Title: Matching similar functions in different versions of a malware
Authors: Xiao, Yajuan; Cao, Shoufeng; Cao, Zhenzhong; Wang, Fengyu; Lin, Fengbo; Wu, Jiayan; Bi, Hancheng
Author affiliations: [Xiao, Yajuan; Wang, Fengyu; Lin, Fengbo; Wu, Jiayan; Bi, Hancheng] School of Computer Science and Technology, Shandong University, Jinan, China; [Cao
Conference: Joint 15th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, 10th IEEE International Conference on Big Data Science and Engineering and 14th IEEE International Symposium on Parallel and Distributed Processing with Applications, IEEE TrustCom/BigDataSE/ISPA 2016
Conference dates: 23 August 2016 to 26 August 2016
Source: Proceedings - 15th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, 10th IEEE International Conference on Big Data Science and Engineering and 14th IEEE International Symposium on Parallel and Distributed Processing with Applications, IEEE TrustCom/BigDataSE/ISPA 2016
Publication year: 2016
Pages: 252-259
DOI: 10.1109/TrustCom.2016.0071
Keywords: Function feature; Function matching; Malware; Reverse analysis
Abstract: Malware analysis is an important means of information security. Malicious software emerges endlessly, which has saddled reverse analysis with high difficulty and a heavy workload. In variants of a malware, much code is reused with or without modification. After long-term analysis of malware, reverse engineers have accumulated a large number of analysis results. If these analysis results can be transferred to the corresponding functions of a new version of the software, it is of great importance for improving efficiency and reducing workload in malware analysis. The key point in this work is to identify similar functions in different versions of a software. In this paper, we present a new method for matching similar function pairs, termed TPM (Two-stage Profile Matching). Based on our proposed function features, TPM recursively matches similar function pairs by combining call relations with our decision rules. Experimental results show that TPM achieves higher average precision than the 3-tuple CFG method and comparable tools such as BinDiff, Diaphora and PatchDiff in our test cases. © 2016 IEEE.
Indexed in: EI; SCOPUS
Resource type: Conference paper; Journal article
Full-text link: https://www.scopus.com/inward/record.uri?eid=2-s2.0-85015253742&doi=10.1109%2fTrustCom.2016.0071&partnerID=40&md5=8a82d1a7c6e8e7a62e24a4bdc12d6b40