ShellCore: Automating Malicious IoT Software Detection by Using Shell Commands Representation
Hisham Alasmary, Afsah Anwar, Ahmed Abusnaina, Abdulrahman Alabduljabbar, Mohammad Abuhamad, An Wang, DaeHun Nyang, Amro Awad, David Mohaisen

TL;DR
This paper introduces ShellCore, a neural network-based system that detects malicious Linux shell commands in IoT malware with over 99% accuracy, enhancing security for IoT devices.
Contribution
It presents the first comprehensive analysis of malicious shell commands in IoT malware and develops a high-accuracy detection model using deep learning techniques.
Findings
ShellCore achieves over 99% accuracy in detecting malicious commands.
The dataset includes malicious commands from 2,891 IoT malware samples.
Deep learning models outperform traditional approaches in this context.
Abstract
The Linux shell is a command-line interpreter that provides users with a command interface to the operating system, allowing them to perform a variety of functions. Although very useful in building capabilities at the edge, the Linux shell can be exploited, giving adversaries a prime opportunity to use it for malicious activities. With access to IoT devices, malware authors can abuse the Linux shell of those devices to propagate infections and launch large-scale attacks, e.g., DDoS. In this work, we provide a first look at shell commands used in Linux-based IoT malware towards detection. We analyze malicious shell commands found in IoT malware and build a neural network-based model, ShellCore, to detect malicious shell commands. Namely, we collected a large dataset of shell commands, including malicious commands extracted from 2,891 IoT malware samples and benign commands collected…
