Improving Scalable Clustering for IoT Malware via Code Region Extraction
摘要
IoT malware is often generated in large quantities through source code modifications and widely used in cyberattacks. For fine-grained functional analysis, it is crucial to extract and utilize relevant behavioral information from the executables of malware samples. In this study, our primary objective is to improve the clustering accuracy of IoT malware based on phylogenetic trees, and from the results, we investigate which components are useful for analyzing functional characteristics at a level more fine-grained than the family.Executable code can generally be classified into statically linked library functions and user-written code, the latter presumed to reflect attacker-specific functionality. Based on this fact, we hypothesized that meaningful functional distinctions among samples are primarily captured in the user code regions. To test this hypothesis, we constructed multiple datasets with and without user code and library functions, and evaluated clustering quality with respect to two functional label sets: disabling information and exploit information.The experimental results showed that, as hypothesized, excluding library functions and retaining only the opcodes of user code improves clustering accuracy for disabling information, whereas for exploit labels, accuracy improves even when only the library function regions are used. These results demonstrate that eliminating irrelevant information is effective for functional label classification, and that functional analysis does not necessarily rely solely on user code; rather, it was revealed that vulnerability-related information is also contained in the library parts.