IoT Malware Detection through Threshold Random Walks

Candidate: Botticelli Biagio
Advisor: Prof. Leonardo Querzoni
Co-Advisor: Dott. Giuseppe Laurenza
Master of Science in Engineering in Computer Science - A.Y. 2016 - 2017
IoT Malware Detection
through
Threshold Random Walks

Anonymity in the Web based on Routing ProtocolsIoT Malware detection through Threshold Random Walks 2
Internet of Things
The Internet of Things describes the vision where objects become part of
the Internet: where every object is uniquely identiﬁed, and accessible to
the network, its position and status known, where services and
intelligence are added to this expanded Internet, fusing the digital and
physical world into a single one.
6.5 Devices per Person
An increased connectivity leads
to an exponential increase in
the threat surface: more smart
technology we add, more likely
is to be hacked from the point
of view of security.

IoT Honeypots: State of the ArtIoT Malware detection through Threshold Random Walks 3
Mirai Example: IoT as a weapon
20th September 2016 : KrebsOnSecurity.com targeted by an
extremely large and unusual Distributed Denial-of-Service
(DDoS) attack of over 660 Gbps of trafﬁc.
Innovative Aspect: the attack was performed by using
direct trafﬁc generated by a botnet of hacked IoT devices
infected by a malware called Mirai.
ThingsBot (or Botnet of Things): automated botnet of
compromised IoT devices (things).
Botmaster
Botnet: robot network of hacked machines (or bots),
which run malicious code under the remote command and
control (C&C) of a botmaster for many malicious activities.
IoT as weapon: from Internet of Things
to Internet of Threats!

IoT Malware
AidraMirai
Tsunami
Linux.Hydra
Chuck Norris Psyb0t
Hajime
Linux/IRCTelnet
LightAidra
RemaintenBASHLITE
Predecessor Successor
Influenced
LEGEND
2008
200920102010
2013
2014 2016
2016
2016
2016
2014

Related Works
• Honeypharm: “the more honeypots there are in different networks , the higher are the chances
to capture new malware samples”.
Key Concept: Distributed Architecture of low-interaction honeypots
• IoTPOT: “the more embedded services are emulated for different CPU architectures, the more
information on existing IoT malware can be obtained”.
Key Concept: Emulation of embedded services for different architectures
• SIPHON: “rather than emulated embedded services, the use of real-existing high interactive
vulnerable IoT devices improves results in attracting cyber-criminals”.
Key Concept: Real embedded vulnerable IoT devices offered to attackers
• Fast Port-scan Detection using SHT: ”the Threshold Random Walk algorithm could be used to
effectively detect the reconnaissance phase of network attacks”.
Key Concept: Threshold Random Walk applied for Malware Detection

Problem Statement & Thesis Contributions
Problem Statement: devices of the Internet of Things are under constant attack of cyber-criminals
since they are typically low secured (or completely unsecure). However, we cannot adopt
traditional lines of defense for malware detection due to computational resource constraints.
Thesis Contributions: design and implement an online detection Threshold Random Walk-
based algorithm which is fast, light and capable to identify attacks even with the low resources
of Internet of Things sensors and objects.
To get more knowledge of attack techniques performed by IoT malware, a Distributed
Architecture of honeypots had been implemented. This architecture should attract modern
attack patterns and capture samples of the newest threats from different locations in the world.

Distributed Honeypot Architecture
Automated Procedure: the DIAG VM daily connects to Cowrie instance in New York and to Cowrie-Dumper
in Singapore to locally download all the obtained data (logs and malware samples) and to restore the
initial honeypot conﬁguration.
Cowrie

in New York

IP: 162.243.211.8
Cowrie-Dumper

in Singapore

IP: 128.199.204.0
DIAG VM

in Rome

IP: 192.168.2.197
DIAG Network
Results: a total number of 332 970 attacking sessions were collected (~100 Gb of data).

Distribution of Top 15 Attacking IPs - NY
New York Cowrie: 294 943 connections, 53 718 originated by different IPs.

Distribution of Top 15 Attack IPs - Singapore
Singapore Cowrie-Dumper: 50 897 connections, 15 250 originated by different IPs.
Observation 2: Only 299 IPs attacked both
New York and Singapore honeypot instances.
Observation 1: Italy is 18th with 133 IPs.

Threshold Random Walk
η1
η0
η2
time
Y1
Y2
Y3
Y4
Y5
Y6
Y7
Y8
Y9
Y10
Λ(Y)
WARNING
H1 = ATTACK
H0 = LEGAL

Attack Patterns & Attack Groups
• Initial Shell Pattern

• Busybox & Busybox Checks

• Connectors

• Malware Download

• Hexadecimal Code
• Malware Creation

• System Exploration

• Kill Processes

• Fingerprinting

• Suspect Files
Dangerousness: the degree of danger of
the command is given by the command
type, contextualized within the type of
interaction that we are considering.
Attack Groups: “fast” data structures in
which to store attack strings, classiﬁed
according to their dangerousness.



