IoT malware classification based on reinterpreted function-call graphs

Computers & Security (2023)

Citations 2 | Views 44

Abstract
Various malware and cyberattacks have arisen along with the proliferation of IoT devices. The evolving malware targeting IoT devices calls forth effective and efficient solutions to protect vulnerable IoT devices from being compromised. In this paper, we investigate the feasibility of a state-of-the-art graph embedding method, graph2vec, for performing family classification for IoT malware, with promising results reported. To further improve the generalization performance of the classifiers based on graph2vec-extracted features, we propose two new mechanisms to improve the quality of feature representation. First, we unify user-defined function calls by reinterpreting the opcode sequences therein to better capture the semantics of the function-call relationship in malware binaries. Then, we integrate literal information into the graph2vec embedding of the function call graph to achieve better discriminant ability. To prove the effectiveness of the proposed scheme, we carried out performance comparison on a large-scale dataset containing more than 108K malware binaries collected from seven CPU architectures. The accuracy rates obtained by five widely adopted classifiers on malware family classification are improved by 2%, on average, by adopting the two proposed mechanisms. Specifically, when combined with the proposed approach, the support vector machine classifier obtained an accuracy rate of 98.88% on malware family classification, outperforming known function-call-graph (FCG)-based methods and previous work on static malware analysis. (c) 2022 Elsevier Ltd. All rights reserved.
Keywords
Cybersecurity, IoT malware analysis, Machine learning, Static analysis, Graph embedding