- Title
- Function similarity using family context
- Creator
- Black, Paul; Gondal, Iqbal; Vamplew, Peter; Lakhotia, Arun
- Date
- 2020
- Type
- Text; Journal article
- Identifier
- http://researchonline.federation.edu.au/vital/access/HandleResolver/1959.17/174061
- Identifier
- vital:14754
- Identifier
- https://doi.org/10.3390/electronics9071163
- Abstract
- Finding changed and similar functions between a pair of binaries is an important problem in malware attribution and for the identification of new malware capabilities. This paper presents a new technique called Function Similarity using Family Context (FSFC) for this problem. FSFC trains a Support Vector Machine (SVM) model using pairs of similar functions from two program variants. This method improves upon previous research called Cross Version Contextual Function Similarity (CVCFS) by representing a function using features extracted not just from the function itself but also from other functions with which it has a caller or callee relationship. We present the results of an initial experiment showing that the use of additional features from the context of a function significantly decreases the false positive rate, obviating the need for a separate pass for cleaning false positives. The more surprising and unexpected finding is that the SVM model produced by FSFC can abstract function similarity features from one pair of program variants to find similar functions in an unrelated pair of program variants. If validated by a larger study, this new property leads to the possibility of creating generic similar-function classifiers that can be packaged and distributed in reverse engineering tools such as IDA Pro and Ghidra.
- Publisher
- MDPI AG
- Relation
- Electronics Vol. 9, no. 7 (Jul 2020), p. 20
- Rights
- http://creativecommons.org/licenses/by/4.0/
- Rights
- Copyright © 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license
- Rights
- Open Access
- Rights
- This metadata is freely available under a CC0 license
- Subject
- 0906 Electrical and Electronic Engineering; Malware similarity; Malware evolution; Function similarity; Binary; Similarity; Zeus malware; ISFB malware; Machine learning
- Full Text
- Reviewed
- Funder
- This research was performed in the Internet Commerce Security Lab (ICSL), which is a joint venture with research partners Westpac, IBM, and Federation University Australia.
File | Description | Size | Format
---|---|---|---
SOURCE1 | Published | 405 KB | Adobe Acrobat PDF
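The core idea summarised in the abstract, as an added illustration that is not the paper's code: a function is represented by its own features together with the features of its callers and callees, and the two representations are compared on a pair of constructed program variants. The instruction-class counts, the call graphs and the A-to-B name mapping are all constructed for the demo, and the paper's SVM stage is replaced by cosine nearest-neighbour matching; `labelled_pairs` only shows the shape of the pairwise rows such an SVM would be trained on.

```python
"""Function matching across two program variants with context features.
Added illustration, not the paper's code: all data below is constructed and
the paper's SVM stage is replaced by cosine nearest-neighbour matching."""
from dataclasses import dataclass
import math

# Hypothetical local feature set: counts of instruction classes in a function.
FEATURE_NAMES = ("call", "branch", "mov", "arith", "ret")


@dataclass(frozen=True)
class Func:
    features: tuple  # local instruction-class counts (constructed)
    callees: tuple   # names of directly called functions


# Variant A (constructed): wrap_sum and wrap_log have identical bodies and
# differ only in whom they call and who calls them.
VARIANT_A = {
    "main":     Func((3, 2, 6, 1, 1), ("parse", "emit")),
    "parse":    Func((2, 4, 9, 5, 1), ("wrap_sum",)),
    "emit":     Func((2, 1, 7, 2, 1), ("wrap_log",)),
    "wrap_sum": Func((1, 0, 2, 0, 1), ("checksum",)),
    "wrap_log": Func((1, 0, 2, 0, 1), ("log_line",)),
    "checksum": Func((0, 3, 4, 12, 1), ()),
    "log_line": Func((1, 1, 5, 0, 1), ()),
}
# Variant B (constructed): same call graph, stripped names, a few counts
# perturbed as a recompile would do.
VARIANT_B = {
    "sub_1000": Func((3, 2, 7, 1, 1), ("sub_1100", "sub_1200")),
    "sub_1100": Func((2, 4, 8, 5, 1), ("sub_1300",)),
    "sub_1200": Func((2, 1, 7, 2, 1), ("sub_1400",)),
    "sub_1300": Func((1, 0, 2, 0, 1), ("sub_1500",)),
    "sub_1400": Func((1, 0, 2, 0, 1), ("sub_1600",)),
    "sub_1500": Func((0, 3, 5, 12, 1), ()),
    "sub_1600": Func((1, 1, 5, 0, 1), ()),
}
# Ground truth used only for scoring (constructed).
TRUTH = {"main": "sub_1000", "parse": "sub_1100", "emit": "sub_1200",
         "wrap_sum": "sub_1300", "wrap_log": "sub_1400",
         "checksum": "sub_1500", "log_line": "sub_1600"}


def vec_sum(vectors):
    out = [0] * len(FEATURE_NAMES)
    for v in vectors:
        for i, x in enumerate(v):
            out[i] += x
    return tuple(out)

def local_vector(prog, name):
    """Baseline: the function's own features only."""
    return prog[name].features

def context_vector(prog, name):
    """Own features, then summed callee features, then summed caller features."""
    fn = prog[name]
    callers = [n for n, f in prog.items() if name in f.callees]
    return (fn.features
            + vec_sum(prog[c].features for c in fn.callees)
            + vec_sum(prog[c].features for c in callers))

def cosine(u, v):
    dot = sum(a * b for a, b in zip(u, v))
    norm = math.sqrt(sum(a * a for a in u)) * math.sqrt(sum(b * b for b in v))
    return dot / norm if norm else 0.0

def match(prog_a, prog_b, featurize):
    """name_a -> (best name_b, tied). tied means the top two scores are
    equal, so the match cannot be used without manual cleaning."""
    result = {}
    for name_a in prog_a:
        va = featurize(prog_a, name_a)
        scored = sorted(((cosine(va, featurize(prog_b, nb)), nb) for nb in prog_b),
                        reverse=True)
        (best, cand), (second, _) = scored[0], scored[1]
        result[name_a] = (cand, math.isclose(best, second))
    return result

def false_positives(matches, truth):
    """Functions whose match is wrong or ambiguous."""
    return sorted(n for n, (cand, tied) in matches.items()
                  if tied or cand != truth[n])

def labelled_pairs(prog_a, prog_b, truth, featurize):
    """Rows (|f(a) - f(b)|, label): the pairwise form an SVM would train on."""
    rows = []
    for na in prog_a:
        va = featurize(prog_a, na)
        for nb in prog_b:
            vb = featurize(prog_b, nb)
            rows.append((tuple(abs(x - y) for x, y in zip(va, vb)),
                         int(truth[na] == nb)))
    return rows

if __name__ == "__main__":
    for label, fz in (("local", local_vector), ("context", context_vector)):
        fps = false_positives(match(VARIANT_A, VARIANT_B, fz), TRUTH)
        print(f"{label:>7} features: false positives = {fps}")
```

Run stand-alone, it reports the false positives for each representation: with local features alone the two identical wrappers score 1.0 against both wrapper candidates in variant B, so neither can be matched, while the context vectors separate them and every function lands on its true counterpart. A tie for the top score is counted as a false positive here because an analyst would have to resolve it by hand, which is exactly the cleaning pass the abstract says the context features make unnecessary.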