Researching and proposing psi graph as a feature for botnet detection on iot devices

n algorithm is different. The purpose is to assess the reliability and accuracy of studies with the same dataset described in section 2.2.1. Table 2.3. Experimental results of static features approach in IoT malware detection Static features approaches Classifier Accuracy FPR (False Positive Rate) FNR (False Negative Rate) Features extracting and pre- processing time Classification time ELF-header [96] RIPPER 99,8 0,2 0,2 1h50m 0,75s PART 99,8 0,2 0,2 1,27s DT (J48) 99,6 0,5 0,3 1s String-based [70] SVM 98 0,9 2,2 4m47s 12,4s kNN 99,8 0,4 0,2 1s DT (J48) 99,4 0,4 0,6 8,75s RF 99.7 0,3 0,4 9,71s Image-based [25] Neural Network 89,1 12,7 1,4 14m19s 2m19s CFG-based [32] SVM 89 33,8 4,4 5 days 1,45s LR 85 15,1 19,0 0,5s RF 95 7,5 5,9 1,75s From the result table 2.3, it can be seen that the studies of representing the executable using non graph- based features is heavily depend on the value of the features (for example, function call inet_toa) and cannot describe complex semantic information between features (for example, data dependency in the life cycle of an IoT malware capable of a distributed denial of service attack, referred to as the IoT botnet). Besides, studies using non graph-based features are often quite weak with obfuscation techniques such as encoding, data insertion. Meanwhile, the graph-based approach can generally evaluate and represent structured information, complex information of botnets behavior. 8 Chapter 2 conclusion: The results of this Chapter provide motivation for the proposed methods of the thesis with the possible of the static analysis in IoT botnet malwares detecting problem. Moreover, graph-based features bring high efficiency and prospects in detecting IoT botnet malware. Contributions of Chapter 2: Evaluate and compare the difference between botnet malware on traditional computers and IoT devices, thereby serving as a basis to propose a suitable static analysis method for detecting IoT botnet malware; Building a reliable dataset for experiment in IoT botnet malware detection; Re-experiment and evaluation of current studies based on static analysis with the same dataset and experimental environment. These results have been published and presented in the Proceedings of Conferences and prestigious journals (at [B3], [B4], [B5] in the author's list of works). CHAPTER 3. PSI GRAPH FEATURE FOR DETECTION OF IOT BOTNET 3.1. Statement of the problem The research problem in this chapter is defined as: - Let 𝐿 = {𝑙1, 𝑙2, , 𝑙𝑛}, the set of 𝑛 executable files, in which 𝑙𝑖 ∈ {0,1} can be malicious executable files (value 1), or benign executable files (value 0) with 𝑖 = 1, 𝑛̅̅ ̅̅̅ - Let 𝐹 = {𝑓𝐴𝑙ℎ𝑎𝑛𝑎ℎ𝑛𝑎ℎ, 𝑓𝑆𝑢, 𝑓𝐻𝑎𝑑𝑑𝑎𝑑, 𝑓𝐴𝑧𝑚𝑜𝑜𝑑𝑒ℎ𝑃𝑎𝑗𝑜𝑢ℎ, 𝑓Alasmary }, a set of feature for the detection of botnet in IoT devices and have good results in recent years. Therefore, ∃𝑓𝑇𝑟𝑢𝑛𝑔 ∉ 𝐹 such that 𝑓𝑇𝑟𝑢𝑛𝑔(𝐿) is simpler than 𝑓𝑗 ∈ 𝐹, in terms of the graph structure, the simpler is quantified through the number of edges and the number of graph vertices. Although simpler in terms of structure, but 𝑓𝑇𝑟𝑢𝑛𝑔 gives better results than 𝑓𝑗 ∈ 𝐹 in terms of accuracy, execution time. 3.2. Explaination of the problem The thesis chooses an approach based on static analysis in detecting botnet malware on IoT devices. Currently, there have been studies following this approach, such as Alhanahnah et al. [4], Su et al. [25], HaddadPajouh et al. [14], Azmoodeh et al. [36], Hisham Alasmary et al. [33]. Specifically, Mohannad Alhanahnah et al. Combine various static features such as strings, control flow graph (CFG) and file structure statistics to generate the signatures used for classification of multi-architecture IoT malware. Su et al. proposed a lightweight method to distinguish IoT malicious patterns from IoT benign patterns based on grayscale images, and by feeding these gray-scale images into the convolutional neural network model to detect IoT malware. Hamed