• Connectors




• Kill Processes

• Fingerprinting

• Suspect Files
Dangerous
Attack Probability:
99%
Knowledge Base



• Connectors




• Kill Processes

• Fingerprinting

• Suspect Files
High
Attack Probability:
90%
Dangerous
Attack Probability:
99%
Knowledge Base



• Connectors




• Kill Processes

• Fingerprinting

• Suspect Files
High
Attack Probability:
90%
Medium
Attack Probability:
70%
Dangerous
Attack Probability:
99%
Knowledge Base



• Connectors




• Kill Processes

• Fingerprinting

• Suspect Files
High
Attack Probability:
90%
Medium
Attack Probability:
70%
Low
Attack Probability:
60%
Dangerous
Attack Probability:
99%
Knowledge Base

TRW as Binary Classification Problem
TRW detection is a binary classification problem in which the output is chosen among two hypotheses:
• TP - Detection: TRW selects H1, detecting the
interaction as an attack and H1 is in fact True.
• FP - False Positive - Type I Error: TRW selects H1
(attack) when H0 is in fact True;
TRW receives a legitimate interaction as input
and it detects the connection as malicious.
• FN - False Negative - Type II Error: TRW chooses H0
(legal), but H1 was True;
TRW receives a malicious interaction as input
and it detects the connection as legitimate.
• TN - Nominal: TRW picks H0 when H0 is in fact True.
Binary Classification
Confusion Matrix

How does the Threshold Random Walk perform? Is it correctly formulated?
Experiment 1: k-Fold Cross Validation
Dataset 1: all attacking sessions captured by honeypots between 24th April and 31st October 2017.
270 379 malicious interactions in total.
k-Fold Cross Validation: the data is divided into k subsets of the same size. Each one of the k subsets is
used once as the validation set and the other k−1 subsets are put together to form the training set.
In cases of large imbalance in the dataset, stratiﬁed approach folds are created containing approximately
the same percentage of samples of each target class as the complete set.

Experiment 1: Average Metrics Results
Standard
Deviation

TRW has very good
performances even on
potentially unknown
attack sessions formed
by new attack strings
never seen before.
Experiment 2: Metrics Results
Dataset 2: all “new” attacking sessions captured in the last months of November and December 2017.
125 182 total interactions: equally divided in 62 591 new malicious and 62 591 legal logs.
How does the Threshold Random Walk perform in case of “unknown” attacking sessions?
How does the algorithm behave in terms of number of commands necessary to carry out the detection?

Experiment 2: Detection Performances
Threshold Random
W a l k d e t e c t s a
malicious series of
commands in ~ 6,44
events on average
with a maximum of 9
commands required.

Experiment 3: Detection vs. Execution
Average Length
at Detection
Dataset 3: all “complete” attacking sessions formed by series of commands that would actually infect a device.
114 226 logs = ~34.305% of 332 970 total interactions
Each interaction has the characteristic of having at least one command to sample execution.

Conclusions & Future Works
Conclusions: experiments proved that Threshold Random Walk outcomes promising results. It’s:
• Fast: detection of malicious interactions id performed in early stages of attacking sessions;
• Lightweight: no particular computing requirements;
• Extensible: upgradeable knowledge base allows to include emerging new attack techniques;
• Efficient: TRW makes the correct decision on quite all observed malicious sequences of commands.
Future Works:

• SSH/Telnet Emulation: create a Telnet/SSH traffic sampling system on a real communication channel.
• Automation of KB Creation: design an automated process that integrates into the existing KB new
discovered attack strings, without necessarily having to start its creation from scratch.
• Architecture Improvement: new honeypot solution could be integrated in the existing architecture.
• ELK Framework: ElasticSearch, LogStash and Kibana Data Analytics tool could be integrated into the
DIAG VM server to have a visual report of collected data in structured file formats (.json files).

“A secure system is one that does what is supposed to do, and nothing more”.
J.B. Ippolito, Native Intelligence, Inc.
Any Question?

Biagio Botticelli - botticelli.1212666@studenti.uniroma1.it

M.Sc. in Engineering in Computer Science
Thank You!
“A secure system is one that does what is supposed to do, and nothing more”.
J.B. Ippolito, Native Intelligence, Inc.
Any Question?

IoT Malware Detection through Threshold Random Walks

More Related Content

What's hot (20)

Similar to IoT Malware Detection through Threshold Random Walks (20)

More from Biagio Botticelli (10)

Recently uploaded (20)

IoT Malware Detection through Threshold Random Walks