2023
A Practical Attack on the TLSH Similarity Digest Scheme
G. Fuchs and R. Nagy and L. Buttyán
ARES '23: Proceedings of the 18th International Conference on Availability, Reliability and Security, 2023.
Bibtex
| Abstract
| PDF
| Link
@inproceedings {
author = {Gabor Fuchs and Roland Nagy and Levente Buttyán},
title = {A Practical Attack on the TLSH Similarity Digest Scheme},
booktitle = {ARES '23: Proceedings of the 18th International Conference on Availability, Reliability and Security},
year = {2023},
howpublished = "\url{https://dl.acm.org/doi/10.1145/3600160.3600173}"
}
Keywords
Similarity digest schemes, locality sensitive hashing, TLSH, similarity- based malware detection
Abstract
Similarity digest schemes are used in various applications (e.g., digital forensics, spam filtering, malware clustering, and malware detection), which require them to be resistant to attacks aiming at generating semantically similar inputs that have very different similarity digest values. In this paper, we show that TLSH, a widely used similarity digest function, is not sufficiently robust against such attacks. More specifically, we propose an automated method for modifying executable files (binaries), such that the modified binary has the exact same functionality as the original one, it also remains syntactically similar to the original one, yet, the TLSH difference score between the original and the modified binaries be- comes high. We evaluate our method on a large data set containing malware binaries, and we also show that it can be used effectively to generate adversarial samples that evade detection by SIMBIoTA, a recently proposed similarity-based malware detection approach.
Increasing the Robustness of a Machine Learning-based IoT Malware Detection Method with Adversarial Training
J. Sandor and R. Nagy and L. Buttyán
WiseML'23: Proceedings of the 2023 ACM Workshop on Wireless Security and Machine Learning, 2023.
Bibtex
| Abstract
| PDF
| Link
@inproceedings {
author = {Jozsef Sandor and Roland Nagy and Levente Buttyán},
title = {Increasing the Robustness of a Machine Learning-based IoT Malware Detection Method with Adversarial Training},
booktitle = {WiseML'23: Proceedings of the 2023 ACM Workshop on Wireless Security and Machine Learning},
year = {2023},
howpublished = "\url{https://dl.acm.org/doi/10.1145/3586209.3591401}"
}
Keywords
Internet-of-Things; malware detection; machine learning; adversarial examples; adversarial training
Abstract
We study the robustness of SIMBIoTA-ML, a recently proposed machine learning-based IoT malware detection solution against adversarial samples. First, we propose two adversarial sample creation strategies that modify existing malware binaries by appending extra bytes to them such that those extra bytes are never executed, but they make the modified samples dissimilar to the original ones. We show that SIMBIoTA-ML is robust against the first strategy, but it can be misled by the second one. To overcome this problem, we propose to use adversarial training, i.e., to extend the training set of SIMBIoTA-ML with samples that are crafted by using the adversarial evasion strategies. We measure the detection accuracy of SIMBIoTA-ML trained on such an extended training set and show that it remains high both for the original malware samples and for the adversarial samples.
PATRIoTA: A Similarity-based IoT Malware Detection Method Robust Against Adversarial Samples
J. Sandor and R. Nagy and L. Buttyán
IEEE International Conference on Edge Computing and Communications (EDGE), 2023.
Bibtex
| Abstract
| PDF
| Link
@inproceedings {
author = {Jozsef Sandor and Roland Nagy and Levente Buttyán},
title = {PATRIoTA: A Similarity-based IoT Malware Detection Method Robust Against Adversarial Samples},
booktitle = {IEEE International Conference on Edge Computing and Communications (EDGE)},
year = {2023},
howpublished = "\url{https://ieeexplore.ieee.org/document/10234259}"
}
Keywords
Internet-of-Things; malware detection; binary similarity; locality-sensitive hashing; robustness against adver- sarial samples.
Abstract
Detecting malware targeting IoT devices has became an important challenge with the recent emergence of IoT botnets. Gateways at the edge between the Internet and IoT devices deployed in the field are particularly well-positioned for the task of malware detection, as malware typically spreads over the Internet and resource-constrained field devices may not have the means to protect themselves. Hence, we believe that, among other things, edge intelligence should also include effective and efficient IoT malware detection. A recently proposed similarity- based IoT malware detection method, called SIMBIoTA, would be suitable in this context, but its robustness against adversarial malware samples has been shown to be rather weak. In this paper, we propose PATRIoTA, a similarity-based IoT malware detection method inspired by SIMBIoTA, but being significantly more robust than SIMBIoTA is. We describe the operation of PATRIoTA, and compare its malware detection performance and robustness against adversarial samples to that of SIMBIoTA. We show that PATRIoTA outperforms SIMBIoTA with respect to both measures.
2022
SIMBIoTA++: Improved Similarity-based IoT Malware Detection
L. Buttyán and R. Nagy and D. Papp
IEEE 2nd Conference on Information Technology and Data Science (CITDS), 2022.
Bibtex
| Abstract
| PDF
| Link
@inproceedings {
author = {Levente Buttyán and Roland Nagy and Dorottya Papp},
title = {SIMBIoTA++: Improved Similarity-based IoT Malware Detection},
booktitle = {IEEE 2nd Conference on Information Technology and Data Science (CITDS)},
year = {2022},
howpublished = "\url{https://ieeexplore.ieee.org/abstract/document/9914145}"
}
Keywords
Internet of Things, malware detection, similarity hashing, graph theory, dominating set algorithm
Abstract
The Internet of Things is quickly developing and it enables exciting new applications, but at the same time, it also brings new security risks. In particular, embedded IoT devices may be subject to malware infection, undermining the trustworthiness of IoT systems. Malware detection on IoT devices is challenging due to their resource constraints, and antivirus tools developed for desktop PCs and servers are not directly applicable for them. In an earlier paper, we proposed a lightweight antivirus solution for IoT devices, called SIMBIoTA. In this paper, we propose SIMBIoTA++, an improvement on SIMBIoTA in terms of resource requirements. We also present a graph theory and measurement-based argument for selecting an appropriate similarity threshold, which is a key parameter in both SIMBIoTA and SIMBIoTA++.
