A GNN-Based Adversarial Internet of Things Malware Detection Framework for Critical Infrastructure: Studying Gafgyt, Mirai and Tsunami Campaigns

Significant advancement in Deep learning (DL) has turned it into an integral part of robust approaches for addressing cybersecurity problems in both current and aging infrastructures. Control Flow Graphs (CFGs) have demonstrated their effectiveness as leading choices that result in high-performing classifiers among various data representations used by DL-based models. Recently, Graph Neural Networks (GNNs) have made breakthroughs in the graph domain, and before long, they were jointly used with CFGs to train performant malware classifiers. However, graph-based adversarial attacks have caused suspicion about the predictions these graph-based malware classifiers make, and few studies have investigated detecting such attacks. Therefore, this paper proposes a novel GNN-based adversarial detector for identifying adversarial CFGs with higher efficacy than the previous work. This adversarial detector is placed in a data pipeline before a GNN-based malware classifier. In this paper, we solve the adversarial detection problem as an anomaly detection scenario and train the adversarial detector to learn the normal data distribution. Our GNN-based adversarial detector detects 98.96% of all adversarial CFGs, which is 1.17% higher than the previous method, with a 5.95% lower False Positive Rate (FPR). In the most hazardous category of the attack, where the attacker intends to render a malicious example as a benign input, we achieve a 4.85% boost compared to the previous competitors.