a novel framework to classify malware in mips architecture...

Research ArticleA Novel Framework to Classify Malware in MIPSArchitecture-Based IoT Devices

Tran Nghi Phu 12 Kien Hoang Dang1 Dung Ngo Quoc3 Nguyen Tho Dai14

and Nguyen Ngoc Binh5

1VNU University of Engineering and Technology (VNU-UET) Hanoi Vietnam2Peoplersquos Security Academy (PSA) Hanoi Vietnam3Posts and Telecommunications Institute of Technology (PTIT) Hanoi Vietnam4UMI UMMISCO 209 (IRDUPMC) Hanoi Vietnam5e Kyoto College of Graduate Studies for Informatics (KCGI) Kyoto Japan

Correspondence should be addressed to Tran Nghi Phu tnphvangmailcom

Received 8 June 2019 Revised 7 November 2019 Accepted 27 November 2019 Published 31 December 2019

Academic Editor Bela Genge

Copyright copy 2019 TranNghi Phu et alis is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

Malware on devices connected to the Internet via the Internet of ings (IoT) is evolving and is a core component of the fourthindustrial revolution IoT devices use the MIPS architecture with a large proportion running on embedded Linux operatingsystems but the automatic analysis of IoTmalware has not been resolved We proposed a framework to classify malware in IoTdevices by using MIPS-based system behavior (system callmdashsyscall) obtained from our F-Sandbox passive process and machinelearning techniques e F-Sandbox is a new type for IoTsandbox automatically created from the real rmware of the specializedIoTdevices inheriting the specialized environment in the real rmware therefore creating a diverse environment for sandboxingas an important characteristic of IoT sandbox is framework classies ve families of IoTmalware with F1-Weight 9744

1 Introduction

e rapid growth of the fourth industry development of theInternet of ings (IoT) leads to an unprecedented revo-lution in the cyber-physical systems and provides richutilities to users It envisaged the number of interconnecteddevices to exceed 50 billion by 2020 with an estimate ofabout 8 devices per person [1] Such an enormous amountwill impact our digital lives in many application domainstransportation healthcare smarthome smartcity medicaland health equipment energymanagement etc However inparallel with the developing IoT technology there is a se-curity issue of information leakage when anything can be-come a spy device anytime anywhere Since the last decadethe number of malware on IoT devices has exploded In therst half of 2018 there were more than 120000 IoTmalwareinstances detected by the Kaspersky IoT Lab [2]atrsquos morethan triple the amount of IoT malware seen throughout2017 Kaspersky Lab warns that the snowballing growth of

malware families for smart devices is a continuation of adangerous trend 2017 also saw the number of smart devicemalware modications rose to 10 times the amount seen in2016

Recorded attacks showed that target IoT devices havebecome critical In September 2016 IoTmalware built fromLinuxMirai malware was responsible for 11 Tbps DDoSattacks directed at the Dyn Domain Name System (DNS)provider [3] In 2017 LinuxBrickerbot a botnet similar toMirai infected more than 10 million IoTdevices around theworld [4] ere are many vulnerabilities that attackers canuse to obtain privileges for IoT devices OWASP hasidentied the tenmain issues [5] in which insecure rmwareinsecure web interface and insubrvbarcient authentication arementioned

ese problems made researchers do further study [6ndash13] and attracted the widespread attention of researcherssuch as IoTmalware ese methods can be divided into twomain categories Static methods are expressed by analyzing

HindawiSecurity and Communication NetworksVolume 2019 Article ID 4073940 13 pageshttpsdoiorg10115520194073940

and detecting malicious files without executing them Instatic malware analysis analysts reverse an executable fileinto assembly code to deepen their understanding of mal-ware activity )e static analysis [8 9] relies on extractingvarious characteristics from the executables such as Print-able String Information (PSI) Function Length Frequency(FLF) Operational codes (Opcodes) n-gram of byte se-quences header section and so on Dovom et al [11] used afuzzy pattern tree for the opcode of the executables to detectand classify in the IoTnodes One of the major advantages ofstatic analysis is the ability to observe the structure ofmalware All possible execution paths in the malware samplecan be detected without considering the processor archi-tectures Although static analysis has its advantages it hassome limitations )e key disadvantage of this approach isthat it is unable to detect complex and polymorphic mal-ware)erefore the static analysis approach alone might notbe sufficient to identify malware and should be com-plemented by the dynamic analysis [14] )e dynamic ap-proach consists of monitoring executable files during its run-time to detect abnormal behaviors)is approach performedby collecting information such as API calls network be-havior instruction traces registry changes memory writesand so on during the running process Based on thesecaptured data researchers have built machine learning (ML)or deep learning (DL) models to detect if a target file is amalware or not [11 15 16]

Almost all malware research is focusing on computingdevices with the Intel architecture (x86-64) [17 18] andrecently has switched to develop frameworks to detect IoTmalware such as [4151920] especially with the ARM ar-chitecture )ere have been a lot of frameworks to collectsystem calls of malware on the computer and mobile devicesand automatically analyze by machine learning Deep4-MalDroid [15] extracted the Linux kernel system calls fromthe executing apps on Android generates a weighted di-rected graph and then applies a deep learning frameworkresting on the graph-based features Martin et al [20]proposed a framework for dynamic and static analysis with alarge dataset extracted from Android applications and de-tected malware using a fusion of features and voting betweenclassifiers However no framework can collect system callsof IoT samples automatically analyze their logs and thenmeasure classificationmodel in a holistic of a full IoTdataset

In general the above frameworks have three maincomponents collection of IoTexecutable samples (includingmalware and benign executables) behavior extraction anddetectionclassification Concerning the first componentIoTPOTdeveloped by Pa et al [19] was the first honeypot tomimic IoT devices allowing the authors to capture morethan 4000 IoTmalware samples (according to [9]) AnotherIoTmalware database we can mention contains with morethan 9000 samples [21] Besides IoT malware samples it iscrucial to collect benign files to be able to implement de-tection algorithms Brash [22] has created 1078 benign and128 malware samples for ARM-based IoT applicationsSimilarly Nguyen et al [16] have collected 10033 ELF filesincluding 4002 IoTmalware samples and 6031 benign filesfrom different sources Samples were then labeled as

malwarebenign with VirusTotal [23] before inputting forclassifiers

)e second component comprises analyzing and loggingexecutable files during its runtime to detect abnormal be-haviors To perform this approach the most important partis to build a sandbox called an emulator so that executablefiles reveal all their behaviors In such an environmentmalware can only affect the virtual environments and notphysical devices Researchers use QEMU [24] a very popularopen-source system emulator to deal with this problemQEMU supports many types of processors such as ARMMIPS PowerPC x64 x86 and so on that are popularly usedin embedded devices [25] Some works are focusing ondeveloping sandbox such as [21 26ndash28] )e sandboxes areused as a core of IoT malware analysis and detectionframeworks such as [4 19] However these frameworks havedrawbacks that limit the detection capabilities of malwareIoTBox [19] has built a sandbox to capture and analyzeTelnet behaviors of IoTmalware used for DDoS attacks )isapproach could be useful for detecting network abnormalbehaviors but it cannot detect malware that behaves mostlyinside the operating system of the device such as Linux)eMoon [29] Costin et al [4] proposed a framework tocollect dynamic malware features based on the open-sourceCuckoo sandbox [26] to determine whether a LinuxElf fileis a malware or not However this framework is not pre-sented on how the collected data were analyzed and theprecision accuracy of the obtained results Rare [30] focusedon how to activate malware on Router by discovering staticand dynamic information to build a suitable environmentfor malware But Rare only used OpenWrt to build emulatedrouter did not emulate NVRAM and did not mentiondetecting malware on the router In the same approachChang et al [31] proposed IoTsandbox which can support 9kinds of CPU architectures including ARM (EL HF) MIPSMIPSEL PowerPC SPARC x86 x64 and sh4 )en ma-chine learning- or deep learning-based classifiers are usedfor classifying malware and benign files

Current sandboxes have been built on basic environ-ments including a common Linux-based operating systemand several additional monitoring tools )is strongly im-pacts on capture behaviors of a target executable file and thewhole detection process Firmwares are built and packagedfor specialized devices with specialized functions in manyenvironments that have little in common Many firmwareprograms cannot run in traditional malware analysissandboxes based on basic environments It is also hard toinstall required environments like firmware on the basicenvironment because it packages them in unpublishedfirmware )erefore we need to generate multivendor en-vironments like firmwares )at means IoT sandbox can setup not only a basic environment but also many environ-ments like firmware of physical devices To our knowledgethere are currently no sandboxes that can build environ-ments based on an actual device firmware can emulateNVRAM of devices and collect enough syscalls to classifymalware

)e MIPS processor architecture [32] appears in manynetwork devices such as routers wireless transmitters and