HaddadPajouh et al., Azmoodeh et al. Proposed a method of detecting IoT malware using opcode sequences. Hisham Alasmary et al. Performed an in-depth study of the graph of Android malware and IoT botnet. With a detailed description of the characteristics of typical studies in static analysis to detect botnet malware on IoT devices, the new feature in the statement of the research problem in this Chapter will take advantage of the strong points. as well as solving the limitations of existing features, thereby bringing high efficiency in the problem of detecting IoT botnet malware with machine learning and deep learning algorithms. 3.3. Proposed method The research problem in this Chapter of the thesis will follow the following assumptions: The basic difference between botnet malware and other types of malicious code is that botnet always need a connection to C&C server to send/receive attack command from hacker. The infection and attacks of botnet malware on IoT devices have been studied a lot, and found that they often follow the general process. Each step in the life 9 cycle of the IoT botnet malware usually involves information represented in the form of strings such as hacker instruction commands, IP addresses / domain names of C&C servers, etc. Before going into the proposed methodology explaination, to better understand the problem, the following definitions are specified in this thesis. Definition 3.1: A function-call graph is a directed graph, represented by 𝐺 = (𝑉, 𝐸). Where 𝑉 is the set of vertices 𝑉 = 𝑉(𝐺) representing functions and the set of edges 𝐸 = 𝐸(𝐺), where 𝐸(𝐺) ⊆ 𝑉(𝐺) × 𝑉(𝐺), corresponding to the function calls. For each vertex 𝑣 ∈ 𝑉, the two defined functions 𝑉𝑛(𝑣) và 𝑉𝑓(𝑣) provide the function name and function type of the function represented by 𝑣. The function type 𝑡 ∈ {0,1} can be a local function (value 0) or an extension function (value 1). Definition 3.2: A Printable String Information (PSI) is a printable string of information appearing in the executable, either explicitly (eg “10.1.1.2”) or encrypted (eg “eGAIM”). Definition 3.3: The PSI graph is a directed graph, represented as follows 𝐺𝑃𝑆𝐼 = (𝑉, 𝐸), where: – 𝑉 is the vertices set composed of function which are in function-call graph and contain PSIs, – 𝐸 is the set of directed edges {(𝑉𝑖,𝑉𝑗), (𝑉𝑘,𝑉ℎ), } , reflecting the caller-callee relationship between two functions To prove the above hypothesis and answer the proposed research problem, the proposed method in this thesis has the following structure diagram: Figure 3.1. The workflow of proposed method to detect IoT botnet malware The thesis provides a general model of the proposed method, including 02 main processing phases: training phase and utilizing phase, illustrated in figure 3.1. In particular, the training phase and the use phase have a relatively similar treatment process, only different in Class Classification. With the input data being executable files on the IoT device, including malicious and benign files, the implementation process consists of four steps as follows: FCG graph generation, PSI graph generation , Preprocess and Feature Selection phase and finally Classifier. 3.4. Function call graph in IoT botnet malware detection A Function Call Graph (FCG) is a control flow graph, which represents the relational call between functions or subfunctions in an executing program. The formal definition is shown as definition 3.1. 