The Internet of Things (IoT) is one of the most promising technology vision of the most recent years. It will really impact the way economy, industry and govern- ments perform their operation, with all the benefits coming from the increase of connectivity among devices pushed to the limit. Unfortunately, the availability of countless number of Internet connected devices having a small but usable computing power is the Holy Grail of cybercriminals, especially if (like in the most of the cases) those devices are also particularly vulnerable to attacks. The enormous growth of IoT malware spotted in the wild is the proof that shows how the situation is already dramatic and that it is worsening everyday more and more. Designing strategies to defend, detect and mitigate those attacks it is critical to secure the IoT environment and to realize the vision of the Internet of Things. In this work, an approach for recognizing and classifying the attacks targeting IoT devices is presented. The approach leverages the fact that attacks and particularly malware (and even more in the case of the IoT) are characterized by extensive code reuse, enabling the identification of attack patterns characterizing the device compromise stage. Furthermore, the definition of those patterns enables the profiling, grouping and classification of the attacks in an effective and robust way against the small changes performed by attackers to evade signature-based approaches.

1. Classifying IoT malware delivery patterns for attack detection
Master of Science in Engineering in Computer Science
Candidate:
Fabrizio Farinacci
Student ID: 1530961
Thesis advisor:
Prof. Leonardo Querzoni
Co-Advisor:
Dr. Giuseppe Laurenza
A. Y. 2016 - 2017

2. Introduction Related work and contributions Proposed approach Results evaluation Conclusions and future work
Background: The Internet of Things
• The Internet of Things (IoT) is that vision in which anything
from vehicles to home appliances are equipped with Internet
connectivity and digitally connected for exchanging data.
• Sadly, the IoT came recently under the spotlight more for its
widespread security issues rather than its enormous potential.
Classifying IoT malware delivery patterns for attack detection

3. Introduction Related work and contributions Proposed approach Results evaluation Conclusions and future work
Background: Threats affecting the IoT
• Being the IoT panorama formed by unsecure, misconfigured and
easily accessible devices, makes it the cybercriminals Holy Grail!
• This environment favored the proliferation of IoT malware and in
particular botnets, mainly devoted to perform DDoS attacks.
Classifying IoT malware delivery patterns for attack detection

4. Introduction Related work and contributions Proposed approach Results evaluation Conclusions and future work
Problem statement and thesis objective
Problem
The highly vulnerable IoT landscape favors the proliferation of threats
and in particular malware. Understanding and characterizing them is
a fundamental requirement for preventing IoT devices compromise.
Thesis objective
Design a platform, trained on top of knowledge extracted from real
attacks collected by the platform itself, capable of recognizing known
attacks and detecting variants or completely new attacks.
Classifying IoT malware delivery patterns for attack detection

5. Introduction Related work and contributions Proposed approach Results evaluation Conclusions and future work
Related work
Works in the IoT security field divides into:
• Studies providing basic security guidelines for preventing,
mitigating and recovery from attacks.
[Angrishi et al., 2017]
• Proposing honeypot systems designed for the IoT environment,
with the goal of assessing the current threats.
[SIPHON, Guarnizo et al., 2017]
• Designing detection strategies, employing either simple device
white-listing mechanism or unreliable signature-based approaches.
[Meidan et al., 2017]
• Proposing proof-of-concept mechanism for detecting infected
devices and automatize the recovery strategy.
[AntibIoTic, De Donno et al., 2017]
Classifying IoT malware delivery patterns for attack detection

6. Introduction Related work and contributions Proposed approach Results evaluation Conclusions and future work
Contributions
The contributions made by this work are the following:
1. Showing the honeypots capabilities of revealing IoT threats;
2. Identifying specific attack patterns for characterizing the attacks;
3. Introducing an approach for profiling the attacks;
4. Showing how profiles enable to group similar attacks;
5. Showing how profiles enable to classify and recognize attacks;
6. Showing how profiles enable to track the evolution of attacks.
Classifying IoT malware delivery patterns for attack detection

7. Introduction Related work and contributions Proposed approach Results evaluation Conclusions and future work
Approach overview
Classifying IoT malware delivery patterns for attack detection

8. Introduction Related work and contributions Proposed approach Results evaluation Conclusions and future work
Attack profile extraction
Classifying IoT malware delivery patterns for attack detection

9. Introduction Related work and contributions Proposed approach Results evaluation Conclusions and future work
Attack patterns
Definition
Attack patterns are sequence of operations having a precise, but often
hidden and sneaky goal meaningful for the attacker.
Example
# Mirai
/bin/busybox cp /bin/echo dvrHelper; >dvrHelper; ...
...
/bin/busybox cp dvrHelper upnp; > upnp; ...
echo -ne "some HEX string" > upnp; /bin/busybox ECCHI
./upnp; ./dvrHelper telnet.mips; /bin/busybox IHCCE
# Hajime
cd /var; cat .s || cp /bin/echo .s; /bin/busybox ECCHI ...
...
>.s; cp .s .i; echo -ne "some HEX string" > .s; /bin/busybox ECCHI
./.s>.i; ./.i; rm .s; exit
Classifying IoT malware delivery patterns for attack detection

