BINDNN: Resilient function matching using deep learning

Nathaniel Lageman; Eric D. Kilmer; Robert J. Walls; Patrick D. McDaniel

doi:10.1007/978-3-319-59608-2_29

BINDNN: Resilient function matching using deep learning

Nathaniel Lageman, Eric D. Kilmer, Robert J. Walls, Patrick D. McDaniel

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

7 Scopus citations

Abstract

Determining if two functions taken from different compiled binaries originate from the same function in the source code has many applications to malware reverse engineering. Namely, this process allows an analyst to filter large swaths of code, removing functions that have been previously observed or those that originate in shared or trusted libraries. However, this task is challenging due to the myriad factors that influence the translation between source code and assembly instructions—the instruction stream created by a compiler is heavily influenced by a number of factors including optimizations, target platforms, and runtime constraints. In this paper, we seek to advance methods for reliably testing the equivalence of functions found in different executables. By leveraging advances in deep learning and natural language processing, we design and evaluate a novel algorithm, BinDNN, that is resilient to variations in compiler, compiler optimization level, and architecture. We show that BinDNN is effective both in isolation or in conjunction with existing approaches. In the case of the latter, we boost performance by 109% when combining BinDNN with BinDiff to compare functions across architectures. This result—an improvement of 32% for BinDNN and 185% for BinDiff—demonstrates the utility of employing multiple orthogonal approaches to function matching.

Original language	English (US)
Title of host publication	Security and Privacy in Communication Networks -12th International Conference, SecureComm 2016, Proceedings
Editors	Robert Deng, Vinod Yegneswaran, Jian Weng, Kui Ren
Publisher	Springer Verlag
Pages	517-537
Number of pages	21
ISBN (Print)	9783319596075
DOIs	https://doi.org/10.1007/978-3-319-59608-2_29
State	Published - 2017
Event	12th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2016 - Guangzhou, China Duration: Oct 10 2016 → Oct 12 2016

Publication series

Name	Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST
Volume	198 LNICST
ISSN (Print)	1867-8211

Other

Other	12th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2016
Country/Territory	China
City	Guangzhou
Period	10/10/16 → 10/12/16

All Science Journal Classification (ASJC) codes

Computer Networks and Communications

Access to Document

10.1007/978-3-319-59608-2_29

Cite this

Lageman, N., Kilmer, E. D., Walls, R. J., & McDaniel, P. D. (2017). BINDNN: Resilient function matching using deep learning. In R. Deng, V. Yegneswaran, J. Weng, & K. Ren (Eds.), Security and Privacy in Communication Networks -12th International Conference, SecureComm 2016, Proceedings (pp. 517-537). (Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST; Vol. 198 LNICST). Springer Verlag. https://doi.org/10.1007/978-3-319-59608-2_29

Lageman, Nathaniel ; Kilmer, Eric D. ; Walls, Robert J. et al. / BINDNN : Resilient function matching using deep learning. Security and Privacy in Communication Networks -12th International Conference, SecureComm 2016, Proceedings. editor / Robert Deng ; Vinod Yegneswaran ; Jian Weng ; Kui Ren. Springer Verlag, 2017. pp. 517-537 (Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST).

@inproceedings{e88498f4aa4844abb692b27b07f606c1,

title = "BINDNN: Resilient function matching using deep learning",

abstract = "Determining if two functions taken from different compiled binaries originate from the same function in the source code has many applications to malware reverse engineering. Namely, this process allows an analyst to filter large swaths of code, removing functions that have been previously observed or those that originate in shared or trusted libraries. However, this task is challenging due to the myriad factors that influence the translation between source code and assembly instructions—the instruction stream created by a compiler is heavily influenced by a number of factors including optimizations, target platforms, and runtime constraints. In this paper, we seek to advance methods for reliably testing the equivalence of functions found in different executables. By leveraging advances in deep learning and natural language processing, we design and evaluate a novel algorithm, BinDNN, that is resilient to variations in compiler, compiler optimization level, and architecture. We show that BinDNN is effective both in isolation or in conjunction with existing approaches. In the case of the latter, we boost performance by 109% when combining BinDNN with BinDiff to compare functions across architectures. This result—an improvement of 32% for BinDNN and 185% for BinDiff—demonstrates the utility of employing multiple orthogonal approaches to function matching.",

author = "Nathaniel Lageman and Kilmer, {Eric D.} and Walls, {Robert J.} and McDaniel, {Patrick D.}",

note = "Funding Information: Research was sponsored by the Army Research Laboratory and was accomplished under Cooperative Agreement Number W911NF-13-2-0045 (ARL Cyber Security CRA). The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the Army Research Laboratory or the U.S. Government. The U.S. Government is authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright notation here on. Funding Information: Additionally, this material is based upon work supported by the National Science Foundation under Grant Nos. CNS-1228700 and CNS-1064900. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation. Publisher Copyright: {\textcopyright} ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2017.; 12th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2016 ; Conference date: 10-10-2016 Through 12-10-2016",

