标题：Matching Similar Functions in Different Versions of a Malware
作者：Xiao, Yajuan; Cao, Shoufeng; Cao, Zhenzhong; Wang, Fengyu; Lin, Fengbo; Wu, Jiayan; Bi, Hancheng
作者机构：[Xiao, Yajuan; Wang, Fengyu; Lin, Fengbo; Wu, Jiayan; Bi, Hancheng] Shandong Univ, Sch Comp Sci & Technol, Jinan, Peoples R China.; [Cao, Shoufeng] 更多
会议名称：15th IEEE Int Conf on Trust, Security and Privacy in Comp and Commun / 10th IEEE Int Conf on Big Data Science and Engineering / 14th IEEE Int Symposium on Parallel and Distributed Proc with Applicat (IEEE Trustcom/BigDataSE/ISPA)
会议日期：AUG 23-26, 2016
来源：2016 IEEE TRUSTCOM/BIGDATASE/ISPA
关键词：reverse analysis; Malware; function feature; function matching
摘要：Malware analysis is an important means for information security. Malicious softwares emerge endlessly, which has saddled reverse analysis with high difficulty and heavy workload. In variants of a malware, many codes are reused with or without modifications. After a long term analysis on malwares, reverse engineers have accumulated a large number of analysis results. If the analysis results can be transferred to the corresponding functions of new version software, it is of great importance for efficiency improvement and workload reduction in malware analysis. The key point in this work is to identify the similar functions in different versions of a software. In this paper, we present a new method for matching similar function pairs, termed TPM (Two-stage Profile Matching). Based on our proposed features of functions, TPM recursively matches similar function pairs by combining with call relations and our decision rules. