
Research On Key Technologies Of IoT Threat Intelligence Mining Based On Malware Analysis

Posted on: 2022-02-13 | Degree: Master | Type: Thesis
Country: China | Candidate: Y Zhang | Full Text: PDF
GTID: 2518306527483134 | Subject: Computer Science and Technology
Abstract/Summary:
In order to deal with the increasingly severe Internet of Things (IoT) malware attacks, it is necessary to conduct detailed analysis of the malware and obtain effective threat intelligence, thereby enhancing the detection and early warning capabilities against IoT attacks. This article is oriented to the needs of IoT threat intelligence and researches key technologies of threat intelligence mining from the perspectives of malware analysis and lightweight IoT abnormal traffic detection. The main work and innovations of this article are summarized as follows:

(1) In view of the low detection rate of IoT malicious samples, the complex architectures of IoT malware, the difficulty of extracting benign samples for training, and the time- and resource-consuming nature of dynamic analysis and detection, an ensemble learning based IoT malware classification (ELIMC) algorithm is proposed. Firstly, with the help of static analysis tools, the universal static features of the Executable and Linkable Format (ELF) and the opcodes of samples from different architectures are extracted. Secondly, in the malware classification stage, in view of the lack of precision of traditional classifiers when classifying relatively small family samples, the ensemble learning based IoT malware classification algorithm integrates traditional classifiers together and calculates the confidence of the classification results according to the precision of each classifier on each family, so as to obtain the final classification result. Finally, experimental results show that the proposed ELIMC algorithm can effectively classify and identify large-scale IoT malware, and significantly improves the classification precision for malware families with a relatively small proportion of samples. On the basis of this research on the classification of IoT malware, an ELIMC based IoT malware threat intelligence generation (ELIMC-IMTIG) method is proposed. The ELIMC-IMTIG method combines static analysis, dynamic analysis and regular expression search to effectively extract threat indicators from IoT malware and generate threat intelligence in the STIX standard format. Finally, an example of threat intelligence generated using the ELIMC-IMTIG method is given, and its value is analyzed in detail.

(2) Aiming at the objective problem of insufficient resources for anomaly detection in the smart home IoT, a kernel density estimation-based lightweight IoT anomaly traffic detection (KDE-LIATD) algorithm is proposed. Firstly, the KDE-LIATD algorithm uses Gaussian kernel density estimation to estimate the probability density function, and the corresponding probability density, of each dimension's feature values over the normal samples in the training set. Then, a kernel density estimation-based feature selection algorithm (KDE-FS) is proposed to obtain the features that contribute significantly to anomaly detection, thereby reducing the feature dimension while improving the accuracy of anomaly detection. Finally, the cubic spline interpolation method is used to calculate the anomaly evaluation value of a test sample and perform anomaly detection. This strategy greatly reduces the computational and storage overhead that computing the anomaly evaluation value of a test sample directly with the kernel density estimation method would require. Simulation experiment results show that the KDE-LIATD algorithm is robust and compatible with anomaly traffic detection for heterogeneous IoT devices, and can effectively detect abnormal traffic in smart home IoT botnets. On the basis of this research on the detection of IoT abnormal traffic, an IoT abnormal traffic threat intelligence generation (IATTIG) method is proposed. The IATTIG method classifies the main content of the abnormal traffic of an IoT botnet according to protocol. By analyzing the IoT abnormal traffic, the cyber observable objects in each protocol are extracted, and IoT abnormal traffic threat intelligence in STIX format is generated. Finally, an example of threat intelligence generated using the IATTIG method is given, and its application value in detecting and warning of IoT cyber threats is discussed in detail.
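The lightweight scoring step of KDE-LIATD described in (2), as an added example that is not code from the thesis: for one feature dimension, a Gaussian KDE is fitted to the normal samples, tabulated once on a grid, and replaced by a natural cubic spline so that scoring a test value no longer requires a kernel sum over the whole training set. The packet-size training data, the bandwidth h=4.0, the 64-point grid and the negative-log-density score are assumptions of this example; the KDE-FS feature selection step is not shown.

```python
import bisect
import math

# Constructed training data (not from the thesis): packet sizes in bytes seen from one smart-home
# device during normal operation, i.e. the "normal samples" of a single feature dimension.
NORMAL_SIZES = [60, 62, 64, 64, 66, 66, 66, 68, 70, 72, 74, 74, 76, 78, 80, 82, 84, 86, 90, 96]

def kde_density(samples, h, x):
    """Gaussian kernel density estimate at x with bandwidth h: O(n) kernel evaluations per query."""
    n = len(samples)
    return sum(math.exp(-0.5 * ((x - s) / h) ** 2) for s in samples) / (n * h * math.sqrt(2 * math.pi))

def natural_cubic_spline(xs, ys):
    """Return an evaluator for the natural cubic spline through (xs, ys); xs must be increasing."""
    n = len(xs)
    hs = [xs[i + 1] - xs[i] for i in range(n - 1)]
    # Tridiagonal system for the second derivatives m (natural spline: m[0] = m[n-1] = 0).
    a, b, c, d = [0.0] * n, [1.0] * n, [0.0] * n, [0.0] * n
    for i in range(1, n - 1):
        a[i], b[i], c[i] = hs[i - 1], 2 * (hs[i - 1] + hs[i]), hs[i]
        d[i] = 6 * ((ys[i + 1] - ys[i]) / hs[i] - (ys[i] - ys[i - 1]) / hs[i - 1])
    for i in range(1, n):  # forward elimination (Thomas algorithm)
        w = a[i] / b[i - 1]
        b[i] -= w * c[i - 1]
        d[i] -= w * d[i - 1]
    m = [0.0] * n
    for i in range(n - 2, -1, -1):  # back substitution; m[n-1] stays 0
        m[i] = (d[i] - c[i] * m[i + 1]) / b[i]

    def evaluate(x):
        i = min(max(bisect.bisect_right(xs, x) - 1, 0), n - 2)  # O(log grid) interval lookup
        h, t, u = hs[i], xs[i + 1] - x, x - xs[i]
        return ((m[i] * t ** 3 + m[i + 1] * u ** 3) / (6 * h)
                + (ys[i] / h - m[i] * h / 6) * t + (ys[i + 1] / h - m[i + 1] * h / 6) * u)
    return evaluate

def build_detector(samples, h, grid_points=64):
    """Tabulate the KDE once on a grid covering the normal samples (plus 3h margin) and fit a spline."""
    lo, hi = min(samples) - 3 * h, max(samples) + 3 * h
    xs = [lo + (hi - lo) * k / (grid_points - 1) for k in range(grid_points)]
    return natural_cubic_spline(xs, [kde_density(samples, h, x) for x in xs]), (lo, hi)

def anomaly_score(spline, bounds, x):
    """Anomaly evaluation value: negative log density; values outside the tabulated range are
    treated as zero density (maximally anomalous), and a floor keeps the log finite."""
    lo, hi = bounds
    density = spline(x) if lo <= x <= hi else 0.0
    return -math.log(max(density, 1e-12))
```

Building the detector with `build_detector(NORMAL_SIZES, h=4.0)` and scoring packet sizes 70, 105 and 150 yields increasing anomaly scores, while the spline agrees with the direct KDE sum inside the tabulated range.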
Keywords/Search Tags:Internet of Things, Malware classification, Abnormal traffic detection, Threat intelligence, Data mining