English

ShellCore: Automating Malicious IoT Software Detection by Using Shell Commands Representation

Cryptography and Security 2021-03-29 v1

Abstract

The Linux shell is a command-line interpreter that provides users with a command interface to the operating system, allowing them to perform a variety of functions. Although very useful in building capabilities at the edge, the Linux shell can be exploited, giving adversaries a prime opportunity to use them for malicious activities. With access to IoT devices, malware authors can abuse the Linux shell of those devices to propagate infections and launch large-scale attacks, e.g., DDoS. In this work, we provide a first look at shell commands used in Linux-based IoT malware towards detection. We analyze malicious shell commands found in IoT malware and build a neural network-based model, ShellCore, to detect malicious shell commands. Namely, we collected a large dataset of shell commands, including malicious commands extracted from 2,891 IoT malware samples and benign commands collected from real-world network traffic analysis and volunteered data from Linux users. Using conventional machine and deep learning-based approaches trained with term- and character-level features, ShellCore is shown to achieve an accuracy of more than 99% in detecting malicious shell commands and files (i.e., binaries).

Keywords

Cite

@article{arxiv.2103.14221,
  title  = {ShellCore: Automating Malicious IoT Software Detection by Using Shell Commands Representation},
  author = {Hisham Alasmary and Afsah Anwar and Ahmed Abusnaina and Abdulrahman Alabduljabbar and Mohammad Abuhamad and An Wang and DaeHun Nyang and Amro Awad and David Mohaisen},
  journal= {arXiv preprint arXiv:2103.14221},
  year   = {2021}
}
R2 v1 2026-06-24T00:34:31.211Z