2 Security and Communication Networks

cameras [6 25] )e programrsquos behaviors are different whenrunning on every different processor architecture and op-erating system )erefore studying malware on devicesusing the Embedded Linux operating system and MIPSprocessor (MIPS ELF) is necessary Many studies have fo-cused on detecting malware through the syscall behaviorwith good detection results [33ndash35] but to our knowledgeresearch has not been carried out to detect malware viasyscall in MIPS ELF Previous studies focused on detectingmalware on Windows operating system for the i386 pro-cessor architecture Canzanese et al [33] evaluated withmany machine learning methods or deep learning appliedwith positive results It can also detect malware on theAndroid operating system via syscall like [34] Asmitha et al[35] experimented with the method of detecting malware onLinux through syscall with manymachine learning methodsbut the dataset is small with only 668 samples and also doneon the i386 architecture

In this paper we propose a novel framework thatconsists of analyzing MIPS ELF files based on syscall be-haviors We have collected and created a database of 3773MIPS ELF malware samples from Detux [21] IoTPOT [19]and VirusShare [36] We have built a specific QEMU-basedsandbox which was inherited from Firmadyne [25] andDetux [21] aimed at monitoring system call of the exe-cutable file )is sandbox named F-sandbox can self-configure the suitable requirement for a target MIPS exe-cutable file to reveal all behaviors Within this frameworkwe also implement popular machine learning classifiers suchas SVM Random Forest and Naive Bayes to evaluate theobtained data )e experiments show that our proposedframework can classify malware onMIPS with high accuracyby F1-Weight up to 9744 Our main contributions in thispaper are

(i) Proposing a novel sandbox which automatically setsup the adaptive environment for activating MIPSELF files

(ii) Comparing and selecting a suitable method ofextracting features and machine learning classifiersfor MIPS-based IoT malware detection purposes

(iii) Combining feature selection feature reduction andmachine learning methods with suitable parametersto build a novel framework for detecting MIPS-based IoT malware with high precision

(iv) Supporting the open-source activities we make oursystem available to the research community underan open-source license (GPL) to encourage furtherresearch into IoT For more information aboutsource code please see httpsgitlabcomNghiphuc500-sandbox)e F-sandbox system and maliciouscode detection module are provided at httpfirmwarevn in which the IoT dataset and in-structional materials are updated and provided tothe community

)e remaining sections of the paper are organized asfollows Section 2 shows related works Section 3 presents theF-Sandbox Section 4 describes the IDMD framework

Section 5 is about experiments finally the conclusions anddirections of the next development are with Section 6

2 Related Works

To perform the dynamic analysis the sandbox has a veryimportant role )ere are 2 types of sandboxes that arephysical and virtual Physical sandboxes are based on realhardware components such as RAM CPU and networkperipheral that give a better environment for the malware toreveal all their behaviors However physical sandboxes aredifficult to customize to storerestore their states )e typethat is not suitable for IoT-based malware because of thediversity of hardware in IoTdevices Different from PC IoTdevices have various processor architectures such as MIPSARM PowerPC and SPARC To deal with this problemVirtual sandbox based on the simulation and virtualizationtechnology is often used for monitoring executable files Ingeneral a virtual sandbox is built based on QEMU [24] ageneric and open-source machine emulator and virtualizerQEMU supports 26 different CPU architectures especiallyIoT processor architectures such as MIPS and ARM andsupports Windows and Linux operating systems )e mainchallenge of the virtual sandbox is the difficulty of setting upthe same function configuration especially network pe-ripherals )ere are two main virtual sandboxes that we canmention which are IoTPOT [19] and Detux [21]

Detux is an open-source sandbox based on QEMU thatsupports traffic analysis of the Linux malware in five dif-ferent CPU architectures MIPS MIPSEL ARM x86 andx64 )e first problem of Detux is that it does not virtualizenetwork peripheral so malware can infect other devicesthrough external connections Second the interaction withthe operating system was not considered so the informationsuch as file creation file deletion or read file are missingFinally the operating system executes files in Debian Linuxand it is not a common environment as used by IoTdevicestherefore it could be not suitable for some malware

IoTBox [19] is a sandbox aiming at analyzing networkbehaviors of IoT malware It supports 8 different processorarchitectures such as MIPS ARM MIPSEL PowerPC etcIoTPOT can detect common types of DOS attacks such asSYN flood UDP flood ACK flood and scan (Telnet UDPand TCP scan in some special port) DOS traffic will beblocked or allowed with low packet frequency to avoidharming the real system However limited to emulating onlyIoT devices from a few specific vendors IoTBOX is notsuitable for analyzing all kinds of malware that can infect IoTdevices When executing malware and monitoring DOSattack behavior may not be immediately executed thereforewe have to wait for a long time to observe it

Sandboxes capture two main data sources during theexecution of target files that are system calls and networkbehaviors Syscalls can be collected with different tools suchas Strace or Kernel probes

(i) Strace [37] is a tool on Linux operating system thatallows monitoring running programs collecting thesystem calls including the name parameters and

Security and Communication Networks 3

results of calling the system calls Strace allowstracking processes generated from the process beingtracked by Strace Strace has been used in manyworks to collect the interaction between executablefiles in the Android environment [34] or Linux [35]

(ii) Kernel probes abbreviated as Kprobes is a tool thatallows dynamically breaking into kernel routine andcollecting debugging information one of the in-formation kinds is a syscall Our sandbox usedKprobes built-in Kernel to monitor syscalls of allprocesses running on the firmware of an IoT deviceSometimes using Strace is not suitable for a trackingsystem First many processes could run beforestarting Strace therefore we can miss system callsSecond Strace can be easily resisted by some anti-debug techniques such as check ptrace status insource code During the process of collecting sys-calls in our experiments we have encountered suchmalware samples

Concerning network behaviors the popular tool thatcould be used is InetSim [38] InetSim is a Linux-basedsoftware package containing Perl scripts used to simulatemany network services such as DNS HTTP and FTPPynetSim [39] is considered an upgrade to improve InetSimfor IoT devices PyNetSim is developed in Python3 whichallows detecting malicious code protocols supportingscripts to interact with IoT malicious codes like bot DDoSMirai and LizardStresser

It is important to note that these previous works did notfocus on virtualizing network peripheral )is point limitsconsiderably monitoring the IoT malware behaviors espe-cially IoT botnet malware )is issue is indirectly solved byChen et al [25] )ey proposed a framework named Fir-madyne aiming at emulating router firmwarersquos web inter-face using QEMU Firmadyne can autoconfigure a suitableemulation environment for a wide range of the routerenabling a dynamic analysis of 23035 firmware imagesgathered from 42 devices vendors)is method does not relyon physical hardware to perform the analysis like Avatar[40] but Firmadyne emulates the firmware nonvolatilememory to execute the firmware web interface Once therouter web interface is emulated the popular scanningframework Metasploit is used for exploring vulnerabilitiesand its corresponding exploits However Firmadyne ana-lyzes only the web interfaces and ignores the firmwareoperating system execution Hence these methods cannottrace abnormal behaviors to detect malware as shown in theanalysis of Linux)eMoon and LinuxMirai malware ex-perimentation Based on Firmadyne we have built a novelsandbox that can set up the network configuration for mostIoT executable files including malware and benign )issandbox named F-Sandbox is presented in the next sectionand it is a part of the IDMD framework

3 F-Sandbox Architecture

Our proposed sandbox uses instrumentated kernel thatwas built with Kprobes allowing tracing Linux kernel

function calls and any instruction inside the kernel andinspecting the registers Using INetSimPyNetSim tosimulate the Internet the F-Sandbox provides a full en-vironment that reveals behaviors of an ELF file includingboth syscalls and network interaction [41] during itsruntime)e collected results from F-Sandbox will be staticanalysis information of the sample network data generatedin the pcaprsquos form file log INetsimPyNetSim about in-formation interacting with the Internet and other syscallsystem behavior in the form of a file syscall log F-Sandboxstructure has 4 main components Sandbox ControllerVirtual Machine QEMUMonitor and INetSimPyNetSimserver shown in Figure 1

(i) 0e Sandbox Controller interacts with the QEMUmonitor through calling commands that displaynetwork configuration and restore snapshots )esandbox controller interacts with the virtual machineby calling SSHTelnet procedures to the virtualmachine transmitting executable files from the realmachine inside granting execution rights requestingfile execution and getting log files It supports twomethods SSH and Telnet to connect and interactvirtual machine while Detux only supports SSH thisis our improvement over Detux )e sandbox con-troller operates the virtual machine by Telnet pro-tocol the file will be transferred to a virtual machineby wget ftp or tftp instead of scp depending on thespecific environment of the firmware

(ii) 0e virtual machine based on QEMU includes 2components QEMU image and Linux kernel )eimage of QEMU used in F-Sandbox containing thefile-system is extracted from the firmware by theFirmadyne Extract tool More tools are added to itand its configuration info is modified to emulate inQEMU but still fully inherit the packaged envi-ronment of the firmware )e Linux kernel used inthe F-Sandbox is the F-Kernel which improved fromthe Firmadyne instrumented kernel )e instru-mented kernel of Firmadyne can only listen to 15syscalls of the system therefore we extend to listen toall syscalls of the system aiming to collect all mali-cious code behavior Collecting all syscalls can affectthe speed of the F-Sandbox in many situations it isonly necessary to collect syscalls with a high fre-quency therefore the F-Kernel allows flexible con-figuration of syscall quantities to be collected withdifferent thresholds by setting syscall parameter whenstarting the F-Sandbox)e virtual machine interactswith the INetSim server through sending requests(HTTP FTP DNS etc) and recovers fake responsesfrom INetSim enp0s3 is an Ethernet Network In-terface of the host machine eth0 is the EthernetNetwork Interface of the virtual machine A virtualbridge connects host machines and virtual machines

