ATLAS: A Practical Attack Detection and Live Malware Analysis System for IoT Threat Intelligence.

ISC(2022)

Abstract
Recently, malware targeting IoT devices has become more prevalent. In this paper, we propose a practical ATtack detection and Live malware Analysis System (ATLAS) that provides up-to-date threat intelligence for IoT. ATLAS consists of a hybrid IoT honeypot infrastructure, attack attribution, a malware downloader and a live malware analysis system. Since deployment, ATLAS has received 859 distinct malware binaries targeting 17 real IoT devices. When compared with VirusTotal timestamps, 65% of these samples were first seen by our infrastructure or are still unknown to VirusTotal to date. Through static and dynamic analysis of 17 malware samples, we are able to identify not only the attack vectors, but also command & control (C&C) communication methods and other characteristics. We show that a novel adaptive clustering technique is capable of performing automated malware analysis to detect known malware families as well as 0-day malware. Evaluation with 204 ARM 32-bit malware samples results in the detection of 44 clusters. Further in-depth analysis of the selected samples that form new clusters (potential 0-day malware) indicates that they are indeed novel variants of IoT malware using evolving attack vectors: 17 binaries formed new clusters and belonged neither to any known cluster nor to VirusTotal.
Keywords
IoT Honeypot, Attack Detection, Live Malware Analysis, Threat Intelligence