Abstract
Reverse analysis is a necessary but manually intensive technique for understanding the working principles of new malware. Cross-platform binary recognition facilitates the work of reverse engineers by identifying duplicated or known parts compiled for various platforms. However, existing approaches mainly rely on raw function bytes or cosine embedding representations, which have either low binary recognition accuracy or high binary search overheads on real-world binary recognition tasks. In this paper, we propose a lightweight neural network-based approach that generates a Euclidean embedding (i.e., a numeric vector) from the control flow graph and the callee's interface information of each binary function, and classifies the embedding vectors with a Euclidean distance-sensitive artificial neural network. We implement a prototype called FuncNet and evaluate it on real-world projects with 1980 binaries and about 2 million function pairs. The experimental results show that its accuracy outperforms state-of-the-art solutions by over 13% on average and that binary search on big datasets can be done with constant time complexity.
Notes
1. High performance, open source, cross platform CryptoNight CPU/GPU miners: https://xmrig.com/.
2. Details could be found at: https://github.com/delia0204/FuncNet.
Acknowledgements
We would like to thank Can Yang, Yuchen Wei, and the anonymous reviewers for their constructive comments. This work is supported by the Chinese Academy of Sciences Key Laboratory of Network Assessment Technology, and Beijing Key Laboratory of Network Security and Protection Technology, as well as Chinese National Natural Science Foundation (U1836209, 61602470, 61802394), Strategic Priority Research Program of the CAS (XDC02040100, XDC02030200, XDC02020200), National Key Research and Development Program of China (2016QY071405), the Program of Beijing Municipal Science and Technology Commission (No. D181100000618004).
Copyright information
© 2019 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Luo, M., Yang, C., Gong, X., Yu, L. (2019). FuncNet: A Euclidean Embedding Approach for Lightweight Cross-platform Binary Recognition. In: Chen, S., Choo, KK., Fu, X., Lou, W., Mohaisen, A. (eds) Security and Privacy in Communication Networks. SecureComm 2019. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 304. Springer, Cham. https://doi.org/10.1007/978-3-030-37228-6_16
DOI: https://doi.org/10.1007/978-3-030-37228-6_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-37227-9
Online ISBN: 978-3-030-37228-6
eBook Packages: Computer Science (R0)