ATLAS: A Practical Attack Detection and Live Malware Analysis System for IoT Threat Intelligence
Metadata only
Date: 2022
Type: Conference Paper
ETH Bibliography: yes
Abstract
Recently, malware targeting IoT devices has become more prevalent. In this paper, we propose a practical ATtack detection and Live malware Analysis System (ATLAS) that provides up-to-date threat intelligence for IoT. ATLAS consists of a hybrid IoT honeypot infrastructure, attack attribution, a malware downloader and a live malware analysis system. Since deployment, ATLAS has received 859 distinct malware binaries targeting 17 real IoT devices. When compared with VirusTotal timestamps, 65% of these samples were seen first by our infrastructure or are still unknown to VirusTotal to date. Through static and dynamic analysis of 17 malware samples, we are able to identify not only the attack vectors, but also the command & control (C&C) communication methods and other characteristics. We show that a novel adaptive clustering technique is capable of performing automated malware analysis to detect known malware families as well as 0-day malware. Evaluation on 204 ARM 32-bit malware samples results in the detection of 44 clusters. Further in-depth analysis of the selected samples that form new clusters (potential 0-day malware) indicates that they are indeed novel variants of IoT malware using evolving attack vectors: 17 binaries formed new clusters and belonged neither to any known cluster nor to VirusTotal.
Publication status: published
Book title: Information Security. ISC 2022
Journal / series: Lecture Notes in Computer Science
Publisher: Springer
Subject: IoT Honeypot; Attack Detection; Live Malware Analysis; Threat Intelligence