This paper presents a function-level syscall fingerprinting approach for cross-architecture Internet of Things (IoT) malware capability profiling. Our method extracts syscall patterns from malware functions across MIPS, PowerPC, and i586 architectures, generating normalized syscall fingerprints that enable immediate capability assessment without requiring family-based classification or dynamic execution. Cross-architecture consistency evaluation using Mirai, Lizkebab, and Bashlite demonstrates reliable normalization effectiveness, with PowerPC-i586 pairs achieving the strongest similarity, while capability profiling evaluation shows effective inference for unknown Lizkebab functions against Mirai and Bashlite reference databases. Performance analysis confirms linear scaling with an average processing time of 7.3 s, while case studies demonstrate effective capability inference for unknown functions. The approach enables rapid, architecture-agnostic malware analysis suitable for heterogeneous IoT environments where traditional approaches face scalability limitations.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Function-Level Syscall Fingerprinting for IoT Malware Capability Classification

  • Yutaro Osako,
  • Hayato Hamano,
  • Yuto Aono,
  • Toshihiro Yamauchi,
  • Katsunari Yoshioka,
  • Takahiro Kasama,
  • Takuya Fujihashi,
  • Shunsuke Saruwatari

摘要

This paper presents a function-level syscall fingerprinting approach for cross-architecture Internet of Things (IoT) malware capability profiling. Our method extracts syscall patterns from malware functions across MIPS, PowerPC, and i586 architectures, generating normalized syscall fingerprints that enable immediate capability assessment without requiring family-based classification or dynamic execution. Cross-architecture consistency evaluation using Mirai, Lizkebab, and Bashlite demonstrates reliable normalization effectiveness, with PowerPC-i586 pairs achieving the strongest similarity, while capability profiling evaluation shows effective inference for unknown Lizkebab functions against Mirai and Bashlite reference databases. Performance analysis confirms linear scaling with an average processing time of 7.3 s, while case studies demonstrate effective capability inference for unknown functions. The approach enables rapid, architecture-agnostic malware analysis suitable for heterogeneous IoT environments where traditional approaches face scalability limitations.