Accurate Comparison of Binary Executables
نویسندگان
چکیده
As the volume of malware inexorably rises, comparison of binary code is of increasing importance to security analysts as a method of automatically classifying new malware samples; purportedly new examples of malware are frequently a simple evolution of existing code, whose differences stem only from a need to avoid detection. This paper presents a polynomial algorithm for calculating the differences between two binaries, obtained by fusing the well-known BinDiff algorithm with the Hungarian algorithm for bi-partite graph matching. This significantly improves the matching accuracy. Additionally a meaningful metric of similarity is calculated, based on graph edit distance, from which an informed comparison of the binaries can be made. The accuracy of this method over the standard approach is demonstrated.
منابع مشابه
Detecting Packed Executables Based on Raw Binary Data
Packing an executable originally referred to the compression of the file to reduce its size on disk. Nowadays, packing also introduces encryption and anti-debug techniques to protect executables from reverse engineering. This explains why packers are extensively used in creating new malware variants which are not detected by traditional signature-based anti-malware tools. Although universal unp...
متن کاملA scalable multi-level feature extraction technique to detect malicious executables
We present a scalable and multi-level feature extraction technique to detect malicious executables. We propose a novel combination of three different kinds of features at different levels of abstraction. These are binary n-grams, assembly instruction sequences, and Dynamic Link Library (DLL) function calls; extracted from binary executables, disassembled executables, and executable headers, res...
متن کاملUsing Reflection to Reduce the Size of .NET Executables
This article presents an object-oriented technique for reducing the size of .NET executables. Current binary compressors cannot be used to pack .NET executables because .NET makes use of a specially modified PE file format. We will rely on reflection capabilities supported by .NET to pack .NET binaries using pure C# code. The solution is general and can be used with any .NET executable, no matt...
متن کاملA compiler level intermediate representation based binary analysis system and its applications
Title of Dissertation: A COMPILER LEVEL INTERMEDIATE REPRESENTATION BASED BINARY ANALYSIS SYSTEM AND ITS APPLICATIONS Kapil Anand, Doctor of Philosophy, 2013 Dissertation directed by: Professor Rajeev Barua Department of Electrical and Computer Engineering Analyzing and optimizing programs from their executables has received a lot of attention recently in the research community. There has been ...
متن کاملIntraprocedural Static Slicing of Binary Executables
Program slicing is a technique for determining the set of statements of a program that potentially affect the value of a variable at some point in the program. Intra and interprocedural slicing of high-level languages has greatly been studied in the literature; both static and dynamic techniques have been used to aid in the debugging, maintenance, parallelization, program integration, and dataa...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
عنوان ژورنال:
دوره شماره
صفحات -
تاریخ انتشار 2012