10. Introduction Related work and contributions Proposed approach Results evaluation Conclusions and future work
Pattern-based attack representation
Classifying IoT malware delivery patterns for attack detection

11. Introduction Related work and contributions Proposed approach Results evaluation Conclusions and future work
Phase 4: Attack aggregation and classification
• Once the attack profiles are extracted, they can be employed for:
◦ Grouping the attacks for devising attack classes and their evolution.
◦ Classifying the attacks and being so able to recognize them.
• For the grouping task, we employed the unsupervised learning
clustering algorithms BIRCH and DBSCAN.
• For the classification task, we trained and evaluated the supervised
learning classifiers Random Forest, Decision Tree, Bernoulli Naive
Bayes and Linear Kernel SVM.
Classifying IoT malware delivery patterns for attack detection

12. Introduction Related work and contributions Proposed approach Results evaluation Conclusions and future work
Dataset description and testing methodology
Dataset: 270.000 attacks collected by the platform and divided
in 17 classes, representing either variants or different attacks.
Used metrics:
• Attack grouping: Homogeneity and completeness scores,
Fowlkes–Mallows index and silhouette coefficient.
• Attack classification: F1 and accuracy scores, precision and recall.
Performed tests:
• Attack grouping:
◦ Clustering comparison on 50.000 samples ( 1/5 of dataset).
◦ Incremental time-based k-fold cross-validation (k = 10).
• Attack classification:
◦ Incremental time-based k-fold cross-validation (k = 10).
◦ Stratified k-fold cross-validation (k = 5).
Classifying IoT malware delivery patterns for attack detection

13. Introduction Related work and contributions Proposed approach Results evaluation Conclusions and future work
Test 1: BIRCH and DBSCAN comparison
0,8
0,85
0,9
0,95
1
FMI Homogeneity Completeness
Clustering comparison - Observed metrics
DBSCAN BIRCH
(a) Observed metrics comparison
0
2
4
6
8
10
Avg. Time (sec.)
Clustering comparison - Time performance
DBSCAN BIRCH
(b) Time performance comparison
Classifying IoT malware delivery patterns for attack detection

14. Introduction Related work and contributions Proposed approach Results evaluation Conclusions and future work
Test 2: Incremental time-based k-fold grouping
0
0,2
0,4
0,6
0,8
1
1 2 3 4 5 6 7 8 9 10
Folds (Time)
BIRCH Online - Periodical tuning
FMI Homogeneity score Completeness score Silhouette coeff.
Classifying IoT malware delivery patterns for attack detection

15. Introduction Related work and contributions Proposed approach Results evaluation Conclusions and future work
Test 3: Incremental time-based k-fold classification
0
0,2
0,4
0,6
0,8
1
1 2 3 4 5 6 7 8 9
Folds (Time)
Random Forest - Incremental k-fold
F1 score Precision Recall Accuracy score
Classifying IoT malware delivery patterns for attack detection

16. Introduction Related work and contributions Proposed approach Results evaluation Conclusions and future work
Test 4: Stratified k-fold classification
0,995
0,996
0,997
0,998
0,999
1
Random
Forest
Decision
Tree
Bernoulli
Naive
Bayes
Linear
Kernel
SVM
F1 score
(c) F1 score
0,995
0,996
0,997
0,998
0,999
1
Random
Forest
Decision
Tree
Bernoulli
Naive
Bayes
Linear
Kernel
SVM
Precision
(d) Precision
0,995
0,996
0,997
0,998
0,999
1
Random
Forest
Decision
Tree
Bernoulli
Naive
Bayes
Linear
Kernel
SVM
Recall
(e) Recall
0,995
0,996
0,997
0,998
0,999
1
Random
Forest
Decision
Tree
Bernoulli
Naive
Bayes
Linear
Kernel
SVM
Accuracy score
(f) Accuracy score
Classifying IoT malware delivery patterns for attack detection

17. Introduction Related work and contributions Proposed approach Results evaluation Conclusions and future work
Conclusions and future work
Conclusions
Results shown that our approach delivers promising results in the field
of attack recognition, enabling to study the evolution of attacks,
for at least for the subset of attacks that we managed to collect.
Future work
• Extending the platform, by:
1. Improving the honeypot platform;
2. Building a platform for organizing the data;
3. Developing Visual Analytics tools.
• Improving the description of attacks, by:
1. Improving the attack pattern identification;
2. Integrating with signature-based information.
• Online monitoring for attack prevention, by designing an online
detection procedure capable of detecting ongoing attacks.
Classifying IoT malware delivery patterns for attack detection

18. Introduction Related work and contributions Proposed approach Results evaluation Conclusions and future work
That’s all!
Thanks for the attention!
Any questions?
Classifying IoT malware delivery patterns for attack detection