BINDNN: Resilient function matching using deep learning

Nathaniel Lageman, Eric D. Kilmer, Robert J. Walls, Patrick D. McDaniel

Research output: Chapter in Book/Report/Conference proceedingConference contribution

13 Scopus citations

Abstract

Determining if two functions taken from different compiled binaries originate from the same function in the source code has many applications to malware reverse engineering. Namely, this process allows an analyst to filter large swaths of code, removing functions that have been previously observed or those that originate in shared or trusted libraries. However, this task is challenging due to the myriad factors that influence the translation between source code and assembly instructions—the instruction stream created by a compiler is heavily influenced by a number of factors including optimizations, target platforms, and runtime constraints. In this paper, we seek to advance methods for reliably testing the equivalence of functions found in different executables. By leveraging advances in deep learning and natural language processing, we design and evaluate a novel algorithm, BinDNN, that is resilient to variations in compiler, compiler optimization level, and architecture. We show that BinDNN is effective both in isolation or in conjunction with existing approaches. In the case of the latter, we boost performance by 109% when combining BinDNN with BinDiff to compare functions across architectures. This result—an improvement of 32% for BinDNN and 185% for BinDiff—demonstrates the utility of employing multiple orthogonal approaches to function matching.

Original languageEnglish (US)
Title of host publicationSecurity and Privacy in Communication Networks -12th International Conference, SecureComm 2016, Proceedings
EditorsRobert Deng, Vinod Yegneswaran, Jian Weng, Kui Ren
PublisherSpringer Verlag
Pages517-537
Number of pages21
ISBN (Print)9783319596075
DOIs
StatePublished - 2017
Event12th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2016 - Guangzhou, China
Duration: Oct 10 2016Oct 12 2016

Publication series

NameLecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST
Volume198 LNICST
ISSN (Print)1867-8211

Other

Other12th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2016
Country/TerritoryChina
CityGuangzhou
Period10/10/1610/12/16

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications

Fingerprint

Dive into the research topics of 'BINDNN: Resilient function matching using deep learning'. Together they form a unique fingerprint.

Cite this