
Graph-Based Comparison of IoT and Android Malware

  • Conference paper
Computational Data and Social Networks (CSoNet 2018)

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 11280)


Abstract

The growth in the number of Android and Internet of Things (IoT) devices has been accompanied by a parallel increase in the number of malicious software (malware) samples that run on both platforms and affect their ecosystems. Understanding this malware is therefore essential for detecting it. In this work, we present a comparative study of Android and IoT malware through the lens of graph measures: we construct abstract structures, using the control flow graph (CFG), to represent malware binaries, and we use those structures to conduct an in-depth analysis of the malicious graphs extracted from the Android and IoT malware. By reversing 2,874 and 201 malware binaries corresponding to the IoT and Android platforms, respectively, we extract their CFGs and analyze them across both general characteristics, such as the number of nodes and edges, and graph-algorithmic constructs, such as average shortest path, betweenness, closeness, and density. Using the CFG as an abstract structure, we highlight several findings: the prevalence of unreachable code in Android malware, visible as multiple components in their CFGs; and the higher density, stronger closeness and betweenness, and larger number of nodes in the Android malware compared to the IoT malware, which reflects its higher order of complexity. We also note that the number of edges in Android malware is larger than that in IoT malware, indicating a richer flow structure in those samples despite their structural simplicity (number of nodes). We observe that most of these graph-based properties can be used as discriminative features for classification.
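
The features named in the abstract (node and edge counts, number of components, density, average shortest path, closeness, betweenness) can be computed from a CFG with plain graph algorithms. The following is an added example, not code from the paper or its authors: it builds a small constructed CFG (basic blocks as nodes, branches and fall-throughs as directed edges, with two blocks deliberately unreachable from the entry point to mimic the unreachable code the abstract reports in Android malware) and computes each measure in pure Python. The toy CFG, the function names and the choice of outgoing-distance closeness are assumptions of this example; a real pipeline would obtain the graph from a disassembler.

```python
"""Graph-based CFG features for malware characterization.

Added example (not the paper's code). The CFG below is constructed by hand:
a node is a basic block, a directed edge is a branch or fall-through.
"dead" and "dead2" are never reached from "entry", so the graph has two
weakly connected components, the signal the abstract associates with
unreachable code.
"""
from collections import deque

# Constructed toy CFG: block -> list of successor blocks (directed edges)
TOY_CFG = {
    "entry": ["check", "init"],
    "init": ["check"],
    "check": ["loop", "exit"],
    "loop": ["body"],
    "body": ["check"],
    "exit": [],
    "dead": ["dead2"],   # unreachable from entry
    "dead2": [],
}


def node_count(g):
    return len(g)


def edge_count(g):
    return sum(len(succ) for succ in g.values())


def density(g):
    """Directed density: edges over the n(n-1) possible ordered pairs."""
    n = len(g)
    return edge_count(g) / (n * (n - 1)) if n > 1 else 0.0


def bfs_distances(g, src):
    """Hop distances from src to every block reachable from it."""
    dist = {src: 0}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        for v in g[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist


def weak_components(g):
    """Number of weakly connected components (edge direction ignored)."""
    undirected = {u: set() for u in g}
    for u, succ in g.items():
        for v in succ:
            undirected[u].add(v)
            undirected[v].add(u)
    seen, components = set(), 0
    for start in g:
        if start in seen:
            continue
        components += 1
        stack = [start]
        while stack:
            x = stack.pop()
            if x in seen:
                continue
            seen.add(x)
            stack.extend(undirected[x] - seen)
    return components


def average_shortest_path(g):
    """Mean hop distance over all ordered pairs that are actually connected."""
    total, pairs = 0, 0
    for u in g:
        for v, d in bfs_distances(g, u).items():
            if v != u:
                total += d
                pairs += 1
    return total / pairs if pairs else 0.0


def closeness(g):
    """Outgoing closeness with the Wasserman-Faust correction for
    disconnected graphs: (reachable / sum of distances) * (reachable / (n-1))."""
    n = len(g)
    result = {}
    for u in g:
        d = bfs_distances(g, u)
        reachable, total = len(d) - 1, sum(d.values())
        result[u] = (reachable / total) * (reachable / (n - 1)) if total else 0.0
    return result


def betweenness(g):
    """Unnormalized betweenness for a directed graph (Brandes' algorithm)."""
    bc = {v: 0.0 for v in g}
    for s in g:
        order, pred = [], {v: [] for v in g}
        sigma = {v: 0 for v in g}          # number of shortest paths from s
        dist = {v: -1 for v in g}
        sigma[s], dist[s] = 1, 0
        queue = deque([s])
        while queue:                        # BFS recording shortest-path DAG
            v = queue.popleft()
            order.append(v)
            for w in g[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    pred[w].append(v)
        delta = {v: 0.0 for v in g}
        while order:                        # back-propagate dependencies
            w = order.pop()
            for v in pred[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                bc[w] += delta[w]
    return bc


def cfg_features(g):
    """Feature vector a classifier could consume, one row per sample."""
    return {
        "nodes": node_count(g),
        "edges": edge_count(g),
        "components": weak_components(g),
        "density": density(g),
        "avg_shortest_path": average_shortest_path(g),
        "max_betweenness": max(betweenness(g).values()),
        "max_closeness": max(closeness(g).values()),
    }


if __name__ == "__main__":
    for name, value in cfg_features(TOY_CFG).items():
        print(f"{name:18s} {value}")
```

On the toy graph the `components` feature is 2 because of the two dead blocks, and `check` carries the highest betweenness since every path from the prologue to the loop body or the exit passes through it; on real samples the same functions would be run over the CFG of each binary and the resulting rows used as the discriminative features the abstract describes.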

This work is supported by the NSF grant CNS-1809000, NRF grant 2016K1A1A2912757, Florida Center for Cybersecurity (FC2) seed grant, and support by the Air Force Research Lab. This work would not have been possible without the support of Ernest J. Gemeinhart.




Correspondence to Daehun Nyang or Aziz Mohaisen .


Copyright information

© 2018 Springer Nature Switzerland AG

About this paper


Cite this paper

Alasmary, H., Anwar, A., Park, J., Choi, J., Nyang, D., Mohaisen, A. (2018). Graph-Based Comparison of IoT and Android Malware. In: Chen, X., Sen, A., Li, W., Thai, M. (eds) Computational Data and Social Networks. CSoNet 2018. Lecture Notes in Computer Science(), vol 11280. Springer, Cham. https://doi.org/10.1007/978-3-030-04648-4_22


  • DOI: https://doi.org/10.1007/978-3-030-04648-4_22


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-04647-7

  • Online ISBN: 978-3-030-04648-4

