Internet-Wide Analysis, Characterization, and Family Attribution of IoT Malware: A Comprehensive Longitudinal Study
Why this work is in the frame
A frame that forgets how it found something cannot be audited. These are the routes that admitted this work.
Bibliographic record
Abstract
This study presents a large-scale empirical analysis of real-life Internet-of-Things (IoT) malware by conducting a comprehensive analysis of 160,000 malicious executables detected by specialized IoT honeypots over five years. Our findings contribute to improving the knowledge of IoT malware characteristics and inter-relationships, which in return, contribute towards strengthening cybersecurity measures for IoT threat detection/mitigation. To achieve these goals, we leverage various malware analysis techniques to extract useful information from the executable files. Our analysis demonstrate that in contrast to non-IoT malware, we were able to extract unsolicited IP addresses and command strings from the majority of the analyzed IoT malware binaries using off-the-shelf de-obfuscation techniques/tools. Additionally, by correlating the extracted information and performing consequent similarity analysis using NLP-based features, we were able to reveal closely related samples with shared implementation across the adversarial infrastructure. Thus, contributing to labeling previously unseen/unknown IoT malware samples while uncovering emerging, possibly new variants. Finally, given such findings, we discuss the applications of a real-time IoT honeypot, which enables capturing real-time commands from malware-infected IoT devices while enabling timely and effective IoT-malware detection, analysis, labeling, and mitigation.
Fetched live from OpenAlex and de-inverted. Abstracts are not stored in this database: the inverted indexes are 8.6 GB of the frame’s 9.3 GB of text, and the host has 13 GB free.
Full frame distilled prediction
Teacher imitationNot calibrated prevalence, not ground truth. Human validation pending. Learned from the 10,348 direct Codex labels and 10,348 direct Gemma labels. Candidate is the union of thresholded teacher heads; consensus is their intersection. These outputs are machine_predicted_unvalidated and are not human labels or direct frontier model labels.
Codex and Gemma teacher scores by category
| Category | Codex | Gemma |
|---|---|---|
| Metaresearch | 0.000 | 0.000 |
| Meta-epidemiology (narrow) | 0.000 | 0.000 |
| Meta-epidemiology (broad) | 0.000 | 0.000 |
| Bibliometrics | 0.001 | 0.001 |
| Science and technology studies | 0.000 | 0.000 |
| Scholarly communication | 0.000 | 0.000 |
| Open science | 0.000 | 0.000 |
| Research integrity | 0.000 | 0.000 |
| Insufficient payload (model declined to judge) | 0.000 | 0.000 |
Machine scores (provisional)
The two teacher heads of the student model, read on this work. A score orders the frame for review; it never asserts a category, and the validation status ships verbatim with every row.
Baseline scores from an immature model (maturity gate not passed, 7 training rounds). Scores rank; they never assert a category.
score_only:v0-immature-baseline · verbatim from the scoring run: score_only means the number may rank works, and no category label ships from it