Comparative analysis of similarity-based IoT malware detectors
Samples belonging to the same malware family tend to be similar at the binary level, which makes similarity-based malware detection possible. Several similarity-based IoT malware detection methods have been developed in recent years in the CrySyS Lab of BME, and the main goal of this project is to perform a comprehensive comparative analysis of their performance. More specifically, the IoT malware detectors to be studied in this project are SIMBIoTA, SIMBIoTA++, and SIMBIoTA-ML with different machine learning models, and the performance metrics of interest are the F1-score of malware detection, the speed of detection, and the size of the model used for detection.
The specific tasks of the student include the following:
Overview of the motivation and challenges of malware detection in the IoT domain;
Understanding the operation of SIMBIoTA, SIMBIoTA++, and SIMBIoTA-ML;
Preparation of a suitable dataset to be used in the project containing malicious and benign ELF binaries;
Selection of optimal parameters for SIMBIoTA, SIMBIoTA++, and SIMBIoTA-ML with different machine learning models, including at least logistic regression, AdaBoost, SVM, and random forest;
Designing the methods to measure and compare the F1-score, the speed, and the memory footprint of SIMBIoTA, SIMBIoTA++, and SIMBIoTA-ML with different machine learning models, all using their optimal parameters;
Performing an extensive measurement campaign and evaluating the obtained results.