TS-HMD: Explainable Deep Learning for Time Series HPCs Based IoT Malware Detection

Published: 2024, Last Modified: 10 Jul 2025. Venue: ACISP (3) 2024. License: CC BY-SA 4.0.
Abstract: With the development of the Internet of Things (IoT), malware attacks targeting IoT devices are rapidly escalating. Malware designed for IoT increasingly adopts sophisticated techniques to evade detection and analysis. For instance, it leverages encryption, obfuscation, and polymorphic and metamorphic techniques to escape static detection. Furthermore, anti-debugging and anti-VM methods let IoT malware evade dynamic detection, which then fails to observe the actual behaviour of the executed sample. To enhance detection capabilities, deep learning models trained on large amounts of data have gained widespread adoption. However, these models are considered black boxes due to their lack of interpretability. Malware detection plays a crucial role in system security, and relying on such opaque models for critical decisions is untenable. To tackle these challenges, we propose TS-HMD, which collects time series of hardware performance counter (HPC) values during the normal execution of samples in a Linux container, so that the evasion mechanisms of IoT malware are not triggered. It uses an LSTM model to detect IoT malware from these hardware-level fingerprints and achieves an accuracy of 99.26% in distinguishing IoT malware from benign software. TS-HMD’s explainability is provided through SHAP, which identifies the HPCs and time slices that contribute most to each decision. Corresponding characteristics can also be found in the raw data and in the system calls collected by perf, and further analysis reveals a correlation between HPC values and software behaviour. TS-HMD also classifies IoT malware families, demonstrating its ability to distinguish different behaviours. Overall, TS-HMD provides an effective and transparent solution for IoT malware detection.
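The abstract's explainability step (SHAP over HPC time series, attributing a decision to particular counters and time slices) is illustrated below with an added example that is not the paper's code. It replaces the LSTM with a small hand-written scorer (`stand_in_model`, hypothetical) and computes exact Shapley values by enumerating coalitions, which is feasible for the nine (event, slice) features used here; the event names, the suspect trace, and the background mean/std that stand in for a benign reference set are all constructed. Attributions are then summed per time slice and per HPC event, which is the view a defender uses to see which counter and which window drove the verdict.

```python
"""Exact Shapley attribution of a black-box HPC time-series scorer.

Added example, not the TS-HMD code: a constructed three-event, three-slice
trace is scored by a hypothetical non-linear model and the score is
attributed back to each (slice, event) feature with exact Shapley values.
"""
from itertools import combinations
from math import exp, factorial

# Constructed layout: three perf events sampled over three time slices.
EVENTS = ["instructions", "cache-misses", "branch-misses"]
N_SLICES = 3

# Constructed background statistics (what a benign reference set would give),
# one (mean, std) pair per event, reused for every slice.
BG_MEAN = {"instructions": 5.0e6, "cache-misses": 2.0e4, "branch-misses": 1.5e4}
BG_STD = {"instructions": 5.0e5, "cache-misses": 4.0e3, "branch-misses": 3.0e3}

# Constructed suspect trace: rows are time slices, columns follow EVENTS.
SUSPECT_TRACE = [
    [5.1e6, 2.1e4, 1.6e4],
    [4.9e6, 3.8e4, 2.4e4],   # burst of cache and branch misses in slice 1
    [5.0e6, 2.2e4, 1.5e4],
]


def feature_names():
    """Flat feature order: slice-major, event-minor."""
    return [(s, e) for s in range(N_SLICES) for e in EVENTS]


def flatten(trace):
    return [v for row in trace for v in row]


def baseline_features():
    """Mean-imputed background: the 'feature absent' reference SHAP uses."""
    return [BG_MEAN[e] for _s, e in feature_names()]


def zscore(features):
    return [(v - BG_MEAN[e]) / BG_STD[e]
            for v, (_s, e) in zip(features, feature_names())]


def stand_in_model(features):
    """Hypothetical non-linear scorer returning P(malware); replaces the LSTM.
    It reacts to a cache-miss peak and to sustained branch misses, with a
    small interaction term, and ignores the instructions counter entirely."""
    z = zscore(features)
    by_event = {e: [z[s * len(EVENTS) + i] for s in range(N_SLICES)]
                for i, e in enumerate(EVENTS)}
    cache_peak = max(by_event["cache-misses"])
    branch_mean = sum(by_event["branch-misses"]) / N_SLICES
    branch_peak = max(by_event["branch-misses"])
    logit = -1.0 + 1.2 * cache_peak + 0.5 * branch_mean + 0.1 * cache_peak * branch_peak
    return 1.0 / (1.0 + exp(-logit))


def shapley_values(f, x, baseline):
    """Exact Shapley values: for every feature i, average the marginal effect of
    switching i from its baseline value to its observed value over all
    coalitions of the other features (fine for roughly n <= 12)."""
    n = len(x)
    phi = [0.0] * n
    for i in range(n):
        others = [j for j in range(n) if j != i]
        for k in range(n):
            weight = factorial(k) * factorial(n - k - 1) / factorial(n)
            for coalition in combinations(others, k):
                present = set(coalition)
                without_i = [x[j] if j in present else baseline[j] for j in range(n)]
                with_i = list(without_i)
                with_i[i] = x[i]
                phi[i] += weight * (f(with_i) - f(without_i))
    return phi


def explain(trace):
    """Return per-feature, per-slice and per-event attributions for one trace."""
    x = flatten(trace)
    phi = shapley_values(stand_in_model, x, baseline_features())
    names = feature_names()
    per_slice = [0.0] * N_SLICES
    per_event = {e: 0.0 for e in EVENTS}
    for value, (s, e) in zip(phi, names):
        per_slice[s] += value
        per_event[e] += value
    return {"phi": phi, "names": names, "per_slice": per_slice, "per_event": per_event}


if __name__ == "__main__":
    result = explain(SUSPECT_TRACE)
    print("P(malware) =", round(stand_in_model(flatten(SUSPECT_TRACE)), 4))
    for value, (s, e) in sorted(zip(result["phi"], result["names"]), reverse=True):
        print(f"slice {s:>2}  {e:<14} {value:+.4f}")
    print("per slice:", [round(v, 4) for v in result["per_slice"]])
    print("per event:", {e: round(v, 4) for e, v in result["per_event"].items()})
```

The per-feature values sum to the difference between the score of the suspect trace and the score of the baseline (Shapley efficiency), so the attributions are a complete decomposition of the verdict rather than a heuristic ranking; the unused `instructions` counter receives exactly zero credit in every slice, which is the kind of check that tells an analyst whether a model is relying on the counters they expect. Real deployments use KernelSHAP or DeepSHAP approximations because an LSTM over many counters and slices has far too many features for exhaustive enumeration.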