) | Calculating Similarity between IoT Malware Samples over CPU Architectures |
Sub Title (in English) | |
Keyword(1) | Internet of Things |
Keyword(2) | Malware analysis |
Keyword(3) | Intermediate representation |
Keyword(4) | N-gram |
Keyword(5) | Jaccard similarity |
1st Author's Name | Ryoichi Isawa |
1st Author's Affiliation | NICT(NICT) |
2nd Author's Name | Tao Ban |
2nd Author's Affiliation | NICT(NICT) |
3rd Author's Name | Ying Tie |
3rd Author's Affiliation | Yokohama National University(YNU) |
4th Author's Name | Katsunari Yoshioka |
4th Author's Affiliation | Yokohama National University/NICT(YNU/NICT) |
5th Author's Name | Daisuke Inoue |
5th Author's Affiliation | NICT(NICT) |
Date | 2018-06-25 |
Paper # | IA2018-2,ICSS2018-2 |
Volume (vol) | vol.118 |
Number (no) | IA-108,ICSS-109 |
Page | pp.7-12(IA), pp.7-12(ICSS) |
#Pages | 6 |
Date of Issue | 2018-06-18 (IA, ICSS) |