TY - GEN
T1 - BINDNN
T2 - 12th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2016
AU - Lageman, Nathaniel
AU - Kilmer, Eric D.
AU - Walls, Robert J.
AU - McDaniel, Patrick D.
N1 - Funding Information:
Research was sponsored by the Army Research Laboratory and was accomplished under Cooperative Agreement Number W911NF-13-2-0045 (ARL Cyber Security CRA). The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the Army Research Laboratory or the U.S. Government. The U.S. Government is authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright notation hereon.
Funding Information:
Additionally, this material is based upon work supported by the National Science Foundation under Grant Nos. CNS-1228700 and CNS-1064900. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.
Publisher Copyright:
© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2017.
PY - 2017
Y1 - 2017
N2 - Determining if two functions taken from different compiled binaries originate from the same function in the source code has many applications to malware reverse engineering. Namely, this process allows an analyst to filter large swaths of code, removing functions that have been previously observed or those that originate in shared or trusted libraries. However, this task is challenging due to the myriad factors that influence the translation between source code and assembly instructions—the instruction stream created by a compiler is heavily influenced by a number of factors including optimizations, target platforms, and runtime constraints. In this paper, we seek to advance methods for reliably testing the equivalence of functions found in different executables. By leveraging advances in deep learning and natural language processing, we design and evaluate a novel algorithm, BinDNN, that is resilient to variations in compiler, compiler optimization level, and architecture. We show that BinDNN is effective both in isolation and in conjunction with existing approaches. In the case of the latter, we boost performance by 109% when combining BinDNN with BinDiff to compare functions across architectures. This result—an improvement of 32% for BinDNN and 185% for BinDiff—demonstrates the utility of employing multiple orthogonal approaches to function matching.
AB - Determining if two functions taken from different compiled binaries originate from the same function in the source code has many applications to malware reverse engineering. Namely, this process allows an analyst to filter large swaths of code, removing functions that have been previously observed or those that originate in shared or trusted libraries. However, this task is challenging due to the myriad factors that influence the translation between source code and assembly instructions—the instruction stream created by a compiler is heavily influenced by a number of factors including optimizations, target platforms, and runtime constraints. In this paper, we seek to advance methods for reliably testing the equivalence of functions found in different executables. By leveraging advances in deep learning and natural language processing, we design and evaluate a novel algorithm, BinDNN, that is resilient to variations in compiler, compiler optimization level, and architecture. We show that BinDNN is effective both in isolation and in conjunction with existing approaches. In the case of the latter, we boost performance by 109% when combining BinDNN with BinDiff to compare functions across architectures. This result—an improvement of 32% for BinDNN and 185% for BinDiff—demonstrates the utility of employing multiple orthogonal approaches to function matching.
UR - http://www.scopus.com/inward/record.url?scp=85021725956&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85021725956&partnerID=8YFLogxK
U2 - 10.1007/978-3-319-59608-2_29
DO - 10.1007/978-3-319-59608-2_29
M3 - Conference contribution
AN - SCOPUS:85021725956
SN - 9783319596075
T3 - Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST
SP - 517
EP - 537
BT - Security and Privacy in Communication Networks - 12th International Conference, SecureComm 2016, Proceedings
A2 - Deng, Robert
A2 - Yegneswaran, Vinod
A2 - Weng, Jian
A2 - Ren, Kui
PB - Springer Verlag
Y2 - 10 October 2016 through 12 October 2016
ER -