(iii) 0e monitor performs virtual machine interactionthrough snapshot restore it is the same function ofDetux


(iv) InetSim server performs a simulation of the Internetenvironment it will redirect all network traffic tothe InetSim server via IPtables and DNS poisoning)is is one of the best tools for simulation of net-work service it helps us to emulate the networkenvironment to make malware reveal behaviors asconnecting to a server scanning port withoutharming the real Internet environment )e INet-Sim log will record the interactions with theInternet

We use QEMU as shown in Figure 2 to emulate firmwarewith loaded ELF files A good deal of firmware had an SSHserver other ones had only Telnet server Hence the F-Sandbox controller provides both Telnet and SSH connec-tors to interact with the two types of firmware Our methodof transferring files to the virtual machines is also very di-verse we created an FTP server an Apache web server and aTFTP server used by the virtual machine to downloadmalware file and execute it

)e sandbox controller calls a procedure to start thevirtual machine and QEMU monitor and initializes thevirtual machine from the existing state by using the imagerecovery function or configuring the network installingrequired packages and creating a snapshot to restore afterrunning a sample

4 IoT Dynamic Malware Detection Framework

We propose an IoT dynamic malware detection (IDMD)framework to learn and classify IoTmalware all steps shownin Figure 3 )e IDMD framework includes two phasesclassification model generation and classification In theclassification model generation phase the feature vectors oflabeled ELF samples are extracted by feature vectors

generation function and then these feature vectors with theirlabels are used to train amodel)e feature vectors generationfunction includes three steps sandbox initialization sandboxexecution and feature selection In the classification phaseunlabeled samples will be extracted by the feature vectorgeneration function with generated parameters from theclassification model generation phase then the extractedfeature vector will be classified by the generated model fromthe classification model generation phase

41 Sandbox Initialization As mentioned above oursandbox can build adaptive environments with samples byusing suitable firmware To select the suitable firmware foran ELF file to be executed this step extracts necessary in-formation such as Architecture (MIPS ARM etc) theendianness (Big-endianLittle-endian) and bit-length (163264) )is static information is extracted by using fileutility in Linux It helps our framework to select suitablefirmware among our database of 253 real MIPS-basedfirmwares of D-Link TP-Link Asus Belkin Linksys etc)e selected firmware is used to initialize our Sandboxes)e selected firmware has many parameters such as whattypes of transfer protocol they supported (FTP TFTP SCP)and what control protocol they supported (SSH Telnet))is information will configure the sandbox controller andstart and control the sandbox It is not trivial to determinewhich firmware is the most suitable to an ELF file thereforefor each ELF file our sandbox loads selected firmware one byone to perform with and the file with the most capturedsystem-call will be kept for the next steps

42 Sandbox Execution After initializing the sandbox withsuitable required parameters the sandbox controller

Host machine(i)

(ii)

(iii)

IP 192168196

IP 1921681timesDNS server gateway 192168196

Installed TFTP server FTP server Apache webserver to transfer file from host and virtual machineUsed IPTable to redirect all incoming packet toINetSim server

INetSimserver

Sandboxcontroller

QEMUmonitor

Filesystem from firmware sshtelnet serveris preinstalled

F-instrumentedkernel linux withsyscall monitoring

Virtual machine by Qemu

Virtual bridge

enp0s3

eth0

Figure 1 F-Sandbox structure


transfers the input ELF file into the sandbox )en bygranting all permissions to the ELF file F-Sandbox starts themonitoring function for 30 seconds Kprobe will collect thesyscall generated from the running program and its childprocesses )erefore it will be analyzed and filtered tocapture all log by the input ELF file If the malware sends anetwork request outside it will be automatically redirectedto INetSim via Iptables and the built-in DNS-poisoningtechnique in InetSim and INetSim server will return the fakeresponse of the same type as the object that the templaterequires It presents a sample of captured syscall log inFigure 4

43 Feature Selection To avoid the training time-consumingand reduce the risk of overfitting we try to extract the most

relevant features related to the label and then apply machinelearning algorithms to improve the performance of themodel In this paper there are two main selection steps

(i) )e selection of quantity and name of syscall amonglog files

(ii) )e selection of feature vectors among n-gramfeatures generated by selected syscall

)e MIPS architecture Linux operating system has 345different syscalls However they are not used by performedELF files especially ELF malware )e average used syscallsby 3223 ELF files is about 146 )e syscalls read and senttoare the most used ELF files which represent 86 of allcaptured log files )e 30 most frequent syscalls representover 99 of the whole captured ones In our experiments

Classification model generation

Labeled ELF files(including Malwares)

(LightAidra miraigafgyt dofloo and

benigns)

Sandboxinitialization

Sandboxexecution

Feature selectionClassifiction

modelgeneration

Feature vectors generation

Classification

Classification

Label of ELF files

Unlabeled ELF file Feature vectorsgeneration

LightAidra label

Mirai label

Gafgyt label

Dofloo label

Benign label

Figure 3 Proposed process for IoT malware classification

TP-linkenvironment

sandbox

D-linkenvironment

sandbox

Netgearenvironment

sandbox

Netgearsystem files

Wrtenvironment

sandbox

Wrtsystem files

Others

QEMU QEMU QEMU QEMUTP-link

system filesD-link

system files

F-kernel F-kernel F-kernel F-kernel

Syscall logs fromKprobe

Sandbox controller

Figure 2 F-sandbox with multivendor environments


the more the syscalls monitoring the slower the systemperformance When we try to implement F-Kernel moni-toring of more than 45 syscalls by Kprobe F-Sandbox slowsdown leading to programs not working because of a timeoutand the calculation time F-Sandbox used Kprobe which isdynamic instrumentation by trap instructions and thenlooking up handlers will incur an enormous overhead It isbecause of this reason that when we try to implement toomany syscalls our system will slow down)erefore insteadof taking into account all captured ones we remove everysyscalls except for the 30 most frequent ones and then applythe n-gram technique to construct feature vectors afterward

)e n-gram is the method of counting the occurrences ofn elements standing close to each other in a sequence itstores the number of these occurrences in a vector tocharacterize that string )is method has proven to be ef-fective in detecting malware based on syscall [17] In ourresearch we use n-gram with n 1 2 3 to get the featurevectors of the syscalls sequence With the selection of thesyscall set as above the vector is characterized by 2-gram and3-gram directions with how to choose 30 features are30times 30 900 features and 27000 features

To select n-gram features that have the strongest rela-tionship with the label efficient feature reduction techniquesbased on scores such as Chi-square or Information Gain canbe used [42] But Chandra and Gupta [43] said that in most oftheir cases Chi-square was ahead or at part with InformationGain In our experiments Chi-square is more efficient thanInformation Gain)erefore our framework used Chi-squareas a feature reduction method )e Chi-square score iscomputed between each feature and the target afterward weselect the desired number of features with the best Chi-squarescores It determines if the association between two cate-gorical variables of the sample would reflect their real asso-ciation in the population and it is the technique we chose forselecting the most relevant features in this paperWe will rankfeatures according to the following formula

X2(D t c) 1113944

etisin 01

1113944ecisin 01

Netecminus Eetec

1113872 11138732

Eetec

(1)

where et 1 when the content ofD contains a characteristicotherwise et 0 ec 1 whenD belongs to class c otherwise

ec 0N is the observed frequency ofD and E is the expectedfrequency We choose the number of feature vectors basedon the ratio between the total features scores and thesubfeatures scores ranking order by descending We de-termine that 350 features having the highest score represent999 of the total score of 900 features (n 2) as shown inFigure 5 )ese selected features will be then inputted to theclassification step

44 Classification )e machine learning methods are wellstudied in detecting malware each method will give the resultfor different datasets Souri and Hosseini [44] have reportedmany recent studies and evaluated three popular researchmethods with malware detection and the best result isSupport Vector Machine (SVM) Random Forest (RF) andNaive Bayes (NB) )e SVM classification method has per-formed well on traditional classification tasks and we selectedit for the text classification systems and intrusion detectionsystems and achieves high accuracy when combined with then-gram feature extraction method )e advantage of thismethod is that its general capability can be improved by usingthe principle of structural risk minimization SVM uses akernel function to map training data into a higher-dimensionspace so that the problem is separable Decision Tree is astructured hierarchical tree used to classify objects based on aseries of rules Random Forest uses many trees and forecast byaveraging the predictions of each component tree NaivendashBayes is a probability-based classificationmethod which givesgood results in detecting malicious code [45]

