Skip to main content
Springer Nature Link
Log in

Graph-Based Classification of IoT Malware Families Enhanced by Fuzzy Hashing

  • Conference paper
  • First Online:
Internet of Things (IFIPIoT 2024)

Part of the book series: IFIP Advances in Information and Communication Technology ((IFIPAICT,volume 737))

Included in the following conference series:

  • 92 Accesses

Abstract

The proliferation of Internet of Things (IoT) devices has led to an increase in IoT malware, posing a significant cybersecurity threat. Detecting and mitigating this threat is challenging due to the diverse CPU architectures in IoT malware families and the limited resources of IoT devices. Specialized detection methods are needed to identify malware across different platforms, while lightweight mechanisms are required to minimize resource strain. This paper introduces a novel graph-based framework, Aggregated Weighted Graph of Hashes (AWGH), to tackle the CPU diversity challenge. The framework leverages Function Call Graphs (FCGs) and fuzzy hashing to capture the structural and code characteristics of IoT malware. By utilizing static analysis techniques, the framework can efficiently group new malware samples and identify similarities with existing families, even in the case of unknown malware to mitigate potential risks before they cause significant damage. FCGs are generated using IDA Pro [1], and fuzzy hashes are calculated using ssdeep [2]. The framework is implemented in Python and evaluated using a dataset from VirusTotal [3] through 10-fold cross-validation. The experimental results demonstrate the effectiveness of the proposed framework in accurately classifying the IoT malware into IoT malware families across various CPU architectures (MIPS, ARM, i386, PowerPC, and AMD64).

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    Fuzzy hash.

References

  1. SA, H.-R.: Ida pro. https://www.hex-rays.com. Accessed Nov 2020

  2. ssdeep project. https://github.com/ssdeep-project/ssdeep. Accessed Nov 2020

  3. Virustotal-free online virus, malware and URL scanner. https://www.virustotal.com. Accessed Nov 2020

  4. Gopal, T. S., Meerolla, M., Jyostna, G., Eswari, P.R.L., Magesh, E.: Mitigating mirai malware spreading in IoT environment. In: 2018 International Conference on Advances in Computing, Communications and Informatics (ICACCI), pp. 2226–2230. IEEE (2018)

    Google Scholar 

  5. Kambourakis, G., Kolias, C., Stavrou, A.: The mirai botnet and the IoT zombie armies. In: MILCOM 2017-2017 IEEE Military Communications Conference (MILCOM), pp. 267–272. IEEE (2017)

    Google Scholar 

  6. Kumar, A., Lim, T.J.: Early detection of Mirai-like IoT bots in large-scale networks through sub-sampled packet traffic analysis. In: Arai, K., Bhatia, R. (eds.) FICC 2019. LNNS, vol. 70, pp. 847–867. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-12385-7_58

    Chapter  MATH  Google Scholar 

  7. Tanaka, H., Yamaguchi, S.: On modeling and simulation of the behavior of IoT malwares Mirai and Hajime. In: 2017 IEEE International Symposium on Consumer Electronics (ISCE), pp. 56–60. IEEE (2017)

    Google Scholar 

  8. Chang, K.-C., Tso, R., Tsai, M.-C.: IoT sandbox: to analysis IoT malware Zollard. In: Proceedings of the Second International Conference on Internet of things, Data and Cloud Computing, p. 4. ACM (2017)

    Google Scholar 

  9. Sivanathan, A., Sherratt, D., Gharakheili, H.H., Sivaraman, V., Vishwanath, A.: Low-cost flow-based security solutions for smart-home IoT devices. In: 2016 IEEE International Conference on Advanced Networks and Telecommunications Systems (ANTS), pp. 1–6. IEEE (2016)

    Google Scholar 

  10. Doshi, R., Apthorpe, N., Feamster, N.: Machine learning DDOS detection for consumer internet of things devices. In: 2018 IEEE Security and Privacy Workshops (SPW), pp. 29–35. IEEE (2018)

    Google Scholar 

  11. Ozawa, S., Ban, T., Hashimoto, N., Nakazato, J., Shimamura, J.: A study of IoT malware activities using association rule learning for darknet sensor data. Int. J. Inf. Secur. 19(1), 83–92 (2020)

    Article  Google Scholar 

  12. Jamal, A., Hayat, M.F., Nasir, M.: Malware detection and classification in IoT network using ANN. Mehran Univ. Res. J. Eng. Technol. 41(1), 80–91 (2022)

    Article  MATH  Google Scholar 

  13. Wang, B., Dou, Y., Sang, Y., Zhang, Y., Huang, J.: IoTCMAL: towards a hybrid IoT honeypot for capturing and analyzing malware. In: ICC 2020 - 2020 IEEE International Conference on Communications (ICC), pp. 1–7 (2020)

    Google Scholar 

  14. Luo, T., Xu, Z., Jin, X., Jia, Y., Ouyang, X.: IoTcandyJar: towards an intelligent-interaction honeypot for IoT devices. Black Hat (2017)

