A Novel Framework to Classify Malware in MIPS Architecture-Based IoT Devices

Malware on devices connected to the Internet via the Internet of Things (IoT) is evolving and is a core component of the fourth industrial revolution. IoT devices use the MIPS architecture with a large proportion running on embedded Linux operating systems, but the automatic analysis of IoT malware has not been resolved. We proposed a framework to classify malware in IoT devices by using MIPS-based system behavior (system call—syscall) obtained from our F-Sandbox passive process and machine learning techniques. The F-Sandbox is a new type for IoT sandbox, automatically created from the real firmware of the specialized IoT devices, inheriting the specialized environment in the real firmware, therefore creating a diverse environment for sandboxing as an important characteristic of IoT sandbox. This framework classifies five families of IoT malware with F1-Weight = 97.44%.