Function-Level Syscall Fingerprinting for IoT Malware Capability Classification
摘要
This paper presents a function-level syscall fingerprinting approach for cross-architecture Internet of Things (IoT) malware capability profiling. Our method extracts syscall patterns from malware functions across MIPS, PowerPC, and i586 architectures, generating normalized syscall fingerprints that enable immediate capability assessment without requiring family-based classification or dynamic execution. Cross-architecture consistency evaluation using Mirai, Lizkebab, and Bashlite demonstrates reliable normalization effectiveness, with PowerPC-i586 pairs achieving the strongest similarity, while capability profiling evaluation shows effective inference for unknown Lizkebab functions against Mirai and Bashlite reference databases. Performance analysis confirms linear scaling with an average processing time of 7.3 s, while case studies demonstrate effective capability inference for unknown functions. The approach enables rapid, architecture-agnostic malware analysis suitable for heterogeneous IoT environments where traditional approaches face scalability limitations.