- Title
- Identifying cross-version function similarity using contextual features
- Creator
- Black, Paul; Gondal, Iqbal; Vamplew, Peter; Lakhotia, Arun
- Date
- 2020
- Type
- Text; Conference paper
- Identifier
- http://researchonline.federation.edu.au/vital/access/HandleResolver/1959.17/179558
- Identifier
- vital:15608
- Identifier
- https://doi.org/10.1109/TrustCom50675.2020.00110
- Identifier
- ISBN:9781665403924 (ISBN)
- Abstract
- The identification of similar functions in malware assists analysis by supporting the exclusion of functions that have been previously analysed, allows the identification of new variants, supports authorship attribution, and the analysis of malware phylogeny. A function's context is a set comprising the function itself and all the program functions that may be executed when this function is called. Contextual features consist of data that is extracted from the functions contained in the function context. This paper presents a novel technique called Cross Version Contextual Function Similarity (CVCFS) to identify function pairs in two programs using features based on both individual functions and function context. The CVCFS technique uses Support Vector Machine (SVM) machine learning of function similarity features to pre-filter function pairs and then applies an edit distance technique using function semantics to reduce false positives. A case study is provided where individual and contextual features are extracted from three versions of Zeus malware. The SVM pre-filtering, followed by the use of an edit distance technique to filter false positives, gives a function pair identification accuracy of 85 percent. © 2020 IEEE.
- Publisher
- Institute of Electrical and Electronics Engineers Inc.
- Relation
- 19th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2020 p. 810-818
- Rights
- All metadata describing materials held in, or linked to, the repository is freely available under a CC0 licence
- Rights
- Copyright ©2020 IEEE
- Rights
- 9343225
- Subject
- Binary similarity; Function similarity; Machine learning; Malware evolution; Malware similarity; Zeus malware
- Reviewed
- Funder
- This research was funded in part through the Internet Commerce Security Laboratory (ICSL), which is a joint venture with research partners Westpac, IBM, and Federation University Australia. Paul Black is supported by an Australian Government Research Training Program (RTP) Fee-Offset Scholarship through Federation University Australia.