An Advanced Computing Approach for IoT-Botnet Detection in Industrial Internet of Things

In the last few years, attackers have been shifting aggressively to IoT devices in the industrial Internet of Things (IIoT). In particular, the IoT botnet has been emerging as the most urgent issue in IoT security. The main approaches for IoT botnet detection are static, dynamic, and hybrid analysis. Static analysis is the process of parsing files without executing them, while dynamic analysis, in contrast, executes them in a controlled and monitored environment (i.e., sandbox, simulator, and emulator) to record system changes for further investigation. In this article, we present a novel and advanced method for IoT botnet detection that uses dynamic analysis to improve graph-based features, which are generated based on static analysis. Specifically, dynamic analysis is used to collect printable string information that appears during the execution of the samples. We then use the printable string information to effectively traverse the graph obtained from static analysis, ultimately acquiring graph-based features that can distinguish benign and malicious samples. To estimate the efficacy and superiority of the proposed hybrid approach, we conduct experiments on a dataset of 8330 executable samples, including 5531 IoT botnet samples and 2799 IoT benign samples. Our approach achieves an accuracy of 98.1% and 91.99% for detecting and classifying IoT botnets, respectively. These results show that our approach outperforms other existing contemporary counterpart methods in terms of accuracy and complexity. In addition, our experiments demonstrate that hybrid graph-based features for IoT botnet family classification can further improve on the performance of static or dynamic features used individually.

Keywords: iot botnet; analysis; botnet detection; approach; botnet

Journal Title: IEEE Transactions on Industrial Informatics
Year Published: 2022