5 Experiments

51 MIPS IoT Samples An IoT sample dataset used fortesting is a set of 3403 MIPS ELF samples including 3223malware samples and 228 benign files Malware datasets arecollected from 2 different sources Detux [21] and IoTPOTteam [19] Detux has collected more than 9000 samplesincluding more than 3200 MIPS ELF samples IoTPOT hascollected 4000 samples of which 938MIPS ELF samples andonly 38 samples coincide with the MIPS ELF pattern ofDetux To label the experimental samples there are 2 mainoptions which are an evaluation based on a reputable an-tivirus like Kaspersky [46] or antivirus software combination[18] We labeled the templates based on Virustotal [23] firstidentify malicious designs that are Virustotal samples dis-covered by over 10 software including reputable softwareKaspersky Avast Avg Symantec we got 3223 malicioussamples We then labeled this 3223 malwares based on theantivirus combination which uses Symantecrsquos main labelthe antivirus engine has a good detection capability and aclever naming scheme In the malicious dataset there are 37different families many popular and popular maliciouscodes like LightAidraAidraZendran DoflooSpikeMrBlackWrkatkSotdasAESDDoSDnsAmp GafgytBASH-LITELizkebabTorlus TsunamiKaiten SecurityRiskMoose Hajime TrojanGen etc but to ensure the classi-fication accuracy and avoid the imbalance in the number ofsamples of the classes in the training process articles select

[ 1820448000] fm open[PID 1121 (modprobe)] fileliblibmso0[ 1820448000] fm read[PID 1121 (modprobe)] fd0 size4096[ 1820448000] fm close[PID 1121 (modprobe)] fd0[ 1820448000] fm open[PID 1121 (modprobe)] fileliblibcso0[ 1820448000] fm read[PID 1121 (modprobe)] fd0 size4096[ 1820448000] fm close[PID 1121 (modprobe)] fd0[ 1820448000] fm open[PID 1121 (modprobe)] fileliblibcso0[ 1820448000] fm close[PID 1121 (modprobe)] fd0[ 1820448000] fm open[PID 1121 (modprobe)] filelibmodules263270modulesdep[ 1820448000] fm open[PID 1121 (modprobe)] filelibmodulesmodulesdep[ 1820452000] fm write[PID 1121 (modprobe)] fd2 size35[ 1820452000] fm do_exit[PID 1121 (modprobe)] code256[ 1820452000] fm open[PID 1123 (modprobe)] fileliblibmso0[ 1820452000] fm read[PID 1123 (modprobe)] fd0 size4096[ 1820452000] fm close[PID 1123 (modprobe)] fd0[ 1820452000] fm open[PID 1123 (modprobe)] fileliblibcso0[ 1820452000] fm read[PID 1123 (modprobe)] fd0 size4096[ 1820452000] fm close[PID 1123 (modprobe)] fd0[ 1820452000] fm open[PID 1123 (modprobe)] fileliblibcso0[ 1820452000] fm close[PID 1123 (modprobe)] fd0[ 1820456000] fm open[PID 1123 (modprobe)] filelibmodules263270modulesdep

Figure 4 Captured system calls log of a malware sample


only 4 typical malicious family names and have a samplenumber greater than 100 )e distribution of the maliciouscodes in the IoT dataset is shown in Figure 6

We collect the benign dataset from the basic programsavailable on Embedded Linux BusyBox built-in programsEmbedded Linux kernel and some MIPS-based basic ap-plications )e number of clean samples collected is 280samples Devices using MIPS chips are specialized devicesthere are very limited application stores and the number ofclean programs collected is therefore also limited )us theinput dataset has five labels four malware labels includingLightAidra Mirai Gafgyf Dofloo and one Benign label

52 Collecting Syscall Log According to [17] the syscall logmust be collected within a certain time and the minimumlength of the syscall log is 1500 which will show the result inthe best detection with malware on Windows i386 archi-tecture )e numbers generated during the first 30 s focusedsandbox implementation when increasing this time to 60 s90 s 120 s the syscall number obtained does not changemuch so we continue to collect the log for each sample in 30seconds )e average syscall log length of the sample set islower than the threshold of 1500 syscalls and for each typeof malware it gives the average length of the different logswhich is the average length of malicious code families shownin Table 1

By analyzing the collected logs when executing thetemplates in F-Sandbox the log files of length less than 50are generated by samples with errors such as insufficientparameters to operate lack of libraries errors initialize andso on A sample when normally active has a length of syscalllog more than 50 the number of programs with severalsyscalls over 1500 such as [17] is not large most programscall the number of syscalls in the range from 50 to 500 asshown in Table 2)e range of syscallrsquos lengthMIPS ELF filesis shorter which can also be explained because programswritten on IoTare often simpler on multipurpose computersdue to constrained resources and functions

From the initial process created when running thesample the malicious code creates a lot of child processesin which malicious code creates 1000 child processes and

most malicious code creates 3 child processes )e numberof generated child processes is shown in Figure 7)erefore when collecting the syscall log of the sample itis a syscall log of all processes generated when executingthat pattern

Analyzing the collected log file the malware only uses136 syscalls the benign set uses 127 most of the syscall of 2episodes overlap and there are 160 syscalls appear in bothsets Distributing irregular patterns 2 syscalls read and sendto occupy 86 of the system Detailed statistics of syscalls isshown in Figure 8 )e data feature syscall log is alsoconsistent with the published behavior of malicious codesending information to the destination

)rough analysis malware on IoT devices also hashidden features such as detection of analysis programsSeveral malware samples can detect Strace tracking so itdoes not activate them Some previous observations suggestthat malicious code on IoT is simple but still uses commonhidden techniques of malware

53 PerformanceMeasures We measure the effectiveness ofthe classifiers in terms of precision recall and F1 score Itcomputes these three quantities on a per-class basis )eprecision for a class Ck is the fraction of processes classifiedas Ck

Lightaidra Mirai Dofloo Gafgyt Other

1058

788

239157

981

Figure 6 Types of malware in the IoT dataset

100

1955

368 142 057 018 01 003 00010

20

40

60

80

100

1 50 100 150 200 250 300 350 400

Figure 5 )e ratio between the total features scores and thesubfeatures scores ranking order by descending

Table 2 Evaluating the number of syscall samples

Label 50 100 200 300 400 500 1500Number of benignsamples 280 259 145 123 104 94 6

Number of malwaresamples 2370 2288 2165 2142 765 756 67

Table 1 Number sample of each class

Label Lightaidra Mirai Gafgyt Dofloo BenignNumber of samples 796 477 132 241 280Average length ofsyscall log 354 3012 300 691 286


precisionCk TPCk

TPCk + FPCk

(2)

where TPCk and FPCk are the numbers of true positives andfalse positives predicted by the classifier ie the number of

processes correctly and incorrectly classified as belonging toCk )e precision measures the relevance of the positiveclassifications A precision of 1 indicates that the classifier isalways correct when it classifies a process as belonging toclass Ck whereas a precision of 0 shows it is never correctwhen it does so )e recall of class Ck is the fraction of theprocesses belonging to Ck in the ground truth that arecorrectly classified

recallCk TPCk

TPCk + FNCk

(3)

where FNCk is the number of false negatives ie thenumber of instances of Ck misclassified as belonging toanother class )e recall measures the sensitivity of theclassifier A recall of 1 shows that a classifier correctlyidentifies every instance of class Ck whereas a recall of 0indicates that a classifier never identifies instances of Ck )eF1 score of a class Ck is the harmonic mean of the precisionand recall of that class An F1 score of 0 indicates 0 recall or 0precision whereas an F1 score of 1 indicates perfect recalland precision In this study per-class F1 scores are averagedover all the classes to provide an overall characterization of aclassifier We consider three averaging techniques ac-counting for the unbalanced representation of the malwareclasses used in this study

(i) Microaveraged F1 score the F1 score computedfrom the aggregate set characterizing classifierperformance on large classes

(ii) Macroveraged F1 score the average of the F1 scoresof the classes characterizing classifier performanceon small classes

(iii) Weighted F1 score the weighted average of the F1scores of the classes with weights proportional totheir support in the ground truth

54 Training and Evaluation We installed the test based onthe Scikit-learn Python library 0192 on laptop Core i5MacBook Pro Ram 16GB Build 10 datasets generated fromthe IoT dataset according to the minimum length of syscalllog n with n 50 100 150 200 250 300 350 400 450 500to determine which threshold is the most suitable fordetecting MIPS ELF malware classification If the length ofthe selected log file is too small there will not be enoughinformation to determine the program characteristics Onthe contrary if the length of the log file is too large manyprograms that simply click are not evaluated and the abilityto detect malicious code will be delayed )e goal is todetermine the threshold as small as possible and whichmachine learning method is most suitable )e smaller thethreshold is determined the sooner the malware is detected

With the method of extracting n-gram characteristics ifn is too small (1-gram) the information got shows only thefrequency of single syscall occurrences If n is too large thenumber of the characteristic collections is very large and thecharacteristics obtained are sensitive to the transformationtechniques of malware Recently studied experiments

1 process2 process3 process4 process

5 process6 process7 processgt8 process

4

4

63

43

267

7

Figure 7 Statistics of the number of processes created by the IoTdataset

ReadSendtoTime_newselectCloseOpen

FcntlRecvfromReadlinkSocketOther

Figure 8 )e rate of system calls


[33 46] gave the best results with 2-gram and 3-gram so 2-gram and 3-gram are selected in this model test

