DL-FHMC: Deep Learning-Based Fine-Grained Hierarchical Learning Approach for Robust Malware Classification

Abstract

The acceptance of the Internet of Things (IoT) for both household and industrial applications is accompanied by the rapid growth of IoT malware. With the increase of their attack surface, analyzing, understanding, and detecting IoT malicious behavior are crucial. Traditionally, machine and deep learning-based approaches are used for malware detection and behavioral understanding. However, recent research has shown the susceptibility of those approaches to adversarial attacks by introducing noise to the feature space. In this work, we introduce DL-FHMC, a fine-grained hierarchical learning approach for robust IoT malware detection. DL-FHMC utilizes Control Flow Graph (CFG)-based behavioral patterns for adversarial IoT malicious software detection. In particular, we extract a comprehensive list of behavioral patterns from a large dataset of malicious IoT binaries, represented by the shared execution flows, and use them as a modality for malicious behavior detection. Leveraging machine learning and subgraph isomorphism matching algorithms, DL-FHMC provides state-of-the-art performance in detecting malware samples and adversarial examples (AEs). We first highlight the caveats of CFG-based IoT malware detection systems, showing the adversarial capabilities in generating practical functionality-preserving AEs with reduced overhead using Graph Embedding and Augmentation (GEA) techniques. We then introduce Suspicious Behavior Detector, a component that extracts comprehensive behavioral patterns from three popular IoT malicious families, Gafgyt, Mirai, and Tsunami, for AEs detection with high accuracy. The proposed detector operates as a model-independent standalone module, with no prior assumptions of the adversarial attacks nor their configurations.