SIMBIoTA-ML: Light-weight, Machine Learning-based Malware Detection for Embedded IoT Devices
D. Papp and G. Ács and R. Nagy and L. Buttyán
International Conference on Internet of Things, Big Data and Security (IoTBDS), 2022.
Bibtex
| Abstract
| PDF
@conference {
author = {Dorottya Papp and Gergely Ács and Roland Nagy and Levente Buttyán},
title = {SIMBIoTA-ML: Light-weight, Machine Learning-based Malware Detection for Embedded IoT Devices},
booktitle = {International Conference on Internet of Things, Big Data and Security (IoTBDS)},
year = {2022}
}
Keywords
IoT, embedded systems, malware detection, machine learning
Abstract
Embedded devices are increasingly connected to the Internet to provide new and innovative applications in many domains. However, these devices can also contain security vulnerabilities, which allow attackers to compromise them using malware. In this paper, we present SIMBIoTA-ML, a light-weight antivirus solution that enables embedded IoT devices to take advantage of machine learning-based malware detection. We show that SIMBIoTA-ML can respect the resource constraints of embedded IoT devices, and it has a true positive malware detection rate of ca. 95%, while having a low false positive detection rate at the same time. In addition, the detection process of SIMBIoTA-ML has a near-constant running time, which allows IoT developers to better estimate the delay introduced by scanning a file for malware, a property that is advantageous in real-time applications, notably in the domain of cyber-physical systems.
2021
Rootkit Detection on Embedded IoT Devices
R. Nagy and K. Németh and D. Papp and L. Buttyán
Acta Cybernetica, 2021.
Bibtex
| Abstract
| PDF
@article {
author = {Roland Nagy and Krisztián Németh and Dorottya Papp and Levente Buttyán},
title = {Rootkit Detection on Embedded IoT Devices},
journal = {Acta Cybernetica},
year = {2021}
}
Keywords
embedded systems, Internet of Things, security, malware
Abstract
IoT systems are subject to cyber attacks, including infecting embedded IoT devices with rootkits. Rootkits are malicious software that typically run with elevated privileges, which makes their detection challenging. In this paper, we address this challenge: we propose a rootkit detection approach for embedded IoT devices that takes advantage of a trusted execution environ- ment (TEE), which is often supported on popular IoT platforms, such as ARM based embedded boards. The TEE provides an isolated environment for our rootkit detection algorithms, and prevents the rootkit from interfering with their execution even if the rootkit has root privileges on the untrusted part of the IoT device. Our rootkit detection algorithms identify modifications made by the rootkit to the code of the operating system kernel, to system pro- grams, and to data influencing the control flow (e.g., hooking system calls), as well as inconsistencies created by the rootkit in certain kernel data struc- tures (e.g., those responsible to handle process related information). We also propose algorithms to detect rootkit components in the persistent storage of the device. Besides describing our approach and algorithms in details, we also report on a prototype implementation and on the evaluation of our design and implementation, which is based on testing our prototype with rootkits that we developed for this purpose.
T-RAID: TEE-based Remote Attestation for IoT Devices
R. Nagy and M. Bak and D. Papp and L. Buttyán
Euro-CYBERSEC, Nice, France, 2021.
Bibtex
| Abstract
| PDF
@conference {
author = {Roland Nagy and Marton Bak and Dorottya Papp and Levente Buttyán},
title = {T-RAID: TEE-based Remote Attestation for IoT Devices},
booktitle = {Euro-CYBERSEC, Nice, France},
year = {2021}
}
Keywords
Internet of Things, embedded systems, malware, remote attestation, Trusted Execution Environment
Abstract
The Internet of Things (IoT) consists of network-connected embedded devices that enable a multitude of new applications, but also create new risks. In particular, embedded IoT devices can be infected by malware. Operators of IoT systems not only need malware detection tools, but also scalable methods to reliably and remotely verify malware freedom of their IoT devices. In this paper, we address this problem by proposing T-RAID, a remote attestation scheme for IoT devices that takes advantage of the security guarantees provided by a Trusted Execution Environment running on each device.
2020
Rootkit Detection on Embedded IoT Devices
R. Nagy and L. Buttyán
Conference of PhD Students in Computer Science (CSCS), 2020.
Bibtex
| Abstract
| PDF
@conference {
author = {Roland Nagy and Levente Buttyán},
title = {Rootkit Detection on Embedded IoT Devices},
booktitle = {Conference of PhD Students in Computer Science (CSCS)},
year = {2020}
}
Abstract
Rootkits are malicious programs that try to maintain their presence on infected computers while remaining invisible. They have been used to attack traditional computers (PCs and servers), but they may also target embedded IoT devices. In this work, we propose a rootkit detection approach for such embedded IoT devices, where the detection mechanism is executed in an isolated execution environment that protects it from manipulation by the rootkit. Our rootkit detection approach is focused on detecting Direct Kernel Object Manipu- lation (DKOM) and it is based on detecting inconsistencies caused by the presence of a rootkit in various Linux kernel data structures such as the process list, the process tree, and different scheduling queues. We also report on the current status of our implementation using OP-TEE, an open source Trusted Execution Environment.