10 Before constructing the function call graph, it is necessary to check and pre-process the defense techniques of the executable files to ensure the correctness of the function call graph. To check whether the files use encapsulation techniques, the thesis uses the DiE tool (Detect It Easy) [115] to check whether the files are packed and if so, what is the used packaging technique. Analysis on the thesis's test the dataset of 10010 samples found that only about 2% of the samples used obfuscation techniques, and the vast majority were UPX packaging techniques. After a packer has been identified, there are many tools that support unpacking, such as the UPX tool [121]. The executables that cannot be unpacked using the UPX tool will be removed from the dataset. After the unpack process, the thesis used IDA Pro as a tool to support decompilation because it is a cross-platform support tool. After performing the decompiling of the binary files with IDA Pro tool, the thesis obtained the assembly code of the file. The algorithm for building function call graph (algorithm 3.1) is deployed by the thesis inheriting from the research of Ming Xu et al. [108]. Algorithm 3.1: Constructing the Function Call Graph – FCG Input: Functions of executable file 𝐹, Output: The function call graph 𝐺𝐹 of the executable file 𝐹 // Initialization 1: 𝑮𝑭.𝑉 = 𝝓 and 𝑮𝑭.𝐸 = 𝝓 2: EntryFuncSet = 𝝓, FuncSet = 𝝓, FuncQ = 𝝓, VerSet = 𝝓 // Extracting functions from assembly code 3: FuncSet = SplitFuncs(𝐹) 4: EntryFuncSet = IdentifyEntryPointFuncs(𝑀) 5: FuncQ = InitQ(EntryFuncSet) // Building a caller-callee relationship 6: while(FuncQ is not empty) 7: baseVertex = Dequeue(FuncQ) 8: Insert baseVertex in 𝑮𝑭 9: baseVertex.enQFlag = true //Extracting the callee of set baseVertex 10: VerSet = getCallee(baseVertex) 11: for each vertex in VerSet 12: if((vertex ∩ FuncSet) ≡ 𝝓) // The vertices are not in FuncSet 13: continue 14: endif 15: headVertex = vertex 16: // Build the connecting edge between baseVertex and headVertex 17: if(𝑒 ∈ 𝑮𝑭.𝐸) 18: baseVertex.outDeg++ 19: headVertex.inDeg++ 20: else 21: Insert headVertex in 𝑮𝑭 22: Insert edge 𝑒 in 𝑮𝑭 23: endif 24: if(headVertex.enQFlag == false) 25: Enqueue headVertex in FuncQ 26: headVertex.enQFlag = true 27: endif 28: next vertex 29: end while 30: return 𝑮𝑭 31: end 11 The Call Graphs are still highly complex due to the large number of vertices and edges, and are often expensive to compute and to store [97]. If the complexity of a graph is based on the number of edges and vertices then the complexity will be 𝛰(|𝑉| ∗ |𝐸|) where |𝑉| is the number of edges and |𝐸| is the number of vertices. Therefore, based on the function call graph, the thesis aims to build a new graph feature with high efficiency (low complexity when it is possible to reduce the number of vertices and edges of the graph feature but still ensures high detection rate) in the problem of detecting IoT botnet malware when applied to machine learning and deep learning techniques. 3.5. PSI Graph construction Before building the PSI graph (definition 3.3), the thesis extracts all PSI (definition 3.2) existing inside the executable file with a plugin code of the IDAPro tool. Balancing the accuracy of classification results and computational complexity, the thesis chooses PSI functions with a minimum length of 3 characters or more. These PSIs can be in either explicit or encrypted form and often contain a lot of semantic information relevant to the attacker's intent. After constructing the function call graph, as well as identifying vertices containing PSI, the dissertation proceeds to browse the function call graph to construct PSI graph, the implementation process is as in algorithm 3.2. Algorithms 3.2: PSI-Graph Generation (FCG) 1 𝑉 = [ ], 𝐸 = [ ] 2 For each vertice 𝑣𝑖 in FCG do: 3 If exist psi in 𝑣𝑖 and do: 4 𝑉 = 𝑉 ∪ 𝑣𝑖 5 End if 6 For each edge 𝑒𝑗(𝑣𝑖, 𝑣𝑘) do: 7 If exist psi in 𝑣𝑘 and 𝑣𝑘 ∉ 𝑉 and 𝑒𝑗(𝑣𝑖 , 𝑣𝑘) ∉ 𝐸 do: 8 𝑉 = 𝑉 ∪ 𝑣𝑘 9 𝐸 = 𝐸 ∪ 𝑒𝑗(𝑣𝑖 , 𝑣𝑘) 10 End If 11 Enf for 12 End for 13 Return 𝑉, 𝐸 The PSI graphing process is based on trimming FCG graph to reduce the number of edges and the number of vertices, so the complexity of the PSI graph generation algorithm is 𝑂(|𝑉| ∗ |𝐸|) as well. will decrease. Table 3.1 shows the size comparison between PSI graph and function call graph. As can be seen, the PSI graph has a much smaller size than the function call graph in terms of the number of vertices and edges in both malicious and malicious files. Therefore, using the PSI graph as featured to detect malicious code can reduce complexity (increase processing speed, reduce computation time cost) compared to using function call graph. Table 3.1. Comparison between the PSI graph and the call graph of the FCG function Class Average number of vertices in PSI graph Average number of edges in PSI graph Average number of vertices in FCG Average number of edges in FCG Maliciousness 147.1 1110.5 254.5 3075.5 Benignness 167.8 1693.9 530.9 2962.2 12 As can be seen in Figure 3.2, the number of vertices in PSI graph is concentrated mainly in the range [1, 300] for both malicious and benign files. Although there is a slight difference in distribution, this difference is not obvious enough to establish a threshold value to distinguish between benign and IoT malicious samples. Figure 3.2. Number of edges and vertices between sample patterns In order to easily visualize the operation results of the PSI graph generation algorithm, Figure 3.3 shows an example of the function call graph of the Linux.Bashlite pattern, it can be clearly seen that the PSI graph is much simpler than the graph function call. On average, a PSI graph contains only about 16 vertices and 60 edges compared to the 156 vertices and 360 edges of the function call graph. Figure 3.3. Function call graph (left) and PSI graph (right) of Linux.Bashlite malware sample In summary, the PSI graph characteristics obtained by the thesis have the following characteristics: - Be built based on static method; - Can reflect "lifecycle behavior" or can be called as simulation of infection process of IoT botnet malware; - Only consider the structure of printable string information (PSI), not consider the value of the strings; 13 - Be built based on function call graph. 3.6. Experimental evaluation 3.6.1. Experimental environment Using the experimental data set presented in section 2.2.1 of this thesis summary, to conduct the experiments, the thesis divides the dataset into two subset: training set and testing set. The training set contain an equal number of 2690 samples for both the malicious and the benign classes. The test subset contains 4630 samples. The experiment is built with Python and PyTorch framework on Ubuntu 16.04 operating system using Intel Core i5-8500, 3.0GHz chip, NVIDIA GeForce GTX1080Ti graphics card and 32 GB RAM. 3.6.2. Evaluation model To evaluate the effectiveness of PSI graph features in the IoT botnet malware detection problem, the thesis feeds PSI graph features into the evaluation model as shown in Figure 3.4. The thesis aims at approach based on the analysis and representation of the entire structure of the PSI graph into fixed-length numerical vector values, so the thesis uses graph2vec [39] in the data preprocessing process. Figure 3.4. Evaluation model of detecting IoT botnet malware using PSI Graph Graph2vec is an unsupervised learning technique for converting a graph into a digital vector. Graph2vec is based on the idea of a doc2vec approach [82] using the skip-gram network. Graph2vec learns to represent graphs by treating an entire graph as a text and subgraphs as the words that make up that text. Thuật toán 3.3: Graph2vec (𝒢, 𝐷, 𝛿, 𝔢, 𝛼) Input: 𝒢 = {𝐺1, 𝐺2, , 𝐺𝑛}: Set of graphs such that each graph 𝐺𝑖 = (𝑉𝑖, 𝐸𝑖 , 𝜆𝑖) for which embedding have to be learnt 𝐷: Maximun degree of rooted subgraphs to be considered for learning embeddings. This will produce a vocabulary of subgraphs, 𝑆𝐺𝑣𝑜𝑐𝑎𝑏 = {𝑠𝑔1, 𝑠𝑔2, } from all the graphs in 𝒢 𝛿: number of dimensions (embedding size) 𝔢: number of epochs 𝛼: Learning rate Output: Matrix of vector representation of graphs Φ ∈ ℝ|𝒢| × 𝛿 1: Initialization: Sample Φ from ℝ|𝒢| × 𝛿 2: for 𝔢 = 1 to 𝔢 do 3: 𝜔 = 𝑆h𝑢𝑓𝑓𝑙𝑒(𝒢) 4: for each 𝐺𝑖 ∈ 𝜔 do 5: for each 𝑣 ∈ 𝑉𝑖 do 6: for 𝑑 = 0 to 𝐷 do 14 7: 𝑠𝑔𝑣 (𝑑) := GetWLSubgraph(𝑣, 𝐺𝑖 , 𝑑) 8: 𝒥(Φ) = − log Pr( 𝑠𝑔𝑣 (𝑑)|Φ(𝒢)) 9: Φ = Φ − 𝛼 𝜕𝒥 𝜕Φ 10: Return Φ The working principle of graph2vec is as follows: the entire graph is treated as a document, then the subgraphs in the graph in question are treated as sentences where each vertex in the graph is processed as a word. Then the document is built by using the graph traverse technique. Once the document has been built, use the skipgram technique to represent this graph. Due to having to predict subgraphs, that is, graphs with similar subgraphs and similar structures have similar embedding. The result of this step is a set of one-hot vectors of arbitrary length representing the set of graphs. In the proposed study, the thesis presents PSI graphs as numerical vectors of 1024 length and used for later classification. The data collected after the PSI graph preprocessing step will be used to decide whether a file is malicious using the deep neural network classifier. To build convolutional neural networks, the thesis inherits the network model proposed by Kim [75]. The first layer of the neural network is the input layer, the next layer performs convolution operations using multiple filter sizes. The output of this class is passed to a nonlinear function, called the ReLU trigger, defined as 𝑓(𝑥) = max(0, 𝑥), because the ReLU trigger has a simpler computation. compared with the sigmoid activation function (this usually requires an exponential computational complexity) [100]. Next, the max-pooling class is used to reduce the data dimension from the convolutional layer, so the complexity and computational resources of the processing can be reduced and data scalable. Finally, the fully connected layer performs subclassing the outputs generated from the convolution layer and the pooling class. 3.6.3. Experimental results and discussion In order to evaluate the effectiveness of features of PSI graph in detecting IoT botnet malware, the thesis experimented and gave a result table in which focus on 02 features: PSI graph and FCG graph features with Measurement metrics include accuracy, FNR, FPR and cost of processing time. Table 3.2. The results of detecting IoT botnet malware by PSI graph and function call graph Metric Features Accuracy (%) FNR (%) FPR (%) Time (m) PSI-graphs 98,7 1,83 0,78 88 FCGs 95,3 5,81 4,13 545 From the results in Table 3.2, it can be seen that the proposed method using PSI graph features performs better than the function call graph. The results showed that the proposed method achieved 1.7% higher accuracy than using the call graph, and the execution time was also 457 minutes less. Besides, the false negative rate (false nagative/false elimination rate) in the proposed method is 1.83% while the FCG method is 5.81%. Meanwhile, with malware detection problems, the lower the false negative rate, the lower the classifier misdetecting the malicious code as benign files. Besides, the proposed method of the thesis still has a very small rate of error in wrongly labeling benign files as malicious code. This occurs in some benign files having a PSI graph structure similar to that of some Linux.Bashlite malware samples. Manually analyzing those sample sets found that the different executables, the FCG graph and the resulting assembly code were different but still had the same PSI graph structure. However, this false detection rate is only 0.78%, a very small percentage.. Table 3.3. Comparison between the IoT botnet detection methods Methods Algorithms Dataset Accuracy (%) Su et al. [25] Deep neural network (CNN) 95.13 15 Methods Algorithms Dataset Accuracy (%) HaddadPajouh et al. [14] Recurrent neural network (RNN) Dataset described in section 2.2.1 includes 6943 samples (of which 3098 botnet from IoTPOT) 97.88 PSI-Graph Deep neural network (CNN) 98.7 From the result table 3.3, it can be seen that the research methods of Su et al. [25], HaddadPajouh et al [14] all showed promising results. Although the results of the current studies are promising, the lack of test data sets and the source code of the test models makes retesting and evaluating them quite difficult. This thesis tries to rebuild those methods through the materials, published articles of the above methods. The results showed that the