After extracting the feature vector by the n-grammethod Chi-square is used to reduce the dimensional of thefeature vector to K dimensions Based on the experiments in[46 47] we set K 350

We experimented with the dataset to select the bestparameters for SVM NB and RF using the grid searchmethod For SVM we classify using the OVO method usethe Sigmoid kernel and find the optimal parameter C in therange (1ndash100000) and the gamma value in the range(00000001ndash1) For RF we find two pros-parametric pa-rameters the feature function which is one of three func-tions (sqrt log2 sqr) and the number of n_estimators in therange (2ndash700)

Cross validation is a popular method in machinelearning to assess a detectionclassification methodrsquos out-comes gained from experiments that can be generalized intoan independent sample It consists of many techniques suchas Repeated Random Sub-sampling K-fold and Leave-OutK-fold involves randomly dividing the set of observationsinto K groups or folds of equal size )e first fold is treatedas a validation set and the method is fit on the remainingKminus 1 folds [48] )e K-fold validation is suitable for limitedsize datasets [49] In the experiments we use a 5-fold cross-validation method with the selected parameter set in thetraining and evaluating step It divides data into different fivesections four of them are used as training data and theremained section is used as testing data for each experimentMeasures are calculated as the average of five times in theseexperiments

55 Experimental Results )e table in Figure 9 representsthe overall results of F1-Macro F1-Micro and F1-weightcorresponding to different machine learning methods andthreshold syscall lengths )e results show that the modelsfor the measurements are approximately the same alto-gether about one value and there are nomany deviations thatdemonstrate a good model

)e charts in Figures 10ndash12 compare the results ofidentification methods RF SVM and NB with 2-gram and

3-gram features Experimental results show that 2-gramgives the best value for the classifier with all three algorithmsRF SVM and NB

)e charts in Figures 13 and 14 compare the F1-Weighted value of 3 sets classifier with different minimumsyscall log thresholds )e experimental results show that RFgives the best classification ability then to SVM and NBFrom both charts above it can be seen that the minimumsyscall log threshold for classifying malicious code on theMIPS ELF set is 400

From the experimental results we can see

(i) With MIPS ELF samples our framework gets thehighest results with the 2-gram feature extractionmethod with the Random Forest classificationmethod the minimum syscall length threshold is400 Compared with the minimum length of thesyscall log evaluated by Canzanese et al [33] withmalware dataset onWindows is 1500 the MIPS ELFfile is smaller the reason why it can be explained isbecause of the simple embedded program sets )ereare fewer functions than Windows which is also thefeature of embedded software )at may also be the

F1 - micro F1 - weightLen F1 - macroRF SVM NB RF SVM NB RF SVM NB

50 8553 8031 6771 9289 9169 6887 9198 8963 6706100 8610 8515 6951 9303 9202 6946 9223 9132 6785150 8545 8317 7069 939 9245 7049 9279 9133 6926200 8598 8304 7851 9395 9271 8496 9295 9152 8388250 8558 8283 7829 9400 9263 8490 9288 9144 8378300 8553 8128 7821 9415 9283 8495 9301 9113 8391350 8505 8130 7386 9373 9249 7979 9265 9093 7850400 9255 8849 7924 9756 9613 9367 9744 9601 9340450 9222 9048 8009 9753 9608 9417 9742 9604 9400500 9241 9094 7979 9751 9663 9397 9739 9664 9376

Figure 9 F1-Macro F1-Micro and F1-weight with 2-gram feature

09

091

092

093

094

095

096

097

098

100 200 300 400 500

2-gram3-gram

Figure 10 Random forest classification with 2-gram and 3-gram


reason for the 2-gram explanation for the ability toclassify better than 3-gram

(ii) )e results in the IoT dataset are good and gatherclassification from objective sources thus provingthat F-Sandbox works correctly and efficiently

6 Conclusions and Future Work

In this paper we proposed a framework for detecting andclassifying MIPS ELF malware based on syscall and machinelearning methods )is is the first study specializing inmalware in MIPS ELF In particular the main contributionis MIPS IoT dataset a novel type for IoT sandbox based onthe improvement and integration of Detux sandbox andFirmadyne emulation We also collected standardized theMIPS IoT dataset In theory the study has shown manycharacteristics of the malware type in MIPS ELF finding themost suitable methods and parameters for detecting MIPSELF malware based on machine learning methods To thebest of our knowledge this paper is the first to provide acomprehensive framework including not only an overallmethodology but also a sandbox environment and relatedtools for collecting MIPS-based malware syscalls classifyingthem to their respective families and evaluating the clas-sification performances We provided the generated IoTdataset used in our experiments and the source code of oursandbox tool to researchers at sites httpsgitlabcomNghiphuc500-sandbox and httpfirmwarevn for aca-demic purposes

In future work we continue to develop F-Sandbox sothat malware can execute at high rates exposing morebehavior In this framework we have only exploited theinformation about syscall obtained from F-Sandbox to de-tect malware other information such as network behaviorsprocess states will be further considered and researchedStatic information not only uses to initialize F-Sandbox butalso combines with dynamic behaviors to detectclassifymalware )erefore our works in near time integrate static

06

065

07

075

08

085

09

095

100 200 300 400 500

RFNBSVM

Figure 14 F1-weighted with 3-gram

067

072

077

082

087

092

097

100 200 300 400 500

RFNBSVM


09

091

092

093

094

095

096

097

098

100 200 300 400 500

2-gram3-gram

Figure 11 SVM classification with 2-gram and 3-gram

06

065

07

075

08

085

09

095

100 200 300 400 500

2-gram3-gram

Figure 12 Naive bayes classification with 2-gram and 3-gram


information static feature system behaviors and networkbehaviors are that extracted from F-Sandbox to detectclassify malware F-Sandbox supports and experiments forthe MIPS architecture therefore next time we will deployfor another architecture such as ARM PowerPC

Data Availability

Supporting the open-source activities we make our systemavailable to the research community under an open-sourcelicense to encourage further research into IoT For moreinformation about source code please see httpsgitlabcomNghiphuc500-sandbox )e implemention of F-sandbox system and malicious code detection module areprovided at httpfirmwarevn in which syscall logs ofC500-IoT dataset is also updated regularly and provided tothe community

Conflicts of Interest

)e authors declare that they have no conflicts of interest

Acknowledgments

)is research was partially funded by Ministry of Scienceand Technology of Vietnam grant number KC011916-20

References

[1] ldquo)e internet of things how the next evolution of the internetis changing everythingrdquo 2019 httpwwwciscocom

[2] Kaspersky IoT Lab Report ldquoNew IoTmalware grew three foldin H1 2018rdquo 2019 httpswwwkasperskycomaboutpress-releases2018_new-iot-malware-grew-three-fold-in-h1-2018

[3] K Angrishi ldquoTurning internet of things into internet ofvulnerabilities IoT botnetsrdquo 2017 httpsarxivorgabs170203681

[4] A Costin and Z Jonas ldquoIoTmalware comprehensive surveyanalysis framework and case studiesrdquo in Proceedings of theBlack Hat Conference 2018 Las Vegas NV USA August 2018

[5] ldquoInternet of )ings Top 10 Projectrdquo 2019 httpwwwowasporg

[6] A Costin Z Jonas A Francillon and D Balzarotti ldquoA large-scale analysis of the security of embedded firmwaresrdquo inProceedings of the 23rd USENIX Security Symposiumpp 95ndash110 2014 httpswwwusenixorgconferenceusenixsecurity14techincal-sessionspresentationcostin

[7] D Davidson B Moench T Ristenpart and S Jha ldquoFIE onFirmware Finding Vulnerabilities in Embedded SystemsUsing Symbolic Executionrdquo in Proceedings of the 22nd Se-curity Symposium (USENIX) pp 463ndash478 Washington DCUSA August 2013

[8] A Kapoor and S Dhavale ldquoControl flow graph based mul-ticlass malware detection using Bi-normal separationrdquo De-fence Science Journal vol 66 no 2 pp 138ndash145 2016

[9] M Alhanahnah Q Lin and Q Yan ldquoEfficient signaturegeneration for classifying cross-architecture IoTmalwarerdquo inProceedings of the IEEE Conference on Communications andNetwork Security (CNS) pp 1ndash9 Beijing China June 2018

[10] S Yan R Wang H Christophe K Christopher andV Giovanni Firmalice-Automatic Detection of AuthenticationBypass Vulnerabilities in Binary Firmware NDSS New YorkNY USA 2015

[11] E M Dovom A Amin D Ali D Ellis Newton R M Pariziand H Karimipour ldquoFuzzy pattern tree for edge malwaredetection and categorization in IoTrdquo Journal of Systems Ar-chitecture vol 97 pp 1ndash7 2019

[12] T N Phu N Q Dung L V Hoang N D )o andN N Binh ldquoA system emulation for malware detection inroutersrdquo International Journal of Innovative Technology andExploring Engineering (IJITEE) vol 8 no 11 pp 32ndash40 2019

[13] Pavel Celeda R Krejci and V Krmicek ldquoRevealing andanalysing modem malwarerdquo in Proceedings of the 2012 IEEEInternational Conference on Communications (ICC)pp 971ndash975 Ottawa ON USA June 2012

