Abstract
In this paper, we present BinEye, an innovative tool which trains a system of three convolutional neural networks to characterize the authors of program binaries based on novel sets of features. The first set of features is obtained by converting an executable binary code into a gray image; the second by transforming each executable into a series of bytecode; and the third by representing each function in terms of its opcodes. By leveraging advances in deep learning, we are then able to characterize a large set of authors. This is accomplished even without the missing features and despite the complications arising from compilation. In fact, BinEye does not require any prior knowledge of the target binary. More important, an analysis of the model provides a satisfying explanation of the results obtained: BinEye is able to auto-learn each author’s coding style and thus characterize the authors of program binaries. We evaluated BinEye on large datasets extracted from selected open-source C++ projects in GitHub, Google Code Jam events, and several programming projects, comparing it wiexperimental results demonstrate that BinEye characterizes a larger number of authors with a significantly higher accuracy (above 90%). We also employed it in the context of several case studies. When applied to Zeus and Citadel, BinEye found that this pair might be associated with common authors. For other packages, BinEye demonstrated its ability to identify the presence of multiple authors in binary code.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Alrabaee, S., Shirani, P., Wang, L., Debbabi, M.: Fossil: a resilient and efficient system for identifying foss functions in malware binaries. ACM Trans. Priv. Secur. (TOPS) 21(2), 8 (2018)
Techniqal report, Resource 207: Kaspersky Lab Research proves that Stuxnet and Flame developers are connected. http://www.kaspersky.com/about/news/virus/2012/
Big Game Hunting: Nation-state malware research, BlackHat (2015). https://www.blackhat.com/docs/us-15/materials/us-15-MarquisBoire-Big-Game-Hunting-The-Peculiarities-Of-Nation-State-Malware-Research.pdf
Citizen Lab. University of Toronto, Canada (2015). https://citizenlab.org/
Caliskan-Islam, A., et al.: De-anonymizing programmers via code stylometry. In: USENIX (2015)
Frantzeskou, G.: Source code authorship analysis for supporting the cybercrime investigation process, pp. 470–495 (2004)
Alrabaee, S., Saleem, N., Preda, S., Wang, L., Debbabi, M.: Oba2: an onion approach to binary code authorship attribution. Digit. Invest. 11, S94–S103 (2014)
Alrabaee, S., Wang, L., Debbabi, M.: On the feasibility of binary authorship characterization. Digit. Invest. 28, S3–S11 (2019)
Caliskan-Islam, A., et al.: When coding style survives compilation: de-anonymizing programmers from executable binaries, arXiv preprint arXiv:1512.08546 (2015)
Rosenblum, N., Zhu, X., Miller, B.P.: Who wrote this code? Identifying the authors of program binaries. In: Atluri, V., Diaz, C. (eds.) ESORICS 2011. LNCS, vol. 6879, pp. 172–189. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23822-2_10
Kirat, D., Nataraj, L., Vigna, G., Manjunath, B.: Sigmal: a static signal processing based malware triage. In: Proceedings of the 29th Annual Computer Security Applications Conference, pp. 89–98. ACM (2013)
Oliva, A., Torralba, A.: Modeling the shape of the scene: a holistic representation of the spatial envelope. Int. J. Comput. Vis. 42(3), 145–175 (2001)
Wei, Y., et al.: HCP: a flexible CNN framework for multi-label image classification. IEEE Trans. Pattern Anal. Mach. Intell. 38(9), 1901–1907 (2016)
HexRays: IDA Pro (2011). https://www.hex-rays.com/products/ida/index.shtml. Accessed Feb 2016
Andriesse, D., Slowinska, A., Bos, H.: Compiler-agnostic function detection in binaries. In: IEEE Euro S&P (2017)
Farnstrom, F., Lewis, J., Elkan, C.: Scalability for clustering algorithms revisited. ACM SIGKDD Explor. Newsl. 2(1), 51–57 (2000)
PEfile (2012). http://code.google.com/p/pefile/. Accessed Nov 2016
Nataraj, L., Karthikeyan, S., Jacob, G., Manjunath, B.: Malware images: visualization and automatic classification. In: Proceedings of the 8th International Symposium on Visualization for Cyber Security, p. 4. ACM (2011)
Daugman, J.G.: Complete discrete 2-D gabor transforms by neural networks for image analysis and compression. IEEE Trans. Acoust. Speech Signal Process. 36(7), 1169–1179 (1988)
Karbab, E.B., Debbabi, M., Derhab, A., Mouheb, D.: MalDozer: automatic framework for android malware detection using deep learning. Digit. Invest. 24, S48–S59 (2018)
Huang, G., Liu, Z., Weinberger, K.Q., van der Maaten, L.: Densely connected convolutional networks, arXiv preprint arXiv:1608.06993 (2016)
Kim, Y.: Convolutional neural networks for sentence classification, CoRR (2014)
Mikolov, T., Sutskever, I., et al.: Distributed representations of words and phrases and their compositionality. In: NIPS Neural Information Processing Systems (2013)
Pennington, J., Socher, R., et al.: GloVe: global vectors for word representation. In: Conference on Empirical Methods in Natural Language Processing (2014)
Hamerly, G., Elkan, C., et al.: Learning the k in k-means. In: NIPS, vol. 3, pp. 281–288 (2003)
The Scalable Native Graph Database (2015). http://neo4j.com/
The Gephi plugin for nneo4j (2015). https://marketplace.gephi.org/plugin/neo4j-graph-database-support/
The GitHub repository (2016). https://github.com/
The Google Code Jam (2008–2015). http://code.google.com/codejam/
The materials supplement for the paper. Who Wrote This Code? Identifying the Authors of Program Binaries. http://pages.cs.wisc.edu/~dnater/esorics-supp/
Programmer De-anonymization from Binary Executables (2015). https://github.com/calaylin/bda
Hex-Ray decompiler (2015). https://www.hex-rays.com/products/decompiler/
Refactoring tool (2016). https://www.devexpress.com/Products/CodeRush/. Accessed Feb 2017
C++ refactoring tools for visual studio (2016). http://www.wholetomato.com/. Accessed Feb 2016
Tigress is a diversifying virtualizer/obfuscator for the C language (2016). http://tigress.cs.arizona.edu/
Junod, P., Rinaldini, J., Wehrli, J., Michielin, J.: Obfuscator-LLVM: software protection for the masses. In: Proceedings of the 1st International Workshop on Software Protection, pp. 3–9. IEEE Press (2015)
Branco, R.R., Barbosa, G.N., Neto, P.D.: Scientific but not academical overview of malware anti-debugging, anti-disassembly and Anti-VM technologies (2012)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Alrabaee, S., Karbab, E.B., Wang, L., Debbabi, M. (2019). BinEye: Towards Efficient Binary Authorship Characterization Using Deep Learning. In: Sako, K., Schneider, S., Ryan, P. (eds) Computer Security – ESORICS 2019. ESORICS 2019. Lecture Notes in Computer Science(), vol 11736. Springer, Cham. https://doi.org/10.1007/978-3-030-29962-0_3
Download citation
DOI: https://doi.org/10.1007/978-3-030-29962-0_3
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-29961-3
Online ISBN: 978-3-030-29962-0
eBook Packages: Computer ScienceComputer Science (R0)