year = "2017",

doi = "10.1007/978-3-319-59608-2_29",

language = "English (US)",

isbn = "9783319596075",

series = "Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST",

publisher = "Springer Verlag",

pages = "517--537",

editor = "Robert Deng and Vinod Yegneswaran and Jian Weng and Kui Ren",

booktitle = "Security and Privacy in Communication Networks -12th International Conference, SecureComm 2016, Proceedings",

address = "Germany",

}

Lageman, N, Kilmer, ED, Walls, RJ & McDaniel, PD 2017, BINDNN: Resilient function matching using deep learning. in R Deng, V Yegneswaran, J Weng & K Ren (eds), Security and Privacy in Communication Networks -12th International Conference, SecureComm 2016, Proceedings. Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST, vol. 198 LNICST, Springer Verlag, pp. 517-537, 12th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2016, Guangzhou, China, 10/10/16. https://doi.org/10.1007/978-3-319-59608-2_29

BINDNN: Resilient function matching using deep learning. / Lageman, Nathaniel; Kilmer, Eric D.; Walls, Robert J. et al.
Security and Privacy in Communication Networks -12th International Conference, SecureComm 2016, Proceedings. ed. / Robert Deng; Vinod Yegneswaran; Jian Weng; Kui Ren. Springer Verlag, 2017. p. 517-537 (Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST; Vol. 198 LNICST).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - BINDNN

T2 - 12th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2016

AU - Lageman, Nathaniel

AU - Kilmer, Eric D.

AU - Walls, Robert J.

AU - McDaniel, Patrick D.

N1 - Funding Information: Research was sponsored by the Army Research Laboratory and was accomplished under Cooperative Agreement Number W911NF-13-2-0045 (ARL Cyber Security CRA). The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the Army Research Laboratory or the U.S. Government. The U.S. Government is authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright notation here on. Funding Information: Additionally, this material is based upon work supported by the National Science Foundation under Grant Nos. CNS-1228700 and CNS-1064900. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation. Publisher Copyright: © ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2017.

PY - 2017

Y1 - 2017

N2 - Determining if two functions taken from different compiled binaries originate from the same function in the source code has many applications to malware reverse engineering. Namely, this process allows an analyst to filter large swaths of code, removing functions that have been previously observed or those that originate in shared or trusted libraries. However, this task is challenging due to the myriad factors that influence the translation between source code and assembly instructions—the instruction stream created by a compiler is heavily influenced by a number of factors including optimizations, target platforms, and runtime constraints. In this paper, we seek to advance methods for reliably testing the equivalence of functions found in different executables. By leveraging advances in deep learning and natural language processing, we design and evaluate a novel algorithm, BinDNN, that is resilient to variations in compiler, compiler optimization level, and architecture. We show that BinDNN is effective both in isolation or in conjunction with existing approaches. In the case of the latter, we boost performance by 109% when combining BinDNN with BinDiff to compare functions across architectures. This result—an improvement of 32% for BinDNN and 185% for BinDiff—demonstrates the utility of employing multiple orthogonal approaches to function matching.

AB - Determining if two functions taken from different compiled binaries originate from the same function in the source code has many applications to malware reverse engineering. Namely, this process allows an analyst to filter large swaths of code, removing functions that have been previously observed or those that originate in shared or trusted libraries. However, this task is challenging due to the myriad factors that influence the translation between source code and assembly instructions—the instruction stream created by a compiler is heavily influenced by a number of factors including optimizations, target platforms, and runtime constraints. In this paper, we seek to advance methods for reliably testing the equivalence of functions found in different executables. By leveraging advances in deep learning and natural language processing, we design and evaluate a novel algorithm, BinDNN, that is resilient to variations in compiler, compiler optimization level, and architecture. We show that BinDNN is effective both in isolation or in conjunction with existing approaches. In the case of the latter, we boost performance by 109% when combining BinDNN with BinDiff to compare functions across architectures. This result—an improvement of 32% for BinDNN and 185% for BinDiff—demonstrates the utility of employing multiple orthogonal approaches to function matching.

UR - http://www.scopus.com/inward/record.url?scp=85021725956&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85021725956&partnerID=8YFLogxK

U2 - 10.1007/978-3-319-59608-2_29

DO - 10.1007/978-3-319-59608-2_29

M3 - Conference contribution

AN - SCOPUS:85021725956

SN - 9783319596075

T3 - Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST

SP - 517

EP - 537

BT - Security and Privacy in Communication Networks -12th International Conference, SecureComm 2016, Proceedings

A2 - Deng, Robert

A2 - Yegneswaran, Vinod

A2 - Weng, Jian

A2 - Ren, Kui

PB - Springer Verlag

Y2 - 10 October 2016 through 12 October 2016

ER -

Lageman N, Kilmer ED, Walls RJ, McDaniel PD. BINDNN: Resilient function matching using deep learning. In Deng R, Yegneswaran V, Weng J, Ren K, editors, Security and Privacy in Communication Networks -12th International Conference, SecureComm 2016, Proceedings. Springer Verlag. 2017. p. 517-537. (Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST). doi: 10.1007/978-3-319-59608-2_29

BINDNN: Resilient function matching using deep learning

Abstract

Publication series

Other

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this