查看文章

IoT malware that infects IoT devices is rampant. Most IoT malware variants are generated by changing various behaviors such as an attack method based on existing malware families. Nearly all antivirus software only identifies the malware family's name; thus, we cannot acquire further details about differences between malware behaviors. In this paper, we propose a graph-based method for confirming differences in malware behaviors and investigating the actual conditions of malware variants. The proposed method first extracts a sequence of function calls from a binary file of malware and represents the sequence to a directed graph, which we refer to as a function call sequence graph (FCSG). Next, the method automatically checks if the FCSG matches signature-FCSGs, which are manually generated as small-scale FCSGs representing malicious behaviors of known malware such as a function of attacks and …