The Internet of Things (IoT) integrates a wide range of devices into a network to provide intelligent services. The lack of security mechanisms in such systems can cause an exposure of sensitive private data. Moreover, a networks of compromised IoT devices can allow adversaries the ability to bring down crucial systems. Indeed, adversaries have exploited software vulnerabilities in these devices for their benefit, and to execute various malicious intents. Therefore, understanding the software of these emerging systems is of the utmost importance. Building towards this goal, in this dissertation, we undertake a comprehensive analysis of the IoT software by employing different analysis techniques. To analyze the emerging IoT software systems, we first perform an in-depth and thorough analysis of the IoT binaries through static analysis. Through efficient and scalable static analysis, we extract artifacts that highlight the dynamics of the malware. In particular, by analyzing the strings, functions, and Control Flow Graphs (CFGs) of the IoT malware, we uncover their execution strategy, unique textual characteristics, and network dependencies. Additionally, through analysis of CFGs, we show the ability to approximate the main function. Using the extracted static artifacts, we design an effective malware detector. Noting that IoT malware have increased their sophistication and impact, the static approaches are prone to obfuscation that aims to evade analysis attempts. Acknowledging these attempts and to mitigate such threats, it is essential to profile the shared and exclusive behavior of these threats, such that they are easily achievable and aware of the capabilities of the widely-used IoT devices. To that end, we introduce MALInformer, an integrated dynamic and static analysis framework to analyze Linux-based IoT software and identify behavioral patterns for effective threat profiling. Leveraging an iterative signatures selection method, by taking into account the normalized frequency, cardinality, and programs covered by the signatures, MALInformer identifies distinctive and interpretable behaviors for every threat category. The static and dynamic analyses show the exploitability of the emerging systems. These weaknesses are typically reported to vulnerability databases along with the information that enable their reproduction and subsequent patching in other and related software. These weaknesses are assigned a Common Vulnerabilities and Exposures (CVE) number. We explore the quality of the reports in the National Vulnerability Database (NVD), unveiling their inconsistencies which we eventually fix. We then conduct case studies, including a large-scale evaluation of the cost of software vulnerabilities, revealing that the consumer product, software, and the finance industry are more likely to be negatively impacted by vulnerabilities. Overall, our work builds tools to analyze and detect the IoT malware and extract behavior unique to malware families. Additionally, our consistent NVD streamlines vulnerability management in emerging internet-connected systems, highlighting the economics aspects of vulnerabilities.


If this is your thesis or dissertation, and want to learn how to access it or for more information about readership statistics, contact us at STARS@ucf.edu

Graduation Date





Mohaisen, David


Doctor of Philosophy (Ph.D.)


College of Engineering and Computer Science


Computer Science

Degree Program

Computer Science









Release Date

August 2024

Length of Campus-only Access

3 years

Access Status

Doctoral Dissertation (Campus-only Access)

Restricted to the UCF community until August 2024; it will then be open access.