    Google Scholar 

  15. Feng, X., Li, Q., Wang, H., Sun, L.: Acquisitional rule-based engine for discovering internet-of-things devices. In: 27th \(\{\)USENIX\(\}\) Security Symposium (\(\{\)USENIX\(\}\) Security 18), pp. 327–341 (2018)

    Google Scholar 

  16. Oosterhof, M.: Cowrie SSH/Telnet honeypot (2016)

    Google Scholar 

  17. Kumar, S., Kumar, A.: Image-based malware detection based on convolution neural network with autoencoder in industrial internet of things using software defined networking honeypot. Eng. Appl. Artif. Intell. 133, 108374 (2024)

    Article  MATH  Google Scholar 

  18. Alhanahnah, M., Lin, Q., Yan, Q., Zhang, N., Chen, Z.: Efficient signature generation for classifying cross-architecture IoT malware. In: 2018 IEEE Conference on Communications and Network Security (CNS), pp. 1–9. IEEE (2018)

    Google Scholar 

  19. Su, J., Vasconcellos, V.D., Prasad, S., Daniele, S., Feng, Y., Sakurai, K.: Lightweight classification of IoT malware based on image recognition. In: 2018 IEEE 42nd Annual Computer Software and Applications Conference (COMPSAC), vol. 2, pp. 664–669. IEEE (2018)

    Google Scholar 

  20. Naeem, H., Guo, B., Naeem, M.R.: A light-weight malware static visual analysis for IoT infrastructure. In: 2018 International Conference on Artificial Intelligence and Big Data (ICAIBD), pp. 240–244. IEEE (2018)

    Google Scholar 

  21. Isawa, R., Ban, T., Tie, Y., Yoshioka, K., Inoue, D.: Evaluating disassembly-code based similarity between IoT malware samples. In: 2018 13th Asia Joint Conference on Information Security (AsiaJCIS), pp. 89–94. IEEE (2018)

    Google Scholar 

  22. Pa, Y.M.P., Suzuki, S., Yoshioka, K., Matsumoto, T., Kasama, T., Rossow, C.: IoTpot: analysing the rise of IoT compromises. In: 9th \(\{\)USENIX\(\}\) Workshop on Offensive Technologies (\(\{\)WOOT\(\}\) 15) (2015)

    Google Scholar 

  23. Azmoodeh, A., Dehghantanha, A., Choo, K.-K.R.: Robust malware detection for internet of (battlefield) things devices using deep eigenspace learning. IEEE Trans. Sustain. Comput. (2018)

    Google Scholar 

  24. Pitolli, G., Laurenza, G., Aniello, L., Querzoni, L., Baldoni, R.: Malfamaware: automatic family identification and malware classification through online clustering. Int. J. Inf. Secur. 1–16 (2020)

    Google Scholar 

  25. Dib, M., Torabi, S., Bou-Harb, E., Assi, C.: A multi-dimensional deep learning framework for IoT malware classification and family attribution. IEEE Trans. Netw. Serv. Manag. 18(2), 1165–1177 (2021)

    Article  Google Scholar 

  26. Chaganti, R., Ravi, V., Pham, T.D.: Deep learning based cross architecture internet of things malware detection and classification. Comput. Secur. 120, 102779 (2022)

    Article  Google Scholar 

  27. Rahat, M.A., Banerjee, V., Bloom, G., Zhuang, Y.: Cimalir: cross-platform IoT malware clustering using intermediate representation. In: 2024 IEEE 14th Annual Computing and Communication Workshop and Conference (CCWC), pp. 0460–0466 (2024)

    Google Scholar 

  28. Sikder, A.K., Petracca, G., Aksu, H., Jaeger, T., Uluagac, A.S.: A survey on sensor-based threats to internet-of-things (IoT) devices and applications. arXiv preprint arXiv:1802.02041 (2018)

  29. Hasan, R., Saxena, N., Haleviz, T., Zawoad, S., Rinehart, D.: Sensing-enabled channels for hard-to-detect command and control of mobile devices. In: Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security, pp. 469–480. ACM (2013)

    Google Scholar 

  30. Azmoodeh, A., Dehghantanha, A., Conti, M., Choo, K.-K.R.: Detecting crypto-ransomware in IoT networks based on energy consumption footprint. J. Ambient Intell. Human. Comput. 1–12 (2017)

    Google Scholar 

  31. Caviglione, L., Gaggero, M., Lalande, J.-F., Mazurczyk, W., Urbański, M.: Seeing the unseen: revealing mobile malware hidden communications via energy consumption and artificial intelligence. IEEE Trans. Inf. Forensics Secur. 11(4), 799–810 (2015)

    Article  Google Scholar 

  32. HaddadPajouh, H., Dehghantanha, A., Khayami, R., Choo, K.-K.R.: A deep recurrent neural network based approach for internet of things malware threat hunting. Futur. Gener. Comput. Syst. 85, 88–96 (2018)

    Article  Google Scholar 

  33. Alasmary, H., Anwar, A., Park, J., Choi, J., Nyang, D., Mohaisen, A.: Graph-based comparison of IoT and android malware. In: Chen, X., Sen, A., Li, W.W., Thai, M.T. (eds.) CSoNet 2018. LNCS, vol. 11280, pp. 259–272. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-04648-4_22

