Function similarity using family context

Black, Paul; Gondal, Iqbal; Vamplew, Peter; Lakhotia, Arun

Title: Function similarity using family context
Creator: Black, Paul; Gondal, Iqbal; Vamplew, Peter; Lakhotia, Arun
Date: 2020
Type: Text; Journal article
Identifier: http://researchonline.federation.edu.au/vital/access/HandleResolver/1959.17/174061
Identifier: vital:14754
Identifier: https://doi.org/10.3390/electronics9071163
Identifier: ISBN:
Abstract: Finding changed and similar functions between a pair of binaries is an important problem in malware attribution and for the identification of new malware capabilities. This paper presents a new technique called Function Similarity using Family Context (FSFC) for this problem. FSFC trains a Support Vector Machine (SVM) model using pairs of similar functions from two program variants. This method improves upon previous research called Cross Version Contextual Function Similarity (CVCFS) e epresenting a function using features extracted not just from the function itself, but also, from other functions with which it has a caller and callee relationship. We present the results of an initial experiment that shows that the use of additional features from the context of a function significantly decreases the false positive rate, obviating the need for a separate pass for cleaning false positives. The more surprising and unexpected finding is that the SVM model produced by FSFC can abstract function similarity features from one pair of program variants to find similar functions in an unrelated pair of program variants. If validated by a larger study, this new property leads to the possibility of creating generic similar function classifiers that can be packaged and distributed in reverse engineering tools such as IDA Pro and Ghidra.; This research was performed in the Internet Commerce Security Lab (ICSL), which is a joint venture with research partners Westpac, IBM, and Federation University Australia.
Publisher: MDPI AG
Relation: Electronics Vol. 9, no. 7 (Jul 2020), p. 20
Rights: http://creativecommons.org/licenses/by/4.0/
Rights: Copyright © 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license
Rights: Open Access
Rights: This metadata is freely available under a CCO license
Subject: 0906 Electrical and Electronic Engineering; Malware similarity; Malware evolution; Function similarity; Binary; Similarity; Zeus malware; ISFB malware; Machine learning
Full Text
Reviewed
Funder: This research was performed in the Internet Commerce Security Lab (ICSL), which is a joint venture with research partners Westpac, IBM, and Federation University Australia.

Hits: 1816
Visitors: 1889
Downloads: 157

		Thumbnail	File	Description	Size	Format
View Details Download			SOURCE1	Published	405 KB	Adobe Acrobat PDF	View Details Download