A Realtime IoT Malware Classification System Based on Pending Samples

Published: 01 Jan 2023, Last Modified: 22 Oct 2024. Venue: ICC 2023. License: CC BY-SA 4.0
Abstract: With the rapid growth of Internet of Things (IoT) devices, a large amount of IoT malware has been created, and defending against it, in particular classifying samples into families, has become an increasingly important problem. A classification system must meet three requirements: detecting new families, classifying sequential inputs precisely, and being independent of the CPU architecture. Existing methods do not satisfy all three simultaneously. In this paper, we propose a realtime IoT malware classification system based on pending samples. To detect new families and to classify sequential inputs precisely, we introduce the concept of “pending samples”. This concept is useful when heterogeneous inputs that are difficult to classify immediately arrive at the system, because the system can postpone classifying them until similar samples arrive. Once enough similar samples have been gathered, we regard them as a new cluster, which is how new families are detected. Moreover, we use printable strings as features to satisfy the architecture-independence requirement, because the same strings appear in builds of the same malware for different architectures. Our results demonstrate the ability to detect new families: applying our algorithm to the initial clusters yields new clusters. Furthermore, our new clustering algorithm achieves a V-measure 0.130 higher than that of the k-means algorithm, the representative clustering algorithm.
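The abstract describes two mechanisms: printable strings as an architecture-independent feature, and a pending pool that holds samples matching no known family until enough similar samples have arrived to form a new cluster. The following is an added illustration, not the paper's own code. Everything beyond those two ideas is an assumption of this example: the `strings`-style extractor, Jaccard similarity between string sets, the 0.5 join threshold, the requirement of 3 pairwise-similar pending samples before a new cluster is created, the `new-N` naming, and the constructed sample "binaries" (printable strings interleaved with opaque bytes standing in for ARM, MIPS and x86 machine code).

```python
"""Added example (not the paper's code): online family classification with a
"pending samples" pool, using printable strings as architecture-independent
features. Thresholds, similarity metric and samples are assumptions."""
import re
from itertools import combinations


def printable_strings(data: bytes, min_len: int = 4) -> frozenset:
    """Runs of printable ASCII of at least min_len bytes, like `strings`.
    Builds of one malware source for ARM/MIPS/x86 differ in machine code but
    share these strings, which is what makes the feature architecture-independent."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return frozenset(m.decode("ascii") for m in re.findall(pattern, data))


def jaccard(a: frozenset, b: frozenset) -> float:
    """Set similarity in [0, 1]; two empty sets are treated as dissimilar."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


class PendingClassifier:
    """Assign each incoming sample to a known family, or park it in the pending
    pool until enough similar samples have arrived to form a new family."""

    def __init__(self, join_threshold: float = 0.5, min_new_cluster: int = 3):
        self.join_threshold = join_threshold    # assumed value
        self.min_new_cluster = min_new_cluster  # assumed value
        self.clusters = {}   # family name -> list of member string sets
        self.pending = {}    # sample id -> string set, awaiting a decision
        self.labels = {}     # sample id -> family name or "pending"
        self._new_count = 0

    def add_family(self, name: str, samples) -> None:
        self.clusters[name] = [printable_strings(s) for s in samples]

    def _best_cluster(self, feats):
        """Nearest family by single-linkage (max similarity to any member)."""
        best, best_sim = None, 0.0
        for name, members in self.clusters.items():
            sim = max(jaccard(feats, m) for m in members)
            if sim > best_sim:
                best, best_sim = name, sim
        return best, best_sim

    def classify(self, sample_id: str, data: bytes) -> str:
        feats = printable_strings(data)
        name, sim = self._best_cluster(feats)
        if name is not None and sim >= self.join_threshold:
            self.clusters[name].append(feats)
            self.labels[sample_id] = name
            return name
        # No family is close enough: postpone the decision instead of forcing one.
        self.pending[sample_id] = feats
        self.labels[sample_id] = "pending"
        return self._try_promote(sample_id)

    def _try_promote(self, sample_id: str) -> str:
        """If at least min_new_cluster pending samples (including this one) are
        pairwise similar, they become a new family; otherwise they stay pending."""
        feats = self.pending[sample_id]
        group = [sid for sid, f in self.pending.items()
                 if jaccard(feats, f) >= self.join_threshold]
        if len(group) < self.min_new_cluster:
            return "pending"
        if any(jaccard(self.pending[x], self.pending[y]) < self.join_threshold
               for x, y in combinations(group, 2)):
            return "pending"
        self._new_count += 1
        name = f"new-{self._new_count}"
        self.clusters[name] = [self.pending.pop(sid) for sid in group]
        for sid in group:
            self.labels[sid] = name
        # Other pending samples may now match the new family; re-examine them.
        for sid in list(self.pending):
            if max(jaccard(self.pending[sid], m) for m in self.clusters[name]) >= self.join_threshold:
                self.clusters[name].append(self.pending.pop(sid))
                self.labels[sid] = name
        return name


# Constructed samples: the same strings wrapped in opaque "code" bytes that
# contain no printable run of 4 or more characters.
ARM_CODE = b"\x00\x48\x2d\xe9\x01\x02"
MIPS_CODE = b"\x27\xbd\xff\xe0\x03\x04"
X86_CODE = b"\x55\x89\xe5\x83\x05\x06"
FAMILY_A = {"/bin/busybox", "LOGIN", "enable", "system", "shell", "/proc/net/tcp"}
FAMILY_B = {"/dev/watchdog", "tftp -g -r", "POST /cgi-bin/",
            "User-Agent: Mozilla", "killall", "/proc/self/exe"}


def fake_binary(strings, code: bytes) -> bytes:
    out = bytearray(code)
    for s in strings:
        out += s.encode("ascii") + b"\x00" + code
    return bytes(out)


def run_demo():
    """Known family A (ARM, MIPS builds); a stream containing an x86 build of
    A, three variants of an unknown family B interleaved with an unrelated
    sample, then a fourth B sample after the new cluster exists."""
    clf = PendingClassifier()
    clf.add_family("fam_a", [fake_binary(FAMILY_A, ARM_CODE), fake_binary(FAMILY_A, MIPS_CODE)])
    stream = [
        ("x1", fake_binary((FAMILY_A - {"shell"}) | {"/proc/net/route"}, X86_CODE)),
        ("b1", fake_binary(FAMILY_B, ARM_CODE)),
        ("u1", fake_binary({"Hello, World!", "libc.so.6"}, X86_CODE)),
        ("b2", fake_binary((FAMILY_B - {"killall"}) | {"/dev/misc/watchdog"}, MIPS_CODE)),
        ("b3", fake_binary((FAMILY_B - {"killall"}) | {"GET / HTTP/1.1"}, X86_CODE)),
        ("b4", fake_binary(FAMILY_B, ARM_CODE)),
    ]
    results = {sid: clf.classify(sid, data) for sid, data in stream}
    return results, clf


if __name__ == "__main__":
    results, clf = run_demo()
    for sid, label in results.items():
        print(f"{sid}: {label} (final label {clf.labels[sid]})")
```

In the demo, `x1` joins family A immediately despite being an x86 build the system has never seen, `b1` and `b2` wait in the pool, `b3` completes a pairwise-similar group of three and promotes all of them to `new-1`, and the unrelated `u1` stays pending rather than polluting any family. The single-linkage and pairwise checks are deliberate: a star-shaped group around one sample does not form a family, which guards against one generic sample bridging two unrelated ones.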