HSAS-MD Analyzer: A Hybrid Security Analysis System Using Model-Checking Technique and Deep Learning for Malware Detection in IoT Apps
Abstract
1. Introduction
- HSAS-MD is a new SAS, continuously developed as a security compiler tool that acts as a protective shield to detect malware. It depends on program analysis (PA) of the IoT app, which may automatically verify app behavior.
- HSAS-MD performs a hybrid analysis of IoT apps, extracting static and dynamic features based on model-checking techniques. It also uses deep learning to discover and classify new malware, providing security, safety, and privacy by detecting any abnormal behavior.
- HSAS-MD's performance is evaluated by applying the proposed analyzer after enhancing the CNN. Its results were compared with those of similar SASs, and HSAS-MD gave the best accuracy, precision, recall, and F-measure results.
2. Background and Basic Concepts
2.1. Security Analysis Systems (SAS) for IoT
2.1.1. Model-Checking Technique (MCT)
2.1.2. Control Flow Graph (CFG)
2.2. SmartThings Platform
2.3. Deep Learning (DL) for IoT Security
3. Related Works and Research Goals
3.1. Related Work
3.2. Research Scope and Objectives of the Proposed Analyzer
3.3. The Trigger/Actions in the Smart Home Apps’ “Third-Party App”
- Triggers (Th): Cyber or physical events that devices transmit to the smart home, such as the activation of a motion sensor, and that trigger the rules;
- Conditions (Ch): Logical predicates evaluated on the current status of the devices to decide whether a rule applies. For example, a rule runs only if the system is in “home” mode;
- Actions (Ah): When the conditions are satisfied, the rule changes the state of one or more devices, leading to a physical change, such as the activation of a light switch.
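The trigger/condition/action structure above, shown as an added example (not code from the paper or from HSAS-MD): it evaluates a rule against an event and device state, then statically flags pairs of rules that can fire on the same event and write different values to the same device attribute. The `Rule` class, the function names, the shortened slot values, and the `LockOnMotion` and `RelockOnMotion` rules are assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Optional

# A slot is (capability, attribute, value); value None means "no value" (any).
Slot = tuple[str, str, Optional[str]]


@dataclass(frozen=True)
class Rule:
    app: str
    trigger: Slot               # event that starts the rule
    condition: Optional[Slot]   # predicate on device state; None = unconditional
    action: Slot                # state change the rule performs


def matches(slot: Slot, cap: str, attr: str, value: Optional[str]) -> bool:
    return slot[0] == cap and slot[1] == attr and slot[2] in (None, value)


def fire(rule: Rule, event: Slot, state: dict) -> Optional[Slot]:
    """Return the rule's action if `event` triggers it and its condition
    holds in `state` ({(capability, attribute): value}); otherwise None."""
    if not matches(rule.trigger, *event):
        return None
    if rule.condition is not None:
        cap, attr, _ = rule.condition
        if not matches(rule.condition, cap, attr, state.get((cap, attr))):
            return None
    return rule.action


def same_event(t1: Slot, t2: Slot) -> bool:
    """Can a single event satisfy both triggers?"""
    return t1[:2] == t2[:2] and (None in (t1[2], t2[2]) or t1[2] == t2[2])


def compatible(c1: Optional[Slot], c2: Optional[Slot]) -> bool:
    """Can both conditions hold in the same device state?"""
    if c1 is None or c2 is None or c1[:2] != c2[:2]:
        return True
    return None in (c1[2], c2[2]) or c1[2] == c2[2]


def find_conflicts(rules):
    """Pairs of rules that can fire together and write different values
    to the same device attribute."""
    found = []
    for r1, r2 in combinations(rules, 2):
        if (r1.action[:2] == r2.action[:2] and r1.action[2] != r2.action[2]
                and same_event(r1.trigger, r2.trigger)
                and compatible(r1.condition, r2.condition)):
            found.append((r1.app, r2.app, r1.action[:2]))
    return found


# Constructed sample rules. The first and third follow the shape of rule-model
# rows for SmartThings apps with shortened identifiers; the other two are
# hypothetical rules added to exercise the checks.
RULES = [
    Rule("MotionTriggersLock", ("motionSensor", "motion", "active"),
         ("lock", "lock", "locked"), ("lock", "lock", "unlocked")),
    Rule("LockOnMotion", ("motionSensor", "motion", None),
         None, ("lock", "lock", "locked")),
    Rule("UnlockitWhenitOpens", ("contactSensor", "contact", None),
         ("contactSensor", "contact", "open"), ("lock", "lock", "unlocked")),
    # Opposite action to MotionTriggersLock, but the two conditions on the
    # lock state are mutually exclusive, so the pair is not reported.
    Rule("RelockOnMotion", ("motionSensor", "motion", "active"),
         ("lock", "lock", "unlocked"), ("lock", "lock", "locked")),
]

if __name__ == "__main__":
    for a, b, target in find_conflicts(RULES):
        print(f"conflict on {target}: {a} vs {b}")
```

The pairwise check is a conservative syntactic approximation over single-slot triggers and conditions; it does not explore chains of rules, which is what a model checker over the full state space adds.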
4. The Proposed Hybrid Security Analysis System Based on the Model-Checking Technique and Deep Learning (HSAS-MD Analyzer)
- Static analysis: Convert the code to IR, extract the AST, and build the ICFG to produce the state model, then convert the state model to the rule-model form.
- Dynamic analysis: Extract the DGR to build the CFG.
4.1. Static Analysis Phase in the Proposed HSAS-MD
4.2. Dynamic Analysis Phase in the Proposed HSAS-MD
4.3. Rule-Model Phase in the Proposed HSAS-MD
4.4. Deep-Learning (DL) Phase in the Proposed HSAS-MD
4.5. Filtration Phase in the Proposed HSAS-MD
4.6. Model-Checking Technique in the Proposed HSAS-MD
5. Implementation, Evaluation, and Discussion of HSAS-MD
5.1. Description of Tools Used
5.2. Implementation of the Proposed HSAS-MD
5.2.1. Extracting Rule Model from Static Analysis
5.2.2. Testing the Deep-Learning “CNN Model”
5.3. Evaluation Metrics
- Accuracy (ACC) is the ratio representing the number of correctly identified analyzers.
- Precision (PRC) is the number of accurately predicted true positives.
- Recall (RCL) is the ratio of correctly identified malware relative to the total quantity of malware.
- F-Measure (F-MS) is the ratio that reflects a mixture of accuracy and the recall efficiency of the system.
5.4. Evaluation of the Proposed Analyzer
- RQ1. What is the accuracy, precision, recall, and F-measure of the proposed HSAS-MD compared to other analyzers?
- RQ2. What is the performance, according to the analysis time, to detect abnormal behavior?
- RQ3. What is the performance according to analysis type (static, dynamic, and hybrid) in the SAS?
- RQ4. What is the best static analysis phase to use (state model, rule model, and hybrid model that combines state and rule)?
- RQ5. What is the verification time of CNN for detecting conflict rules?
6. Conclusions, Limitations, and Future Research Trends
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Conflicts of Interest
Abbreviations
Symbol | Description |
---|---|
APP | Application |
AST | Abstract Syntax Tree |
BCE | Binary Cross-Entropy |
CFG | Control Flow Graph |
CNN | Convolutional Neural Networks |
DCR | Device Capability Reference |
DGR | Dependency Graph Representation |
DL | Deep Learning |
ICFG | Inter-procedural control flow graph |
IR | Intermediate Representation |
MCT | Model-Checking Technique |
PA | Program Analysis |
SAS | Security Analysis Systems |
LTL | Linear Temporal Logic |
CTL | Computing Tree Logic |
SMT | Satisfiability Modulo Theories |
References
- Al-Garadi, M.A.; Mohamed, A.; Al-Ali, A.K.; Du, X.; Ali, I.; Guizani, M. A survey of machine and deep learning methods for internet of things (IoT) security. IEEE Commun. Surv. Tutor. 2020, 22, 1646–1685.
- Atlam, H.F.; Wills, G.B. IoT security, privacy, safety and ethics. In Digital Twin Technologies and Smart Cities 2020; Springer: Cham, Switzerland, 2020; pp. 123–149.
- Sengupta, J.; Ruj, S.; Bit, S.D. A comprehensive survey on attacks, security issues and blockchain solutions for IoT and IIoT. J. Netw. Comput. Appl. 2020, 149, 102481.
- Nguyen, D.T.; Song, C.; Qian, Z.; Krishnamurthy, S.V.; Colbert, E.J.; McDaniel, P. IotSan: Fortifying the Safety of IoT Systems. In Proceedings of the 14th International Conference on Emerging Networking EXperiments and Technologies 2018, Heraklion, Greece, 4–7 December 2018; pp. 191–203.
- Celik, Z.B.; Fernandes, E.; Pauley, E.; Tan, G.; McDaniel, P. Program analysis of commodity IoT applications for security and privacy: Challenges and opportunities. ACM Comput. Surv. (CSUR) 2019, 52, 1–30.
- Alhanahnah, M.; Stevens, C.; Bagheri, H. Scalable Analysis of Interaction Threats in IoT Systems. In Proceedings of the 29th ACM SIGSOFT International Symposium on Software Testing and Analysis, Virtual Event, 18–22 July 2020; pp. 272–285.
- Wang, T.; Bhuiyan, M.Z.A.; Wang, G.; Qi, L.; Wu, J.; Hayajneh, T. Preserving balance between privacy and data integrity in edge-assisted Internet of Things. IEEE Internet Things J. 2019, 7, 2679–2689.
- Morgan, S. 2019 Cybersecurity almanac: 100 facts, figures, predictions and statistics. Cybercrime Magazine, 6 February 2019.
- Nobakht, M.; Sui, Y.; Seneviratne, A.; Hu, W. PGFit: Static permission analysis of health and fitness apps in IoT programming frameworks. J. Netw. Comput. Appl. 2020, 152, 102509.
- Celik, Z.B.; McDaniel, P.; Tan, G. Soteria: Automated Iot Safety and Security Analysis. In Proceedings of the 2018 USENIX Annual Technical Conference (USENIX ATC 18), Boston, MA, USA, 11–13 July 2018; pp. 147–158.
- Wang, Q.; Hassan, W.U.; Bates, A.; Gunter, C. Fear and Logging in the Internet of Things. In Proceedings of the Network and Distributed Systems Symposium, San Diego, CA, USA, 18–21 February 2018.
- Celik, Z.B.; Tan, G.; McDaniel, P.D. IoTGuard: Dynamic Enforcement of Security and Safety Policy in Commodity IoT. In Proceedings of the NDSS, San Diego, CA, USA, 24–27 February 2019.
- Tian, Y.; Zhang, N.; Lin, Y.H.; Wang, X.; Ur, B.; Guo, X.; Tague, P. Smartauth: User-Centered Authorization for the Internet of Things. In Proceedings of the 26th USENIX Security Symposium (USENIX Security 17), Vancouver, BC, Canada, 5 May 2017; pp. 361–378.
- Chen, J.; Diao, W.; Zhao, Q.; Zuo, C.; Lin, Z.; Wang, X.; Lau, W.C.; Sun, M.; Yang, R.; Zhang, K. IoTFuzzer: Discovering Memory Corruptions in IoT Through App-Based Fuzzing. In Proceedings of the NDSS, San Diego, CA, USA, 18–21 February 2018.
- Roundy, K.A.; Miller, B.P. Hybrid analysis and control of malware. In International Workshop on Recent Advances in Intrusion Detection; Springer: Berlin/Heidelberg, Germany, 2010; pp. 317–338.
- Community, S. Samsung Smartthings Applications. Available online: https://github.com/SmartThingsCommunity/SmartThingsPublic (accessed on 27 December 2021).
- Apple. HomeKit. Available online: https://developer.apple.com/homekit/ (accessed on 27 December 2021).
- Amazon. Alexa. Available online: https://developer.amazon.com/alexa (accessed on 27 December 2021).
- Alam, T. A reliable Communication Framework and Its Use in Internet of Things (IoT). SSRN 2018, 450–456.
- De Prado, A.G.; Ortiz, G.; Boubeta-Puig, J. CARED-SOA: A Context-Aware Event-Driven Service-Oriented Architecture. IEEE Access 2017, 5, 4646–4663.
- Su, T.; Fu, Z.; Pu, G.; He, J.; Su, Z. Combining symbolic execution and model checking for data flow testing. In Proceedings of the 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering, Florence, Italy, 16–24 May 2015; Volume 1, pp. 654–665.
- Souri, A.; Norouzi, M. A state-of-the-art survey on formal verification of the internet of things applications. J. Serv. Sci. Res. 2019, 11, 47–67.
- Aslan, Ö.A.; Samet, R. A comprehensive review on malware detection approaches. IEEE Access 2020, 8, 6249–6271.
- Clarke, E.M.; Henzinger, T.A.; Veith, H.; Bloem, R. (Eds.) Handbook of Model Checking; Springer: Cham, Switzerland, 2018; Volume 10.
- Jiang, L.; Rewcastle, R.; Denny, P.; Tempero, E. CompareCFG: Providing Visual Feedback on Code Quality Using Control Flow Graphs. In Proceedings of the 2020 ACM Conference on Innovation and Technology in Computer Science Education, Online, 17–19 June 2020; pp. 493–499.
- Das, M.; Lerner, S.; Seigle, M. ESP: Path-Sensitive Program Verification in Polynomial Time. In Proceedings of the ACM SIGPLAN 2002 Conference on Programming Language Design and Implementation, Berlin, Germany, 17–19 June 2002; pp. 57–68.
- Fernandes, E.; Jung, J.; Prakash, A. Security Analysis of Emerging Smart Home Applications. In Proceedings of the 2016 IEEE Symposium on Security and Privacy (SP), San Jose, CA, USA, 22–26 May 2016; pp. 636–654.
- Liu, J.; Shen, S.; Yue, G.; Han, R.; Li, H. A stochastic evolutionary coalition game model of secure and dependable virtual service in sensor-cloud. Appl. Soft Comput. 2015, 30, 123–135.
- Sun, P. Security and privacy protection in cloud computing: Discussions and challenges. J. Netw. Comput. Appl. 2020, 160, 102642.
- Amanullah, M.A.; Habeeb, R.A.A.; Nasaruddin, F.H.; Gani, A.; Ahmed, E.; Nainar, A.S.M.; Akim, N.M.; Imran, M. Deep learning and big data technologies for IoT security. Comput. Commun. 2020, 151, 495–517.
- Diro, A.A.; Chilamkurti, N. Distributed attack detection scheme using deep learning approach for Internet of Things. Future Gener. Comput. Syst. 2018, 82, 761–768.
- Al-Dujaili, A.; Huang, A.; Hemberg, E.; O’Reilly, U.M. Adversarial Deep Learning for Robust Detection of Binary Encoded Malware. In Proceedings of the 2018 IEEE Security and Privacy Workshops (SPW), San Francisco, CA, USA, 24 May 2018; pp. 76–82.
- Lopez-Martin, M.; Sanchez-Esguevillas, A.; Arribas, J.I.; Carro, B. Supervised contrastive learning over prototype-label embeddings for network intrusion detection. Inf. Fusion 2022, 79, 200–228.
- Lopez-Martin, M.; Sanchez-Esguevillas, A.; Arribas, J.I.; Carro, B. Network Intrusion Detection Based on Extended RBF Neural Network With Offline Reinforcement Learning. IEEE Access 2021, 9, 153153–153170.
- Kang, H.J.; Sim, S.Q.; Lo, D. IoTBox: Sandbox Mining to Prevent Interaction Threats in IoT Systems. In Proceedings of the 2021 14th IEEE Conference on Software Testing, Verification and Validation (ICST), Porto de Galinhas, Brazil, 12–16 April 2021; pp. 182–193.
- Moser, A.; Kruegel, C.; Kirda, E. Limits of Static Analysis for Malware Detection. In Proceedings of the Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007), Miami Beach, FL, USA, 10–14 December 2007; pp. 421–430.
- Wang, B.; Dou, Y.; Sang, Y.; Zhang, Y.; Huang, J. IoTCMal: Towards a Hybrid IoT Honeypot for Capturing and Analyzing Malware. In Proceedings of the ICC 2020-2020 IEEE International Conference on Communications (ICC), Virtual Conference, 7–11 June 2020; pp. 1–7.
- Islam, R.; Tian, R.; Batten, L.M.; Versteeg, S. Classification of malware based on integrated static and dynamic features. J. Netw. Comput. Appl. 2013, 36, 646–656.
- Gibert, D.; Mateu, C.; Planes, J. The rise of machine learning for detection and classification of malware: Research developments, trends and challenges. J. Netw. Comput. Appl. 2020, 153, 102526.
- Burnap, P.; French, R.; Turner, F.; Jones, K. Malware classification using self organizing feature maps and machine activity data. Comput. Secur. 2018, 73, 399–410.
- Hamza, A.A.; Abdel-Halim, I.T.; Sobh, M.A.; Bahaa-Eldin, A.M. A survey and taxonomy of program analysis for IoT platforms. Ain Shams Eng. J. 2021, 12, 3725–3736.
- Alasmary, H.; Abusnaina, A.; Jang, R.; Abuhamad, M.; Anwar, A.; Nyang, D.; Mohaisen, D. Soteria: Detecting Adversarial Examples in Control Flow Graph-Based Malware Classifiers. In Proceedings of the 2020 IEEE 40th International Conference on Distributed Computing Systems (ICDCS), Singapore, 29 November–1 December 2020; pp. 888–898.
- Fang, Z.; Fu, H.; Gu, T.; Qian, Z.; Jaeger, T.; Hu, P.; Mohapatra, P. A Model Checking-Based Security Analysis Framework for IoT Systems. High-Confid. Comput. 2021, 1, 100004.
- Liang, C.J.M.; Karlsson, B.F.; Lane, N.D.; Zhao, F.; Zhang, J.; Pan, Z.; Li, Z.; Yu, Y. SIFT: Building an Internet of Safe Things. In Proceedings of the 14th International Conference on Information Processing in Sensor Networks 2015, New York, NY, USA, 13–16 April 2015; pp. 298–309.
- Wang, Q.; Datta, P.; Yang, W.; Liu, S.; Bates, A.; Gunter, C.A. Charting the Attack Surface of Trigger-Action Iot Platforms. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, London, UK, 11–15 November 2019; pp. 1439–1453.
- Yu, Y.; Liu, J. TAPInspector: Safety and Liveness Verification of Concurrent Trigger-Action IoT Systems. arXiv 2021, arXiv:2102.01468.
- Sun, P.; Garcia, L.; Salles-Loustau, G.; Zonouz, S. Hybrid Firmware Analysis for Known Mobile and Iot Security Vulnerabilities. In Proceedings of the 2020 50th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), Valencia, Spain, 29 June–2 July 2020; pp. 373–384.
- Ibrhim, H.; Hassan, H.; Nabil, E. A conflicts’ classification for IoT-based services: A comparative survey. PeerJ Comput. Sci. 2021, 7, e480.
- Li, L.; Bissyandé, T.F.; Papadakis, M.; Rasthofer, S.; Bartel, A.; Octeau, D.; Klein, J.; Traon, L. Static analysis of android apps: A systematic literature review. Inf. Softw. Technol. 2017, 88, 67–95.
- Rocha, C.; Meseguer, J.; Muñoz, C. Rewriting modulo SMT and open system analysis. J. Log. Algebraic Methods Program. 2017, 86, 269–297.
- Pnueli, A. The Temporal Logic of Programs. In Proceedings of the 18th Annual Symposium on Foundations of Computer Science, Providence, RI, USA, 31 October–2 November 1977; pp. 46–57.
- Kim, Y. Convolutional Neural Networks for Sentence Classification. In Proceedings of the EMNLP, Doha, Qatar, 25 October 2014; pp. 1746–1751.
- Jin, R.; Lu, L.; Lee, J.; Usman, A. Multi-Representational convolutional neural networks for text classification. Comput. Intell. 2019, 35, 599–609.
- Zhang, X.; Zhao, J.; LeCun, Y. Character-level convolutional networks for text classification. Adv. Neural Inf. Process. Syst. 2015, 28, 649–657.
- Lu, W.; Duan, Y.; Song, Y. Self-Attention-Based Convolutional Neural Networks for Sentence Classification. In Proceedings of the 2020 IEEE 6th International Conference on Computer and Communications (ICCC), Chengdu, China, 11–14 December 2020; pp. 2065–2069.
- Young, T.; Hazarika, D.; Poria, S.; Cambria, E. Recent trends in deep learning based natural language processing. IEEE Comput. Intell. Mag. 2018, 13, 55–75.
- Meseguer, J. Conditional rewriting logic as a unified model of concurrency. Theor. Comput. Sci. 1992, 96, 73–155.
- Liu, S.; Ölveczky, P.C.; Zhang, M.; Wang, Q.; Meseguer, J. Automatic analysis of consistency properties of distributed transaction systems in Maude. In International Conference on Tools and Algorithms for the Construction and Analysis of Systems; Springer: Cham, Switzerland, 2019; pp. 40–57.
- El Maarabani, M.; Cavalli, A.; Hwang, I.; Zaïdi, F. Verification of Interoperability Security Policies by Model Checking. In Proceedings of the 2011 IEEE 13th International Symposium on High-Assurance Systems Engineering, Boca Raton, FL, USA, 10–12 November 2011; pp. 376–381.
- IoTMAL Benchmark App Repository. Available online: https://github.com/IoTBench/IoTBench-test-suite (accessed on 27 December 2021).
- Chen, S.; Xi, J.; Chen, Y.; Zhao, J. Association Mining of Near Misses in Hydropower Engineering Construction Based on Convolutional Neural Network Text Classification. Comput. Intell. Neurosci. 2022, 2022, 4851615.
- Liu, Y.; Li, P.; Hu, X. Combining context-relevant features with multi-stage attention network for short text classification. Comput. Speech Lang. 2022, 71, 101268.
- Ahmed, M.; Chakraborty, P.; Choudhury, T. Bangla Document Categorization Using Deep RNN Model with Attention Mechanism. In Cyber Intelligence and Information Retrieval; Springer: Singapore, 2022; pp. 137–147.
Ref. | SAS. Name | Analysis Type | Analysis Technique | The Main Work | Advantages | Limitations |
---|---|---|---|---|---|---|
[17] | Soteria | Static | Model-Checking | Extracts a state model from the code of an IoT application to verify if an application or multi-app system respects security, safety, and functional properties. | SOTERIA analysis on MALIOT indicated it was accurate at recognizing 17 of 20 separate property violations in those 17 apps. | 1: The use of call diagnosis by reflection. 2: Dynamic device permissions and app configurations. |
[34] | IoTCOM | Static | Model-Checking | Explains how to construct a flexible model extractor that utilizes static analysis algorithms to identify the behavior of IoT apps automatically. | IoTCOM reduces the violation detection time by 92.1% | Depends on all static and dynamic features, which may include unnecessary features. |
[5] | IotSan | Static | Model-Checking | Employs the model-checking approach to identify the causes of cyber vulnerabilities and provides actual precedents to clarify such triggers. | Recognizes 147 vulnerabilities. Can identify possible security violations | 1: The checker of the Spin model cannot manage a file size more significant than that of the Promela code. 2: The G2J translator does not recognize heterogeneous sets. |
[19] | IoTGuard | Dynamic | Code-Instrumentation | Works in three phases: (a) execution of a code instrumentor; (b) storing data of the apps in a dynamic model; (c) detection of IoT security on the dynamic model | IoTGuard introduces 11 single measures, then blocks 16 in 6 (17.1%) SmartThings, then 5 (16.6%) IFTTT apps. | Enables a user to define policies through IOTGUARD’s GPL. |
[30] | PATCHECKO | Hybrid | Deep-Learning | Optimizes deep learning and hybrid static-dynamic binary analysis to execute multi-platform binary code similarity analysis to identify vulnerabilities without high-precision source code access. | The PATCHECKO differential engine identifies between still-vulnerable functions and those set with an accuracy of 96%. | The accuracy is not a high ratio. |
[21] | IOTFUZZER | Dynamic | Taint-Tracking and Machine-learning | IOTFUZZER, which aims at identifying vulnerabilities to memory corruption in IoT devices without accessing their firmware images. | IOTFUZZER successfully found 15 vulnerabilities of memory corruption (which include eight newly discovered vulnerabilities). | 1: Scope of testing. 2: Connection mode 3: Cloud relay 4: Result judgments 5: Result accuracy |
[7] | Soteria2 | Static | Convolutional Neural network | A random walk-based traversal method for feature extraction employs both density-based and level-based CFG labels to achieve consistent representation. | Soteria achieves a 97.79% accuracy rate for detecting AEs and 99.91% accuracy of malware groups | 1: CFG does not necessarily reflect the actual code. 2: Obtaining a CFG representation cannot be performed under obfuscation |
No. | Slot Names | Description |
---|---|---|
1 | Rule (Rh) | (trigger) (condition) (action) |
2 | Trigger (Th) | (capabilities) (attribute) (value) |
3 | Condition (Ch) | (capabilities) (attribute) (value) |
4 | Action (Ah) | (capabilities) (attribute) (value) |
5 | Event | (subject) (attribute) |
6 | Constraint | logical expression | null |
Application Name | Capabilities | Rule No. | Triggers | Conditions | Actions |
---|---|---|---|---|---|
AutoLockafterXminutes | lock1 + state | R0 | capabilities = app_AutoLockafterXminutes.lock1; attribute = cap_lock_attr_lock; no value | capabilities = app_AutoLockafterXminutes.lock1; attribute = cap_lock_attr_lock; value = cap_lock_attr_lock_val_locked | attribute = app_AutoLockafterXminutes.state; attribute = cap_runIn_attr_runIn; value = cap_runIn_attr_runIn_val_on |
AutoLockafterXminutes | lock1 + state | R1 | no triggers | capabilities = app_AutoLockafterXminutes.state; attribute = cap_state_attr_runIn; value = cap_state_attr_runIn_val_on | attribute = app_AutoLockafterXminutes.lock1; attribute = cap_lock_attr_lock; value = cap_lock_attr_lock_val_lock |
AutoLockDoorsv2 | lock1 + state | R0 | capabilities = app_AutoLockDoorsv2.lock1; attribute = cap_lock_attr_lock; no value | capabilities = app_AutoLockDoorsv2.lock1; attribute = cap_lock_attr_lock; value = cap_lock_attr_lock_val-cap_lock_attr_lock_val_locked | attribute = app_AutoLockDoorsv2.state; attribute = cap_runIn_attr_runIn; value = cap_runIn_attr_runIn_val_on |
AutoLockDoorsv2 | lock1 + state | R1 | no triggers | capabilities = app_AutoLockDoorsv2.state; attribute = cap_runIn_attr_runIn; value = cap_runIn_attr_runIn_val_on | attribute = app_AutoLockDoorsv2.lock1; attribute = cap_lock_attr_lock; value = cap_lock_attr_lock_val_locked |
DoorAutoLock | lock1 + state | R0 | capabilities = app_DoorAutoLock.lock1; attribute = cap_lock_attr_lock; no value | capabilities = app_DoorAutoLock.lock1; attribute = cap_lock_attr_lock; value = cap_lock_attr_lock_val_unlocked | attribute = app_DoorAutoLock.state; attribute = cap_runIn_attr_runIn; value = cap_runIn_attr_runIn_val_on |
DoorAutoLock | lock1 + state | R1 | no triggers | capabilities = app_DoorAutoLock.state; attribute = cap_runIn_attr_runIn; value = cap_runIn_attr_runIn_val_on | attribute = app_DoorAutoLock.lock1; attribute = cap_lock_attr_lock; value = cap_lock_attr_lock_val_locked |
DoorsUnlocked | presence1 + lock1 | R0 | capabilities = app_DoorsUnlocked.presence1; attribute = cap_presenceSensor_attr_presence; no value | capabilities = app_DoorsUnlocked.presence1; attribute = cap_presenceSensor_attr_presence; value = cap_presenceSensor_attr_presence_val_null | attribute = app_DoorsUnlocked.lock1; attribute = cap_lock_attr_lock; value = cap_lock_attr_lock_val_lock |
IfFloodTurnValveOff | alarm + valve | R0 | capabilities = app_IfFloodTurnValveOff.alarm; attribute = cap_waterSensor_attr_water; value = cap_waterSensor_attr_water_val_wet | capabilities = app_IfFloodTurnValveOff.valve; attribute = cap_valve_attr_any; value = cap_valve_attr_any_val_no_value | attribute = app_IfFloodTurnValveOff.valve; attribute = cap_valve_attr_valve; value = cap_valve_attr_valve_val_closed |
ItsTooCold | temperatureSensor1 + switch1 | R0 | capabilities = app_ItsTooCold.temperatureSensor1; attribute = cap_temperatureMeasurement_attr_temperature; no value | capabilities = app_ItsTooCold.temperatureSensor1; attribute = cap_temperatureMeasurement_attr_temperature; value = range_0//cap_temperatureMeasurement_attr_temperature_val_lte_tooCold | attribute = app_ItsTooCold.switch1; attribute = cap_switch_attr_switch; value = cap_switch_attr_switch_val_on |
LightOnCold | temperatureSensor1 + switch1 | R0 | capabilities = app_LightOnCold.temperatureSensor1; attribute = cap_temperatureMeasurement_attr_temperature; no value | capabilities = app_LightOnCold.temperatureSensor1; attribute = cap_temperatureMeasurement_attr_temperature; value = cap_temperatureMeasurement_attr_temperature_val_lte_tooCold | attribute = app_LightOnCold.switch1; attribute = cap_switch_attr_switch; value = cap_switch_attr_switch_val_on |
MotionTriggersLock | motion1 + lock1 | R0 | capabilities = app_MotionTriggersLock.motion1; attribute = cap_motionSensor_attr_motion; value = cap_motionSensor_attr_motion_val_active | capabilities = app_MotionTriggersLock.lock1; attribute = cap_lock_attr_lock; value = cap_lock_attr_lock_val_locked | attribute = app_MotionTriggersLock.lock1; attribute = cap_lock_attr_lock; value = cap_lock_attr_lock_val_unlocked |
DelayedCommandExecution | contact1 + switch1 | R0 | capabilities = app_DelayedCommandExecution.contact1; attribute = cap_contactSensor_attr_contact; no value | capabilities = app_DelayedCommandExecution.contact1; attribute = cap_contactSensor_attr_contact; value = cap_contactSensor_attr_contact_val_open | attribute = app_DelayedCommandExecution.switch1; attribute = cap_switch_attr_switch; value = cap_switch_attr_switch_val_on |
DelayedCommandExecution | contact1 + switch1 | R1 | capabilities = app_DelayedCommandExecution.contact1; attribute = cap_contactSensor_attr_contact; no value | capabilities = app_DelayedCommandExecution.contact1; attribute = cap_contactSensor_attr_contact; value = cap_contactSensor_attr_contact_val -cap_contactSensor_attr_contact_val_open; capabilities = app_DelayedCommandExecution.contact1; attribute = cap_contactSensor_attr_contact; value = cap_contactSensor_attr_contact_val_closed | attribute = app_DelayedCommandExecution.switch1; attribute = cap_switch_attr_switch; value = cap_switch_attr_switch_val_off |
UnlockitWhenitOpens | contact1 + Lock1 | R0 | capabilities = app_UnlockitWhenitOpens.contact1; attribute = cap_contactSensor_attr_contact; no value | capabilities = app_UnlockitWhenitOpens.contact1; attribute = cap_contactSensor_attr_contact; value = cap_contactSensor_attr_contact_val_open | attribute = app_UnlockitWhenitOpens.lock1; attribute = cap_lock_attr_lock; value = cap_lock_attr_lock_val_unlock |
Indicator | Description |
---|---|
True positive (TP) | The number of malware samples correctly detected and labeled as malware. |
True negative (TN) | The number of benign samples correctly detected and labeled as benign. |
False positive (FP) | The number of benign samples wrongly labeled as malicious. |
False negative (FN) | The number of malware samples wrongly labeled as benign. |
Paper | SAS Analyzers | Analysis Technique | Analysis Type | Static Analysis Model |
---|---|---|---|---|
[10] | Soteria | MCT | Static | State |
[4] | IotSan | MCT | Static | State |
[43] | ForeSee | MCT | Static | State |
[6] | IoTCOM | MCT | Static | Rule |
[44] | SIFT | MCT | Static | Rule |
[45] | iRuler | MCT & NLP | Static | Rule |
[46] | TAPInspector | MCT & Slicing | Static | Rule |
This Paper | HSAS-MD | MCT & CNN | Static & Dynamic | State & Rule |
© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Hamza, A.A.; Abdel Halim, I.T.; Sobh, M.A.; Bahaa-Eldin, A.M. HSAS-MD Analyzer: A Hybrid Security Analysis System Using Model-Checking Technique and Deep Learning for Malware Detection in IoT Apps. Sensors 2022, 22, 1079. https://doi.org/10.3390/s22031079