Malware Detection in IoT

In 2016 a series of incidents drew keen interest to the security of IoT. Among them were record DDoS attacks against the French hosting provider OVH and the US DNS provider Dyn. It is known that these attacks were launched using a massive botnet consisting of routers, IP cameras, printers and other devices.

Last year the world also learned about an enormous botnet consisting of nearly five million routers. The German telecommunications giant Deutsche Telekom also faced router hacking after devices used by the operator's clients were infected with Mirai. The attacks did not stop at network equipment: security problems were also found in intelligent Miele dishwashers and AGA ovens. The “frosting on the cake” is the BrickerBot worm, which did not just infect vulnerable devices like most of its “peers” but actually rendered them completely unserviceable [1].

According to representatives of Kaspersky, they recorded attacks arriving not only from network equipment classified as home devices but also from enterprise-grade hardware, without the knowledge of its corporate owners.

“Even more disturbing is the fact that among all the IP addresses from which there were attacks, there were some which hosted monitoring and/or device management systems with corporate and security ties”, – researchers say [2].

Figure 1: Timeline of the most famous malware for IoT.

The devices analysed include point-of-sale devices in shops, restaurants and gas stations; digital TV broadcasting systems; physical security and access control systems; and environmental monitoring devices.

Researchers also found malicious software infecting a monitoring system at a seismic station in Bangkok, as well as industrial programmable microcontrollers and supply management systems in other places.

In the honeypots (baits), attacks from China, Vietnam, Russia, Brazil and Turkey were observed.

“The increasing number of malicious applications intended for IoT devices and the related security incidents shows how serious the security of smart devices is. 2016 showed that these threats are not only conceptual but also very real”, – researchers say. “The existing competition in the DDoS market induces cybercriminals to look for new resources for launching more and more powerful attacks”.

Kaspersky recommends not allowing access to devices from outside their local area network unless this is specifically required for the use of the device. All network services that are not needed should also be disabled. Default passwords should be changed; if they cannot be changed, the network services that use these passwords should be disabled, or access to the devices from outside the local area network should be turned off.

To detect abnormal behaviour in the existing mobile environment (malicious software, viruses, worms, etc.), signature-based detection, behaviour-based detection and analysis-based detection have been applied. Research trends are summarised in the table below according to detection method and collected data:

Table 1: Malware Detection Techniques.

| Detection technique | Collected data | Description |
|---|---|---|
| Signature-based technique | Executable file analysis | Uses the readelf command to carry out static analysis on executable files using system calls |
| Signature-based technique | Source code analysis | Uses the Android sandbox to carry out static/dynamic analysis on applications |
| Signature-based technique | Packet analysis | Uses functions such as packet preprocessing and pattern matching to detect malware |
| Signature-based technique | API call history | Collects system events of upper layers and monitors their API calls to detect malware |
| Behavior-based technique | System log data | Detects anomalies in terms of Linux kernels and monitors traffic, kernel system calls, and file system log data by users |
| Behavior-based technique | SMS, Bluetooth | Lightweight agents operating in smartphones record service activities such as usage of SMS or Bluetooth, comparing the recorded results with the user's average values to analyze whether there is an intrusion or not |
| Behavior-based technique | Battery consumption | Monitors abnormal battery consumption of smartphones to detect intrusion by newly created or currently known attacks |
| Behavior-based technique | System call | Monitors system calls of the smartphone kernel to detect external attacks through outsourcing |
| Behavior-based technique | Process information | Continuously monitors logs and events and classifies them into normal and abnormal information |
| Dynamic analysis technique | Data marking | Analyzes malware by carrying out static taint analysis for Java source code |
| Dynamic analysis technique | Data marking | Modifies stack frames to add taint tags into local variables and method arguments and traces the propagation process through tags to analyze malware |

Signature-based detection is the traditional method used to detect malicious software in the PC environment. Static and dynamic methods are used together to determine the signature. Static analysis targets source and object code and analyses the code without actually running the program. It decompiles the malicious software to detect the vulnerabilities arising in commands, instructions, etc. Dynamic analysis searches for certain patterns in memory leaks, traffic flow and data flow while the program is actually running. However, applying this method in the mobile environment requires a large amount of memory, and the performance overhead of pattern matching is high.

Signature-based technologies track known threats. In computing, all objects have attributes which can be used to create a unique signature. Algorithms can quickly and effectively scan an object to determine its digital signature [3]. When an anti-malware solution provider identifies an object as malicious, its signature is added to a database of known malware. These databases may contain hundreds of millions of signatures which identify malicious objects. This method of identifying malicious objects has been the main method used by anti-malware products and remains the basic approach used by the latest firewalls, mail and network gateways.

Signature-based malware detection has a number of advantages, the main one being that it is well known and well understood: the very first anti-virus programs used this approach. It is also fast, simple to operate and widely available. Above all, it provides proper protection against the many millions of old but still active threats.

Verifying that a new file is malicious can be difficult and time-consuming, and often the malicious application has already evolved by then. Cisco's 2017 Annual Cybersecurity Report found that 95 % of the malware files they analysed were not even 24 hours old, which indicates a fast “time to evolve”. The delay in detecting new forms of malicious software leaves corporations vulnerable to severe losses.

Modern malicious software often strikes immediately, within a short period. For example, “Puzzle” begins deleting files within 24 hours. HDDcryptor infected 2000 systems at the San Francisco municipal transport agency before it was found. Waiting for a signature while vulnerable to infection is therefore very risky.

The other problem is that modern malicious software can change its signature to avoid detection: signatures are created by studying the internal components of an object, and malware authors change these components while preserving the functionality and behaviour of the object.

There is a set of transformation techniques, including code permutation, register renaming, code expansion and shrinking, and the insertion of garbage code or other constructs.
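The effect of such transformations on a signature database can be seen in a small scanner. This is an added example, not code from the original page: the byte strings are constructed and harmless, and the detection name `Demo.Bot.A`, the wildcard pattern format and the function names are assumptions made for illustration.

```python
import hashlib

# Constructed, harmless bytes standing in for a binary (not real malware).
CORE = bytes([0xA1, 0xB2, 0x00, 0xC3, 0xD4, 0xE5, 0xF6, 0x07, 0x18, 0x29])
ORIGINAL = b"\x7fELFhdr" + CORE + b"end"

# Signature database built from ORIGINAL only; the detection name is made up.
HASH_DB = {hashlib.sha256(ORIGINAL).hexdigest(): "Demo.Bot.A"}
# Byte-pattern signature; None is a wildcard for a byte known to vary.
PATTERN_DB = {"Demo.Bot.A": [0xA1, 0xB2, None, 0xC3, 0xD4, 0xE5, 0xF6, 0x07]}


def match_pattern(data, pattern):
    """Slide the pattern over data; a None entry matches any byte."""
    n = len(pattern)
    return any(
        all(p is None or data[i + j] == p for j, p in enumerate(pattern))
        for i in range(len(data) - n + 1)
    )


def scan(data):
    """Return (hash_hit, pattern_hit); each is a detection name or None."""
    hash_hit = HASH_DB.get(hashlib.sha256(data).hexdigest())
    pattern_hit = next(
        (name for name, pat in PATTERN_DB.items() if match_pattern(data, pat)), None
    )
    return hash_hit, pattern_hit


def scan_variants():
    """Scan the original and three transformed copies with unchanged 'behaviour'."""
    variants = {
        "original": ORIGINAL,
        "junk_appended": ORIGINAL + b"\x00" * 16,
        "operand_changed": ORIGINAL.replace(CORE, CORE[:2] + b"\x7f" + CORE[3:]),
        "junk_inside_code": ORIGINAL.replace(CORE, CORE[:4] + b"\xee\xee" + CORE[4:]),
    }
    return {name: scan(data) for name, data in variants.items()}


if __name__ == "__main__":
    for name, (hash_hit, pattern_hit) in scan_variants().items():
        print(f"{name:18} hash={hash_hit} pattern={pattern_hit}")
```

The whole-file hash misses every changed copy, the wildcard pattern survives only the changes its author anticipated, and garbage inserted inside the matched region defeats both.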

Behaviour-based detection identifies an intrusion by comparing predetermined attack patterns with the behaviour of the processes running in the system. It has recently been one of the research areas receiving the greatest attention because of the limited ability of signature-based detection to catch malicious behaviour. To find abnormal patterns, it generally monitors event information arising from smartphone functions such as memory use, SMS content and battery consumption. Host-based detection (direct monitoring of information on the device) and network-based detection (collecting information from the network) are both commonly used. Because host-based detection increases battery and memory use on the smartphone, the approach generally used is to collect data on the device and transfer it to an external analysis server. In addition, machine learning is used to improve the analysis of dynamic data. It is therefore crucial to select suitable features to collect and an appropriate machine learning algorithm for accurate detection.
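The comparison of recorded activity with the user's average values can be sketched as a per-feature baseline that the external analysis server applies to records sent by the on-device agent. This is an added example, not from the original page: the field names, the constructed hourly records and the three-sigma threshold are assumptions, and a simple z-score stands in for the machine learning step.

```python
from statistics import mean, stdev

FEATURES = ("sms_sent", "battery_pct_drop", "mem_mb")

# Constructed hourly records from a lightweight on-device agent (hypothetical fields).
BASELINE = [
    {"sms_sent": 1, "battery_pct_drop": 4.0, "mem_mb": 310},
    {"sms_sent": 0, "battery_pct_drop": 3.5, "mem_mb": 295},
    {"sms_sent": 2, "battery_pct_drop": 5.0, "mem_mb": 320},
    {"sms_sent": 1, "battery_pct_drop": 4.5, "mem_mb": 305},
    {"sms_sent": 0, "battery_pct_drop": 3.0, "mem_mb": 300},
    {"sms_sent": 1, "battery_pct_drop": 4.0, "mem_mb": 315},
]


def build_profile(records):
    """Per-feature (mean, standard deviation) of the user's normal activity."""
    profile = {}
    for f in FEATURES:
        values = [r[f] for r in records]
        profile[f] = (mean(values), stdev(values))
    return profile


def score(record, profile, threshold=3.0, min_sigma=0.5):
    """Return {feature: z} for features more than `threshold` sigmas from the mean."""
    flagged = {}
    for f, (mu, sigma) in profile.items():
        # Floor sigma so a nearly flat baseline does not flag tiny changes.
        z = (record[f] - mu) / max(sigma, min_sigma)
        if abs(z) > threshold:
            flagged[f] = round(z, 1)
    return flagged


def classify(record, profile):
    """Label one record and list the features that made it abnormal."""
    flagged = score(record, profile)
    return ("abnormal" if flagged else "normal"), sorted(flagged)


if __name__ == "__main__":
    profile = build_profile(BASELINE)
    quiet = {"sms_sent": 1, "battery_pct_drop": 4.5, "mem_mb": 312}
    burst = {"sms_sent": 25, "battery_pct_drop": 12.0, "mem_mb": 318}
    print(classify(quiet, profile))
    print(classify(burst, profile))
```

Which features are collected decides what such a baseline can see: the constructed SMS burst is caught through message count and battery drain, while memory use stays within the user's normal range.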

Evaluating malicious code and its behaviour during execution is called dynamic analysis. A threat or malicious intent can also be assessed by static analysis, which looks for dangerous capabilities in the code and structure of an object.

Although no solution is entirely reliable, behavioural detection still allows technologies to reveal new and unknown threats in real time. Some examples of where behaviour-based technology succeeds when signature-based systems do not work:

  • protection against new and unforeseen types of malicious attacks,
  • detection of an individual copy of malicious software aimed at a person or an organisation,
  • determination of what malicious software does in a specific environment when files are opened,
  • obtaining exhaustive information on malicious software.

There are several essential limitations to be aware of. If a malicious application determines that it is running in an isolated software environment, it will try to avoid detection by reducing its malicious actions. It is critical that the “sandbox” remains undetectable, and most of them are not.

Analysing the behaviour of an object also takes time; while static analysis can be done in real time, dynamic analysis can introduce latency while the object is executed. In addition, many behavioural solutions are exclusively cloud-based, which can be a problem for some organisations. Ordinary “sandbox” technologies have limited visibility and can evaluate only the interaction between an object and the operating system. By watching 100 % of the actions a malicious object can take, even when it delegates these actions to the operating system or other programs, it is possible to evaluate not only the communication of the malicious software with the operating system but also each instruction processed by the processor.

Advanced solutions for detecting malicious applications watch and evaluate every line of code executed by the malicious software in context. They analyse all requests for access to specific files, processes, connections or services. This includes every instruction executed at the level of the operating system or of other programs that were invoked, including low-level code hidden by rootkits.

The technology identifies all malicious or, at least, suspicious actions which, taken together, make it very clear that the file is malicious before it is released into the network to actually carry out any potentially dangerous behaviour [4].

Like signature-based detection of malicious applications, the behavioural method is important and has its advantages. The best security is achieved by using both technologies. Too many security professionals are misled by vendors advertising next-generation firewalls and other “modern” security products. They do not understand that these “latest” products rely only on the decade-old signature-based approach to detecting malicious applications, which will miss evasive malicious applications and zero-day attacks.


[3] R. Khan, S. U. Khan, R. Zaheer, S. Khan, “Future Internet: The Internet of Things architecture possible applications and key challenges”, Proc. 10th Int. Conf. FIT, pp. 257-260, Dec. 2012.
[4] H. Kumarage, I. Khalil, A. Alabdulatif, Z. Tari, X. Yi, “Secure data analytics for the cloud-integrated Internet of Things applications”, IEEE Cloud Comput., vol. 3, no. 2, pp. 46-56, Mar. 2016.
en/iot-open/security_and_privacy_in_iot_ume/iot_security/malware_detection_in_the_iot.txt · Last modified: 2020/07/20 09:00 by 127.0.0.1
CC Attribution-Share Alike 4.0 International