Corpus ID: 38805778

Automated Attacker Correlation for Malicious Code

Authors: Thomas Dullien, Ero Carrera, Soeren-Meyer Eppler, Sebastian Porst

Abstract: Correlating attacks can be specifically problematic in the digital domain. It is a common scenario that the only real "trace" of an attack that can be obtained is executable code. As such, executable code of malicious software forms one of the primary pieces of evidence that need to be examined in order to establish correlation between seemingly independent events/attacks. Due to the high technical sophistication required for building advanced and stealthy persistent backdoors…
Assembly Code Clone Detection for Malware Binaries
An assembly code clone detection system is presented and its performance is evaluated in terms of accuracy, efficiency, scalability, and feasibility of finding clones on assembly code decompiled from both Microsoft Windows 7 DLL files and real-life malware binary files.
Identifying Shared Software Components to Support Malware Forensics
The technique provides an automated method to find functional relationships between malware code that may be used to establish evolutionary relationships and aid in forensics.
Scalable code clone search for malware analysis
Experimental results on real-life malware binaries suggest that the proposed methods can effectively identify assembly code clones with the consideration of different scenarios of code mutations, and allow malware analysts to discover both exact and inexact clones at different token normalization levels.
Binary Code Reuse Detection for Reverse Engineering and Malware Analysis
A fuzzy matching approach to compare two functions, which suggests that, given a large assembly code repository with millions of functions, BinSequence is efficient and can attain high quality similarity ranking of assembly functions with an accuracy above 90% within seconds.
Scalable Framework for Accurate Binary Code Comparison
A framework for comparison of binary files is presented that is scalable due to parallelization of the function matching process and generation of PDGs and CGs, and shows that in most cases more than 95% of functions are truly matched.
BinClone: Detecting Code Clones in Malware
An assembly code clone detection system called BinClone is developed to identify the code clone fragments from a collection of malware binaries with the goals of improving the recall rate and facilitating malware analysis.
Function matching between binary executables: efficient algorithms and features
REveal is presented, a prototype tool which implements a binary diffing algorithm and an associated set of features, extracted from a binary's CG and CFGs, and successfully partitions the malware corpus into clusters consisting of samples of the same malware family.
ICT Systems Security and Privacy Protection: 35th IFIP TC 11 International Conference, SEC 2020, Maribor, Slovenia, September 21–23, 2020, Proceedings
This paper presents two new microarchitectural covert channel attacks using the memory controller that allow a privileged adversary to leak information in a native environment and an extension to cross-VM scenarios for unprivileged adversaries.
BinType: A Scalable Type Inference Tool for Compiled C Programs
BinType is a static analysis-based, scalable, precise and conservative tool that works directly on x86 assembly to automatically reveal type information of variables and function arguments; it is 45% more precise than TIE (NDSS'11) on a dataset 3.5 times larger, and orders of magnitude faster than its underlying algorithm.
Efficient features for function matching between binary executables
  • Chariton Karamitas, A. Kehagias
  • Computer Science
  • 2018 IEEE 25th International Conference on Software Analysis, Evolution and Reengineering (SANER)
  • 2018
A set of carefully chosen features is provided, extracted from a binary's CG and CFG, which can be used by BinDiff algorithm variants to build a set of initial exact matches with minimal false positives and propagate approximate matching information using, for example, a nearest-neighbor scheme.

Graph-based comparison of Executable Objects (English Version)
Abstract: A method to construct an optimal isomorphism between the sets of instructions, sets of basic blocks and sets of functions in two differing but similar executables is presented. This…
Large-scale malware indexing using function-call graphs
An efficient method to compute graph similarity that exploits structural and instruction-level information in the underlying malware programs, and a multi-resolution indexing scheme that uses a computationally economical feature vector for early pruning and resorts to a more accurate but computationally more expensive graph similarity function only when it needs to pinpoint the most similar neighbors.
Structural Comparison of Executable Objects
A method to heuristically construct an isomorphism between the sets of functions in two similar but differing versions of the same executable file has multiple practical applications, specifically the ability to detect programmatic changes between the two executable versions.
Digital genome mapping: advanced binary malware analysis
This paper elaborates on how to use graph theory to aid the analysis of malware, using graphs and extensions with the popular Interactive Disassembler Pro package, in order to reduce the time needed to understand the structure of complex malware.
Shin. Large-scale malware indexing using function-call graphs
  • 2009
Automated structural classification of malware
  • In Proceedings of the RSA Conference
  • 2008
Comparing binaries with graph isomorphism
  • 2003
More fun with graphs
  • In Blackhat Federal 2003,
  • 2003
Improving binary comparison
More fun with graphs