[14] C Tankard ldquo)e security issues of the internet of thingsrdquoComputer Fraud amp Security vol 2015 no 9 pp 11ndash14 2015

[15] S Hou A Saas L Chen and Y Ye ldquoDeep4MalDroid a deeplearning framework for android malware detection based onLinux kernel system call graphsrdquo in Proceedings of the 2016IEEEWICACM International Conference onWeb IntelligenceWorkshops (WIW) Omaha NE USA October 2016

[16] H T Nguyen Q D Ngo and L Van Hoang ldquoIoT botnetdetection approach based on PSI graph and DGCNN clas-sifierrdquo in Proceedings of the 2018 IEEE International Con-ference on Information Communication and Signal Processing(ICICSP) pp 18ndash122 Singapore September 2018

[17] C Raymond ldquoDetection and classification of maliciousprocesses using system call analysisrdquo Drexel UniversityPhiladelphia PA USA 2015 httpspdfssemanticscholarorg8060eae74c98a66cfcc736f4fca61d46f4dbc1d4pdf Doc-tor of Philosophy

[18] K Rieck P Trinius C Willems and T Holz ldquoAutomaticanalysis of malware behavior using machine learningrdquoJournal of Computer Security vol 19 no 4 pp 639ndash668 2011

[19] Y M P Pa S Suzuki K Yoshioka T Matsumoto T Kasamaand C Rossow ldquoIoTPOT a novel honeypot for revealingcurrent IoT threatsrdquo Journal of Information Processingvol 24 no 3 pp 522ndash533 2016

[20] A Martin R Lara-Cabrera and D Camacho ldquoAndroidmalware detection through hybrid features fusion and en-semble classifiers the AndroPyTool framework and theOmniDroid datasetrdquo Information Fusion vol 52 pp 128ndash142 2018

[21] ldquoDetuxrdquo 2019 httpsgithubcomdetuxsandboxdetux[22] D Brash ldquoRecent additions to the ARMv7-A architecturerdquo in

Proceedings of the 2010 IEEE International Conference onComputer Design Amsterdam Netherlands October 2010

[23] ldquoVirus Totalrdquo 2019 httpvirustotalcom[24] ldquoQEMUrdquo 2019 httpwikiqemuorg[25] D D Chen M Egele M Woo and D Brumley Towards

Automated Dynamic Analysis for Linux-Based EmbeddedFirmware Carnegie Mellon University Pittsburgh PA USA2015

[26] ldquoCuckoo Sandboxmdashautomated malware analysisrdquo 2019httpswwwcuckoosandboxorg

[27] C Willems T Holz and F Freiling ldquoToward automateddynamic malware analysis using CWSandboxrdquo IEEE Securityand Privacy Magazine vol 5 no 2 pp 32ndash39 2007

[28] U Bayer A Moser C Kruegel and E Kirda ldquoDynamicanalysis of malicious coderdquo Journal in Computer Virologyvol 2 no 1 pp 67ndash77 2006

[29] ldquoSuspectedmass exploit against linksys E1000E1200 routersrdquo2019 httpsiscsanseduforumsdiarySuspected+Mass+Exploit+Against+Linksys+E1000+E1200+Routers17621

[30] D Ahmad C-Yu Chuang M Faloutsos Z Qian and H YinldquoRARE a systematic augmented router emulation for


malware analysisrdquo in Passive and Active Measurement Lec-ture Notes in Computer Science R Beverly G Smaragdakisand A Feldmann Eds pp 60ndash72 Springer InternationalPublishing Cham Switzerland 2018

[31] K-C Chang R Tso and M-C Tsai ldquoIoTsandbox to analysisIoT malware zollardrdquo in Proceedings of the InternationalConference on Internet of things and Cloud Computingpp 4ndash12 Cambridge UK March 2017

[32] ldquoMIPS wikipediardquo 2019 httpsviwikipediaorgwikiMIPS[33] R Canzanese S Mancoridis and M Kam ldquoRun-time clas-

sification of malicious processes using system call analysisrdquo inProceedings of the 10th International Conference on Maliciousand Unwanted Software (MALWARE) pp 21ndash28 FajardoPR USA October 2015

[34] S Chaba R Kumar R Pant and M Dave ldquoMalware de-tection approach for android systems using system call logsrdquo2017 httpsarxivorgabs170908805

[35] K A Asmitha and P Vinod ldquoA machine learning approachfor Linux malware detectionrdquo in Proceedings of the 2014International Conference on Issues and Challenges in Intelli-gent Computing Techniques (ICICT) pp 825ndash830 GhaziabadIndia February 2014

[36] ldquoVirus sharerdquo 2019 httpsvirussharecom[37] ldquoStrace toolrdquo 2019 httpsourceforgenetprojectsstrace[38] ldquoInetSimrdquo 2019 httpswwwinetsimorg[39] ldquoPyNetsimrdquo 2019 httpsgithubcomjjo-secpynetsim[40] J Zaddach L Bruno A Francillon and D B Avatar ldquoA

framework to support dynamic security analysis of embeddedsystems firmwaresrdquo in Proceedings of the 2014 Network andDistributed System Security Symposium pp 23ndash26 )e In-ternet Society San Diego CA USA February 2014

[41] M Sikorski and A Honig Practical Malware Analysis 0eHands-On Guide to Dissecting Malicious Software No StarchPress San Francisco CA USA 1st edition 2012

[42] Y Yang and J O Pedersen ldquoA comparative study on featureselection in text categorizationrdquo in Proceedings of the Four-teenth International Conference on Machine Learningvol 412ndash420 Morgan Kaufmann Publishers Inc NashvilleTN USA July 1997

[43] B Chandra and M Gupta ldquoAn efficient statistical featureselection approach for classification of gene expression datardquoJournal of Biomedical Informatics vol 44 no 4 pp 529ndash5352011

[44] A Souri and R Hosseini ldquoA state-of-the-art survey of mal-ware detection approaches using data mining techniquesrdquoHuman-Centric Computing and Information Sciences vol 8no 1 2018

[45] F Shang Y Li X Deng and D He ldquoAndroid malwaredetection method based on naive Bayes and permissioncorrelation algorithmrdquo Cluster Computing vol 21 no 1pp 955ndash966 2017

[46] Y Ding W Dai S Yan and Y Zhang ldquoControl flow-basedopcode behavior analysis for malware detectionrdquo Computersamp Security vol 44 pp 65ndash74 2014

[47] R Perdisci D Ariu P Fogla G Giacinto and W LeeldquoMcPAD a multiple classifier system for accurate payload-based anomaly detectionrdquo Computer Networks vol 53 no 6pp 864ndash881 2009

[48] G James D Witten T Hastie and R Tibshirani An In-troduction to Statistical Learning With Applications in RSpringer Berlin Germany 1st edition 2013

[49] Y Bengio and Y Grandvalet ldquoNo unbiased estimator of thevariance of k-fold cross-validationrdquo Journal of MachineLearning Research vol 5 pp 1089ndash1105 2004


International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018


Active and Passive Electronic Components

VLSI Design



Shock and Vibration


Civil EngineeringAdvances in

Acoustics and VibrationAdvances in



Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of



Journal ofEngineeringVolume 2018

SensorsJournal of



RotatingMachinery


Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018


Chemical EngineeringInternational Journal of Antennas and

Propagation




Navigation and Observation


Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom

and detecting malicious files without executing them Instatic malware analysis analysts reverse an executable fileinto assembly code to deepen their understanding of mal-ware activity )e static analysis [8 9] relies on extractingvarious characteristics from the executables such as Print-able String Information (PSI) Function Length Frequency(FLF) Operational codes (Opcodes) n-gram of byte se-quences header section and so on Dovom et al [11] used afuzzy pattern tree for the opcode of the executables to detectand classify in the IoTnodes One of the major advantages ofstatic analysis is the ability to observe the structure ofmalware All possible execution paths in the malware samplecan be detected without considering the processor archi-tectures Although static analysis has its advantages it hassome limitations )e key disadvantage of this approach isthat it is unable to detect complex and polymorphic mal-ware)erefore the static analysis approach alone might notbe sufficient to identify malware and should be com-plemented by the dynamic analysis [14] )e dynamic ap-proach consists of monitoring executable files during its run-time to detect abnormal behaviors)is approach performedby collecting information such as API calls network be-havior instruction traces registry changes memory writesand so on during the running process Based on thesecaptured data researchers have built machine learning (ML)or deep learning (DL) models to detect if a target file is amalware or not [11 15 16]

Almost all malware research is focusing on computingdevices with the Intel architecture (x86-64) [17 18] andrecently has switched to develop frameworks to detect IoTmalware such as [4151920] especially with the ARM ar-chitecture )ere have been a lot of frameworks to collectsystem calls of malware on the computer and mobile devicesand automatically analyze by machine learning Deep4-MalDroid [15] extracted the Linux kernel system calls fromthe executing apps on Android generates a weighted di-rected graph and then applies a deep learning frameworkresting on the graph-based features Martin et al [20]proposed a framework for dynamic and static analysis with alarge dataset extracted from Android applications and de-tected malware using a fusion of features and voting betweenclassifiers However no framework can collect system callsof IoT samples automatically analyze their logs and thenmeasure classificationmodel in a holistic of a full IoTdataset