    Chapter  Google Scholar 

  34. Pa, Y.M.P., Suzuki, S., Yoshioka, K., Matsumoto, T., Kasama, T., Rossow, C.: IoTpot: analysing the rise of IoT compromises. In: 9th USENIX Workshop on Offensive Technologies (WOOT 15), (Washington, D.C.), USENIX Association (2015)

    Google Scholar 

  35. Alasmary, H., et al.: Analyzing and detecting emerging internet of things malware: a graph-based approach. IEEE Internet Things J. 6(5), 8977–8988 (2019)

    Article  MATH  Google Scholar 

  36. Public cyberiocs repository. https://freeiocs.cyberiocs.pro/. Accessed Nov 2020

  37. Alasmary, H., et al.: Poster: analyzing, comparing, and detecting emerging malware: a graph-based approach (2019)

    Google Scholar 

  38. Nguyen, H.-T., Ngo, Q.-D., Le, V.-H.: A novel graph-based approach for IoT botnet detection. Int. J. Inf. Secur. 1–11 (2019)

    Google Scholar 

  39. Nguyen, H.-T., Ngo, Q.-D., Nguyen, D.-H., Le, V.-H.: Psi-rooted subgraph: A novel feature for IoT botnet detection using classifier algorithms. ICT Express (2020)

    Google Scholar 

  40. Pahl, M.-O., Aubet, F.-X., Liebald, S.: Graph-based IoT microservice security. NOMS 2018-2018 IEEE/IFIP Network Operations and Management Symposium, pp. 1–3. IEEE (2018)

    Google Scholar 

  41. Abusnaina, A, et al.: Breaking graph-based IoT malware detection systems using adversarial examples: poster. In: Proceedings of the 12th Conference on Security and Privacy in Wireless and Mobile Networks, pp. 290–291 (2019)

    Google Scholar 

  42. Nguyen, H.-T., Ngo, Q.-D., Le, V.-H.: IoT botnet detection approach based on psi graph and DGCNN classifier. In: 2018 IEEE International Conference on Information Communication and Signal Processing (ICICSP), pp. 118–122. IEEE (2018)

    Google Scholar 

  43. Darabian, H., Dehghantanha, A., Hashemi, S., Homayoun, S., Choo, K.-K.R.: An opcode-based technique for polymorphic internet of things malware detection. Concurr. Comput. Pract. Exp. 32(6), e5173 (2020)

    Article  Google Scholar 

  44. Nguyen, H.-T., Nguyen, D.-H., Ngo, Q.-D., Tran, V.-H., Le, V.-H.: Towards a rooted subgraph classifier for IoT botnet detection. In: Proceedings of the 2019 7th International Conference on Computer and Communications Management, pp. 247–251 (2019)

    Google Scholar 

  45. Wu, C.-Y., Ban, T., Cheng, S.-M., Takahashi, T., Inoue, D.: IoT malware classification based on reinterpreted function-call graphs. Comput. Secur. 125, 103060 (2023)

    Article  Google Scholar 

  46. Li, Y., Sundaramurthy, S.C., Bardas, A.G., Ou, X., Caragea, D., Hu, X., Jang, J.: Experimental study of fuzzy hashing in malware clustering analysis. In: 8th Workshop on Cyber Security Experimentation and Test (\(\{\)CSET\(\}\) 15) (2015)

    Google Scholar 

  47. Mirzaei, O., Suarez-Tangil, G., de Fuentes, J.M., Tapiador, J., Stringhini, G.: Andrensemble: Leveraging API ensembles to characterize android malware families. In: Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security, pp. 307–314 (2019)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. University of New Brunswick, Fredericton, NB, Canada

    Nastaran Mahmoudyar, Ali A. Ghorbani & Arash Habibi Lashkari

Authors
  1. Nastaran Mahmoudyar
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Ali A. Ghorbani
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Arash Habibi Lashkari
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Nastaran Mahmoudyar .

Editor information

Editors and Affiliations

  1. Université Côte d’Azur, CNRS, I3S, Sophia Antipolis, France

    Gaëtan Rey

  2. Université Côte d'Azur, CNRS, I3S, Sophia Antipolis, France

    Jean-Yves Tigli

  3. Université Côte d’Azur, Polytech‘Lab, Sophia Antipolis, France

    Erwin Franquet

Rights and permissions

Reprints and permissions

Copyright information

© 2025 IFIP International Federation for Information Processing

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Mahmoudyar, N., Ghorbani, A.A., Lashkari, A.H. (2025). Graph-Based Classification of IoT Malware Families Enhanced by Fuzzy Hashing. In: Rey, G., Tigli, JY., Franquet, E. (eds) Internet of Things. IFIPIoT 2024. IFIP Advances in Information and Communication Technology, vol 737. Springer, Cham. https://doi.org/10.1007/978-3-031-81900-1_8

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-81900-1_8

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-81899-8

  • Online ISBN: 978-3-031-81900-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships