Investigating behavioral differences between IoT malware via function call sequence graphs

Symposium on Applied Computing (2021)

Abstract

IoT malware that infects IoT devices is rampant. Most IoT malware variants are generated by changing various behaviors, such as the attack method, of existing malware families. Nearly all antivirus software only identifies the malware family's name; thus, we cannot acquire further details about differences between malware behaviors. In this paper, we propose a graph-based method for confirming differences in malware behaviors and investigating the actual conditions of malware variants. The proposed method first extracts a sequence of function calls from a malware binary and represents the sequence as a directed graph, which we refer to as a function call sequence graph (FCSG). Next, the method automatically checks whether the FCSG matches signature-FCSGs, which are manually generated small-scale FCSGs representing malicious behaviors of known malware, such as an attack function or a network scan. To demonstrate the usability of our proposed method, we applied it to 24,126 in-the-wild IoT malware specimens and investigated whether specimens exist that mix behaviors from multiple malware families or are specialized for particular attacking behaviors.
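To make the FCSG idea concrete, here is an added example (not code from the paper) that builds an FCSG from a call sequence and checks it against small signature-FCSGs by edge containment. The call sequence and the signature edge sets are constructed for illustration; the paper's actual extraction method and signatures are not shown here.

```python
from collections import defaultdict

# Constructed call sequence standing in for what would be extracted from a
# specimen binary (hypothetical, not output from a real sample).
SPECIMEN_CALLS = [
    "fork", "rand", "socket", "connect", "send", "recv", "close",
    "rand", "socket", "connect", "close",
    "socket", "sendto", "sendto", "sendto", "close",
]

# Hand-written signature-FCSGs: each is a small set of directed edges naming
# one behaviour. Assumed shapes for illustration only.
SIGNATURES = {
    "random_scan": {("rand", "socket"), ("socket", "connect")},
    "udp_flood": {("socket", "sendto"), ("sendto", "sendto")},
    "dns_lookup": {("gethostbyname", "socket")},
}


def build_fcsg(calls):
    """Directed graph: node = function name, edge = call i followed by call i+1."""
    graph = defaultdict(set)
    for src, dst in zip(calls, calls[1:]):
        graph[src].add(dst)
    return graph


def matches_signature(fcsg, signature_edges):
    """A signature matches when every one of its edges appears in the FCSG.
    Nodes are labelled by function name, so subgraph matching reduces to
    checking edge containment."""
    return all(dst in fcsg.get(src, set()) for src, dst in signature_edges)


def classify(calls, signatures=SIGNATURES):
    """Return the names of all signature-FCSGs matched by the specimen's FCSG.
    More than one name indicates a specimen mixing several behaviours."""
    fcsg = build_fcsg(calls)
    return sorted(name for name, edges in signatures.items()
                  if matches_signature(fcsg, edges))


if __name__ == "__main__":
    print(classify(SPECIMEN_CALLS))  # ['random_scan', 'udp_flood']
```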