proposed method of the thesis achieved better accuracy than that of Su and HaddadPajouh at 3.57% and 0.82%, respectively. Table 3.4. Evaluation over-fitting Methods Algorithms Dataset Accuracy (%) PSI-Graph Deep neural network (CNN) Dataset described in section 2.2.1 includes 10,010 samples (of which 6165 botnet IoTPOT and VirusShare) 97,8 Finally, over-fitting problems often occur with deep learning algorithms. This occurs when the model too matches the training data set but does not perform well when it executes it on the extended subsets. To evaluate the over-matching problem in the proposed model, the thesis added 3067 malicious code samples collected from VirusShare to the test set and recalculated the accuracy. As shown in Table 2.4, when adding malicious code samples from VirusShare to the sample data set, the detection accuracy of malicious code decreased slightly (down 0.9%). Thus, from the experimental results, the thesis finds that the proposed method achieves good results in detecting IoT malware, and at the same time solving the problem of over-fitting in the acceptable range. Conclusion Chapter 3 Based on the analysis and evaluation of the characteristics of the IoT botnet malware and in order to solve the limitations of previous studies in detecting the botnet IoT malware based on the feature of the graph structure, the thesis proposed a high-level feature-based light approach, called the PSI graph, to detect the IoT botnet malware. The proposed method of mining the life cycle of IoT botnet malware to generate PSI graph characteristics, applying the advantages of deep learning method to achieve accuracy up to 98.7% with the same degree of overlap in the handicap range. received with the problem of detecting IoT botnet malware. However, the proposed method only focuses on exploiting the overall structure of the PSI graph, and still has a rather large time cost complexity. Contributions of Chapter 3 Proposing a new feature with a graph structure, effective in detecting multi-architectural botnet malware on IoT devices, called PSI graph. The research results have been published and presented in the Proceedings of Conferences and prestigious journals domestically and internationally (at [B1], [B6], [B7] in the list of works of the author). 16 CHAPTER 4. PSI-ROOTED SUBGRAPH FEATURE IN DETECTING IOT BOTNET 4.1. Statement of the problem The method of detecting IoT botnet malware based on PSI graph features has shown high feasibility and efficiency. However, this proposed method focuses on exploiting the overall structure of the PSI graph and does not exploit the paths in the PSI graph, in other words the method focuses on considering the PSI graph as a graph. application. The fact that the growing trend of botnet malware executables on IoT devices is getting more and more complex is the fact that the structure of the PSI Graph will also be complex. Meanwhile, the malicious behaviors that often appear in the life cycle of the IoT botnet malware can be the paths in the PSI graph, illustrated in Figure 4.1, it can be the green or red paths, while the other routes are redundant data. Based on that, the research problem of this Chapter is stated as follows: Building a new feature based on PSI graph features, but focusing on exploring paths in PSI graphs, thereby building the characteristic. Displaying a new graph, called PSI-rooted subgraph representing malicious behavior of IoT botnet malware, improving efficiency of detecting IoT botnet malware with simple machine learning algorithms. Figure 4.1. Illustration the problem idea using a PSI-rooted subgraph 4.2. Building PSI-rooted subgraph feaure Definition 4.1 (PSI-rooted subgraph): Let 𝐺𝑠𝑔 = (𝑉, 𝐸, 𝜃, 𝑑) represents an acyclic directed PSI- Rooted sub-graph that is generated from 𝐺𝑃𝑆𝐼 rooted at vertex 𝜃; where 𝑉 𝜖 𝐺𝑃𝑆𝐼 is the set of vertexes whereas the length between (𝜃, 𝑉𝑖) satisfy 0 ≤ (𝜃, 𝑉𝑖) ≤ 𝑑, and E is a set of directed edges between vertexes in 𝑉. After building