ATLAS: A Practical Attack Detection and Live Malware Analysis System for IoT Threat Intelligence

  • Conference paper
  • Information Security (ISC 2022)

Abstract

Recently, malware targeting IoT devices has become more prevalent. In this paper, we propose a practical ATtack detection and Live malware Analysis System (ATLAS) that provides up-to-date threat intelligence for IoT. ATLAS consists of a hybrid IoT honeypot infrastructure, attack attribution, a malware downloader and a live malware analysis system. Since deployment, ATLAS has received 859 distinct malware binaries targeting 17 real IoT devices. When compared with VirusTotal timestamps, 65% of these samples were seen first by our infrastructure or are still unknown to VirusTotal to date. Through static and dynamic analysis of 17 malware samples, we are able to identify not only the attack vectors but also the command and control (C&C) communication methods and other characteristics. We show that a novel adaptive clustering technique is capable of performing automated malware analysis to detect known malware families as well as 0-day malware. Evaluation with 204 ARM 32-bit malware samples results in the detection of 44 clusters. Further in-depth analysis of the selected samples that form new clusters (potential 0-day malware) indicates that they are indeed novel variants of IoT malware using evolving attack vectors: 17 binaries formed new clusters and belonged neither to any known cluster nor to VirusTotal.

Acknowledgements

This work is supported by the National Research Foundation of Singapore under its National Satellite of Excellence Programme entitled “Design Science and Technology for Secure Critical Infrastructure” (Award Number: NSoE_DeST-SCI2019-0002).

Author information

Corresponding author: Yan Lin Aung.

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Aung, Y.L., Ochoa, M., Zhou, J. (2022). ATLAS: A Practical Attack Detection and Live Malware Analysis System for IoT Threat Intelligence. In: Susilo, W., Chen, X., Guo, F., Zhang, Y., Intan, R. (eds) Information Security. ISC 2022. Lecture Notes in Computer Science, vol 13640. Springer, Cham. https://doi.org/10.1007/978-3-031-22390-7_19

  • DOI: https://doi.org/10.1007/978-3-031-22390-7_19

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-22389-1

  • Online ISBN: 978-3-031-22390-7

  • eBook Packages: Computer Science (R0)