In general the above frameworks have three maincomponents collection of IoTexecutable samples (includingmalware and benign executables) behavior extraction anddetectionclassification Concerning the first componentIoTPOTdeveloped by Pa et al [19] was the first honeypot tomimic IoT devices allowing the authors to capture morethan 4000 IoTmalware samples (according to [9]) AnotherIoTmalware database we can mention contains with morethan 9000 samples [21] Besides IoT malware samples it iscrucial to collect benign files to be able to implement de-tection algorithms Brash [22] has created 1078 benign and128 malware samples for ARM-based IoT applicationsSimilarly Nguyen et al [16] have collected 10033 ELF filesincluding 4002 IoTmalware samples and 6031 benign filesfrom different sources Samples were then labeled as

malwarebenign with VirusTotal [23] before inputting forclassifiers

)e second component comprises analyzing and loggingexecutable files during its runtime to detect abnormal be-haviors To perform this approach the most important partis to build a sandbox called an emulator so that executablefiles reveal all their behaviors In such an environmentmalware can only affect the virtual environments and notphysical devices Researchers use QEMU [24] a very popularopen-source system emulator to deal with this problemQEMU supports many types of processors such as ARMMIPS PowerPC x64 x86 and so on that are popularly usedin embedded devices [25] Some works are focusing ondeveloping sandbox such as [21 26ndash28] )e sandboxes areused as a core of IoT malware analysis and detectionframeworks such as [4 19] However these frameworks havedrawbacks that limit the detection capabilities of malwareIoTBox [19] has built a sandbox to capture and analyzeTelnet behaviors of IoTmalware used for DDoS attacks )isapproach could be useful for detecting network abnormalbehaviors but it cannot detect malware that behaves mostlyinside the operating system of the device such as Linux)eMoon [29] Costin et al [4] proposed a framework tocollect dynamic malware features based on the open-sourceCuckoo sandbox [26] to determine whether a LinuxElf fileis a malware or not However this framework is not pre-sented on how the collected data were analyzed and theprecision accuracy of the obtained results Rare [30] focusedon how to activate malware on Router by discovering staticand dynamic information to build a suitable environmentfor malware But Rare only used OpenWrt to build emulatedrouter did not emulate NVRAM and did not mentiondetecting malware on the router In the same approachChang et al [31] proposed IoTsandbox which can support 9kinds of CPU architectures including ARM (EL HF) MIPSMIPSEL PowerPC SPARC x86 x64 and sh4 )en ma-chine learning- or deep learning-based classifiers are usedfor classifying malware and benign files

Current sandboxes have been built on basic environ-ments including a common Linux-based operating systemand several additional monitoring tools )is strongly im-pacts on capture behaviors of a target executable file and thewhole detection process Firmwares are built and packagedfor specialized devices with specialized functions in manyenvironments that have little in common Many firmwareprograms cannot run in traditional malware analysissandboxes based on basic environments It is also hard toinstall required environments like firmware on the basicenvironment because it packages them in unpublishedfirmware )erefore we need to generate multivendor en-vironments like firmwares )at means IoT sandbox can setup not only a basic environment but also many environ-ments like firmware of physical devices To our knowledgethere are currently no sandboxes that can build environ-ments based on an actual device firmware can emulateNVRAM of devices and collect enough syscalls to classifymalware

)e MIPS processor architecture [32] appears in manynetwork devices such as routers wireless transmitters and










2 Related Works


























Host machine(i)

(ii)

(iii)

IP 192168196



INetSimserver

Sandboxcontroller

QEMUmonitor




Virtual bridge

enp0s3

eth0












benigns)


Sandboxexecution


modelgeneration


Classification

Classification

Label of ELF files


LightAidra label

Mirai label

Gafgyt label

Dofloo label

Benign label


TP-linkenvironment

sandbox

D-linkenvironment

sandbox

Netgearenvironment

sandbox

Netgearsystem files

Wrtenvironment

sandbox

Wrtsystem files

Others


system filesD-link

system files



Sandbox controller






X2(D t c) 1113944

etisin 01

1113944ecisin 01

Netecminus Eetec

1113872 11138732

Eetec

(1)




5 Experiments















1058

788

239157

981


100

1955

368 142 057 018 01 003 00010

20

40

60

80

100

1 50 100 150 200 250 300 350 400








precisionCk TPCk

TPCk + FPCk

(2)



recallCk TPCk

TPCk + FNCk

(3)









4

4

63

43

267

7

















50 8553 8031 6771 9289 9169 6887 9198 8963 6706100 8610 8515 6951 9303 9202 6946 9223 9132 6785150 8545 8317 7069 939 9245 7049 9279 9133 6926200 8598 8304 7851 9395 9271 8496 9295 9152 8388250 8558 8283 7829 9400 9263 8490 9288 9144 8378300 8553 8128 7821 9415 9283 8495 9301 9113 8391350 8505 8130 7386 9373 9249 7979 9265 9093 7850400 9255 8849 7924 9756 9613 9367 9744 9601 9340450 9222 9048 8009 9753 9608 9417 9742 9604 9400500 9241 9094 7979 9751 9663 9397 9739 9664 9376


09

091

092

093

094

095

096

097

098

100 200 300 400 500

2-gram3-gram








06

065

07

075

08

085

09

095

100 200 300 400 500

RFNBSVM


067

072

077

082

087

092

097

100 200 300 400 500

RFNBSVM


09

091

092

093

094

095

096

097

098

100 200 300 400 500

2-gram3-gram


06

065

07

075

08

085

09

095

100 200 300 400 500

2-gram3-gram




Data Availability




Acknowledgments


References



















































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia










2 Related Works


























Host machine(i)

(ii)

(iii)

IP 192168196



INetSimserver

Sandboxcontroller

QEMUmonitor




Virtual bridge

enp0s3

eth0












benigns)


Sandboxexecution


modelgeneration


Classification

Classification

Label of ELF files


LightAidra label

Mirai label

Gafgyt label

Dofloo label

Benign label


TP-linkenvironment

sandbox

D-linkenvironment

sandbox

Netgearenvironment

sandbox

Netgearsystem files

Wrtenvironment

sandbox

Wrtsystem files

Others


system filesD-link

system files



Sandbox controller






X2(D t c) 1113944

etisin 01

1113944ecisin 01

Netecminus Eetec

1113872 11138732

Eetec

(1)




5 Experiments















1058

788

239157

981


100

1955

368 142 057 018 01 003 00010

20

40

60

80

100

1 50 100 150 200 250 300 350 400








precisionCk TPCk

TPCk + FPCk

(2)



recallCk TPCk

TPCk + FNCk

(3)









4

4

63

43

267

7

















50 8553 8031 6771 9289 9169 6887 9198 8963 6706100 8610 8515 6951 9303 9202 6946 9223 9132 6785150 8545 8317 7069 939 9245 7049 9279 9133 6926200 8598 8304 7851 9395 9271 8496 9295 9152 8388250 8558 8283 7829 9400 9263 8490 9288 9144 8378300 8553 8128 7821 9415 9283 8495 9301 9113 8391350 8505 8130 7386 9373 9249 7979 9265 9093 7850400 9255 8849 7924 9756 9613 9367 9744 9601 9340450 9222 9048 8009 9753 9608 9417 9742 9604 9400500 9241 9094 7979 9751 9663 9397 9739 9664 9376


09

091

092

093

094

095

096

097

098

100 200 300 400 500

2-gram3-gram








06

065

07

075

08

085

09

095

100 200 300 400 500

RFNBSVM


067

072

077

082

087

092

097

100 200 300 400 500

RFNBSVM


09

091

092

093

094

095

096

097

098

100 200 300 400 500

2-gram3-gram


06

065

07

075

08

085

09

095

100 200 300 400 500

2-gram3-gram




Data Availability




Acknowledgments


References



















































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia





















Host machine(i)

(ii)

(iii)

IP 192168196



INetSimserver

Sandboxcontroller

QEMUmonitor




Virtual bridge

enp0s3

eth0












benigns)


Sandboxexecution


modelgeneration


Classification

Classification

Label of ELF files


LightAidra label

Mirai label

Gafgyt label

Dofloo label

Benign label


TP-linkenvironment

sandbox

D-linkenvironment

sandbox

Netgearenvironment

sandbox

Netgearsystem files

Wrtenvironment

sandbox

Wrtsystem files

Others


system filesD-link

system files



Sandbox controller






X2(D t c) 1113944

etisin 01

1113944ecisin 01

Netecminus Eetec

1113872 11138732

Eetec

(1)




5 Experiments















1058

788

239157

981


100

1955

368 142 057 018 01 003 00010

20

40

60

80

100

1 50 100 150 200 250 300 350 400








precisionCk TPCk

TPCk + FPCk

(2)



recallCk TPCk

TPCk + FNCk

(3)









4

4

63

43

267

7

















50 8553 8031 6771 9289 9169 6887 9198 8963 6706100 8610 8515 6951 9303 9202 6946 9223 9132 6785150 8545 8317 7069 939 9245 7049 9279 9133 6926200 8598 8304 7851 9395 9271 8496 9295 9152 8388250 8558 8283 7829 9400 9263 8490 9288 9144 8378300 8553 8128 7821 9415 9283 8495 9301 9113 8391350 8505 8130 7386 9373 9249 7979 9265 9093 7850400 9255 8849 7924 9756 9613 9367 9744 9601 9340450 9222 9048 8009 9753 9608 9417 9742 9604 9400500 9241 9094 7979 9751 9663 9397 9739 9664 9376


09

091

092

093

094

095

096

097

098

100 200 300 400 500

2-gram3-gram








06

065

07

075

08

085

09

095

100 200 300 400 500

RFNBSVM


067

072

077

082

087

092

097

100 200 300 400 500

RFNBSVM


09

091

092

093

094

095

096

097

098

100 200 300 400 500

2-gram3-gram


06

065

07

075

08

085

09

095

100 200 300 400 500

2-gram3-gram




Data Availability




Acknowledgments


References



















































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia











benigns)


Sandboxexecution


modelgeneration


Classification

Classification

Label of ELF files


LightAidra label

Mirai label

Gafgyt label

Dofloo label

Benign label


TP-linkenvironment

sandbox

D-linkenvironment

sandbox

Netgearenvironment

sandbox

Netgearsystem files

Wrtenvironment

sandbox

Wrtsystem files

Others


system filesD-link

system files



Sandbox controller






X2(D t c) 1113944

etisin 01

1113944ecisin 01

Netecminus Eetec

1113872 11138732

Eetec

(1)




5 Experiments















1058

788

239157

981


100

1955

368 142 057 018 01 003 00010

20

40

60

80

100

1 50 100 150 200 250 300 350 400








precisionCk TPCk

TPCk + FPCk

(2)



recallCk TPCk

TPCk + FNCk

(3)









4

4

63

43

267

7

















50 8553 8031 6771 9289 9169 6887 9198 8963 6706100 8610 8515 6951 9303 9202 6946 9223 9132 6785150 8545 8317 7069 939 9245 7049 9279 9133 6926200 8598 8304 7851 9395 9271 8496 9295 9152 8388250 8558 8283 7829 9400 9263 8490 9288 9144 8378300 8553 8128 7821 9415 9283 8495 9301 9113 8391350 8505 8130 7386 9373 9249 7979 9265 9093 7850400 9255 8849 7924 9756 9613 9367 9744 9601 9340450 9222 9048 8009 9753 9608 9417 9742 9604 9400500 9241 9094 7979 9751 9663 9397 9739 9664 9376


09

091

092

093

094

095

096

097

098

100 200 300 400 500

2-gram3-gram








06

065

07

075

08

085

09

095

100 200 300 400 500

RFNBSVM


067

072

077

082

087

092

097

100 200 300 400 500

RFNBSVM


09

091

092

093

094

095

096

097

098

100 200 300 400 500

2-gram3-gram


06

065

07

075

08

085

09

095

100 200 300 400 500

2-gram3-gram




Data Availability




Acknowledgments


References



















































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia





X2(D t c) 1113944

etisin 01

1113944ecisin 01

Netecminus Eetec

1113872 11138732

Eetec

(1)




5 Experiments















1058

788

239157

981


100

1955

368 142 057 018 01 003 00010

20

40

60

80

100

1 50 100 150 200 250 300 350 400








precisionCk TPCk

TPCk + FPCk

(2)



recallCk TPCk

TPCk + FNCk

(3)









4

4

63

43

267

7

















50 8553 8031 6771 9289 9169 6887 9198 8963 6706100 8610 8515 6951 9303 9202 6946 9223 9132 6785150 8545 8317 7069 939 9245 7049 9279 9133 6926200 8598 8304 7851 9395 9271 8496 9295 9152 8388250 8558 8283 7829 9400 9263 8490 9288 9144 8378300 8553 8128 7821 9415 9283 8495 9301 9113 8391350 8505 8130 7386 9373 9249 7979 9265 9093 7850400 9255 8849 7924 9756 9613 9367 9744 9601 9340450 9222 9048 8009 9753 9608 9417 9742 9604 9400500 9241 9094 7979 9751 9663 9397 9739 9664 9376


09

091

092

093

094

095

096

097

098

100 200 300 400 500

2-gram3-gram








06

065

07

075

08

085

09

095

100 200 300 400 500

RFNBSVM


067

072

077

082

087

092

097

100 200 300 400 500

RFNBSVM


09

091

092

093

094

095

096

097

098

100 200 300 400 500

2-gram3-gram


06

065

07

075

08

085

09

095

100 200 300 400 500

2-gram3-gram




Data Availability




Acknowledgments


References



















































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia












1058

788

239157

981


100

1955

368 142 057 018 01 003 00010

20

40

60

80

100

1 50 100 150 200 250 300 350 400








precisionCk TPCk

TPCk + FPCk

(2)



recallCk TPCk

TPCk + FNCk

(3)









4

4

63

43

267

7

















50 8553 8031 6771 9289 9169 6887 9198 8963 6706100 8610 8515 6951 9303 9202 6946 9223 9132 6785150 8545 8317 7069 939 9245 7049 9279 9133 6926200 8598 8304 7851 9395 9271 8496 9295 9152 8388250 8558 8283 7829 9400 9263 8490 9288 9144 8378300 8553 8128 7821 9415 9283 8495 9301 9113 8391350 8505 8130 7386 9373 9249 7979 9265 9093 7850400 9255 8849 7924 9756 9613 9367 9744 9601 9340450 9222 9048 8009 9753 9608 9417 9742 9604 9400500 9241 9094 7979 9751 9663 9397 9739 9664 9376


09

091

092

093

094

095

096

097

098

100 200 300 400 500

2-gram3-gram








06

065

07

075

08

085

09

095

100 200 300 400 500

RFNBSVM


067

072

077

082

087

092

097

100 200 300 400 500

RFNBSVM


09

091

092

093

094

095

096

097

098

100 200 300 400 500

2-gram3-gram


06

065

07

075

08

085

09

095

100 200 300 400 500

2-gram3-gram




Data Availability




Acknowledgments


References



















































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia


precisionCk TPCk

TPCk + FPCk

(2)



recallCk TPCk

TPCk + FNCk

(3)









4

4

63

43

267

7

















50 8553 8031 6771 9289 9169 6887 9198 8963 6706100 8610 8515 6951 9303 9202 6946 9223 9132 6785150 8545 8317 7069 939 9245 7049 9279 9133 6926200 8598 8304 7851 9395 9271 8496 9295 9152 8388250 8558 8283 7829 9400 9263 8490 9288 9144 8378300 8553 8128 7821 9415 9283 8495 9301 9113 8391350 8505 8130 7386 9373 9249 7979 9265 9093 7850400 9255 8849 7924 9756 9613 9367 9744 9601 9340450 9222 9048 8009 9753 9608 9417 9742 9604 9400500 9241 9094 7979 9751 9663 9397 9739 9664 9376


09

091

092

093

094

095

096

097

098

100 200 300 400 500

2-gram3-gram








06

065

07

075

08

085

09

095

100 200 300 400 500

RFNBSVM


067

072

077

082

087

092

097

100 200 300 400 500

RFNBSVM


09

091

092

093

094

095

096

097

098

100 200 300 400 500

2-gram3-gram


06

065

07

075

08

085

09

095

100 200 300 400 500

2-gram3-gram




Data Availability




Acknowledgments


References



















































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia













50 8553 8031 6771 9289 9169 6887 9198 8963 6706100 8610 8515 6951 9303 9202 6946 9223 9132 6785150 8545 8317 7069 939 9245 7049 9279 9133 6926200 8598 8304 7851 9395 9271 8496 9295 9152 8388250 8558 8283 7829 9400 9263 8490 9288 9144 8378300 8553 8128 7821 9415 9283 8495 9301 9113 8391350 8505 8130 7386 9373 9249 7979 9265 9093 7850400 9255 8849 7924 9756 9613 9367 9744 9601 9340450 9222 9048 8009 9753 9608 9417 9742 9604 9400500 9241 9094 7979 9751 9663 9397 9739 9664 9376


09

091

092

093

094

095

096

097

098

100 200 300 400 500

2-gram3-gram








06

065

07

075

08

085

09

095

100 200 300 400 500

RFNBSVM


067

072

077

082

087

092

097

100 200 300 400 500

RFNBSVM


09

091

092

093

094

095

096

097

098

100 200 300 400 500

2-gram3-gram


06

065

07

075

08

085

09

095

100 200 300 400 500

2-gram3-gram




Data Availability




Acknowledgments


References



















































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia







06

065

07

075

08

085

09

095

100 200 300 400 500

RFNBSVM


067

072

077

082

087

092

097

100 200 300 400 500

RFNBSVM


09

091

092

093

094

095

096

097

098

100 200 300 400 500

2-gram3-gram


06

065

07

075

08

085

09

095

100 200 300 400 500

2-gram3-gram




Data Availability




Acknowledgments


References



















































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



Data Availability




Acknowledgments


References



















































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia






















RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia


a novel framework to classify malware in mips architecture...

Documents