DOI: 10.1007/978-3-030-29962-0_3
Article

BinEye: Towards Efficient Binary Authorship Characterization Using Deep Learning

Published: 23 September 2019

Abstract

In this paper, we present BinEye, an innovative tool which trains a system of three convolutional neural networks to characterize the authors of program binaries based on novel sets of features. The first set of features is obtained by converting an executable binary code into a gray image; the second by transforming each executable into a series of bytecode; and the third by representing each function in terms of its opcodes. By leveraging advances in deep learning, we are then able to characterize a large set of authors. This is accomplished even without the missing features and despite the complications arising from compilation. In fact, BinEye does not require any prior knowledge of the target binary. More importantly, an analysis of the model provides a satisfying explanation of the results obtained: BinEye is able to auto-learn each author’s coding style and thus characterize the authors of program binaries. We evaluated BinEye on large datasets extracted from selected open-source C++ projects in GitHub, Google Code Jam events, and several programming projects, comparing it wi… Experimental results demonstrate that BinEye characterizes a larger number of authors with a significantly higher accuracy (above 90%). We also employed it in the context of several case studies. When applied to Zeus and Citadel, BinEye found that this pair might be associated with common authors. For other packages, BinEye demonstrated its ability to identify the presence of multiple authors in binary code.
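The abstract names three raw views of a binary that feed the networks: the bytes laid out as a grayscale image, the byte sequence itself, and each function expressed as its opcodes. The following is an added example, not BinEye's code, showing how a defender building an authorship or triage pipeline would construct those three views from a byte string before any learning happens. The image width, the opcode vocabulary, the function names and the sample bytes are all constructed placeholders; the paper's actual choices are not on this page, and real per-function opcode lists would come from a disassembler rather than from a hand-written dictionary.

```python
"""Build the three raw feature views described in the BinEye abstract.

Added example, not the paper's code. All sample data below is constructed;
the image width and opcode vocabulary are placeholder choices, not BinEye's.
"""
from collections import Counter

# Constructed sample bytes (not from any real binary): a few x86-64-style
# prologue bytes followed by filler so the last image row needs padding.
SAMPLE_BYTES = bytes.fromhex("554889e54883ec10c745fc00000000") + bytes(range(1, 9))

# Constructed per-function opcode lists, standing in for disassembler output.
SAMPLE_FUNCS = {
    "sub_1000": ["push", "mov", "sub", "call", "mov", "leave", "ret"],
    "sub_1040": ["push", "mov", "xor", "cmp", "jne", "pop", "ret"],
}

# Placeholder opcode vocabulary; anything outside it lands in an "other" bin.
VOCAB = ["push", "pop", "mov", "call", "ret", "cmp", "jne", "xor"]


def bytes_to_gray_image(data: bytes, width: int = 16) -> list[list[int]]:
    """View 1: each byte becomes one 8-bit pixel, filled row by row.

    The last row is zero-padded so every row has the same width, which is
    what a CNN expects as a fixed-shape input.
    """
    rows = []
    for off in range(0, len(data), width):
        row = list(data[off:off + width])
        row.extend([0] * (width - len(row)))
        rows.append(row)
    return rows


def bytes_to_sequence(data: bytes, max_len: int) -> list[int]:
    """View 2: the byte stream as a fixed-length integer sequence (0..255).

    Truncate long inputs and zero-pad short ones so every sample has the
    same length; padding uses 0, so callers may want to reserve a pad token.
    """
    seq = list(data[:max_len])
    return seq + [0] * (max_len - len(seq))


def opcode_histogram(func_opcodes: dict[str, list[str]],
                     vocab: list[str]) -> dict[str, list[int]]:
    """View 3: per-function opcode count vector over a fixed vocabulary.

    Unknown mnemonics are counted in an extra trailing bin rather than
    dropped, so instruction mix outside the vocabulary is still visible.
    """
    index = {op: i for i, op in enumerate(vocab)}
    out = {}
    for fn, ops in func_opcodes.items():
        vec = [0] * (len(vocab) + 1)
        for op, n in Counter(ops).items():
            vec[index.get(op, len(vocab))] += n
        out[fn] = vec
    return out


def build_views(data: bytes, func_opcodes: dict[str, list[str]],
                width: int = 16, seq_len: int = 32) -> dict:
    """Assemble all three views for one binary into a single record."""
    return {
        "image": bytes_to_gray_image(data, width),
        "sequence": bytes_to_sequence(data, seq_len),
        "opcodes": opcode_histogram(func_opcodes, VOCAB),
    }


if __name__ == "__main__":
    views = build_views(SAMPLE_BYTES, SAMPLE_FUNCS)
    print("image rows:", len(views["image"]), "x", len(views["image"][0]))
    print("sequence:", views["sequence"])
    for fn, vec in views["opcodes"].items():
        print(fn, dict(zip(VOCAB + ["other"], vec)))
```

The point of the separate `other` bin and the explicit padding is reproducibility: when comparing two binaries (as in the Zeus/Citadel case study the abstract mentions), both must be encoded with the same width, sequence length and vocabulary, or differences in the encoding masquerade as differences in authorship.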


Cited By

  • (2024) VeriBin: A Malware Authorship Verification Approach for APT Tracking through Explainable and Functionality-Debiasing Adversarial Representation Learning. ACM Transactions on Privacy and Security 27(3), 1–37. DOI: 10.1145/3669901. Online publication date: 16 Aug 2024.
  • (2024) Identifying Authorship in Malicious Binaries: Features, Challenges & Datasets. ACM Computing Surveys 56(8), 1–36. DOI: 10.1145/3653973. Online publication date: 30 Apr 2024.
  • (2020) Scalable and robust unsupervised android malware fingerprinting using community-based network partitioning. Computers and Security 97(C). DOI: 10.1016/j.cose.2020.101965. Online publication date: 1 Oct 2020.


Published In

Guide Proceedings
Computer Security – ESORICS 2019: 24th European Symposium on Research in Computer Security, Luxembourg, September 23–27, 2019, Proceedings, Part II
Sep 2019
639 pages
ISBN:978-3-030-29961-3
DOI:10.1007/978-3-030-29962-0

Publisher

Springer-Verlag

Berlin, Heidelberg
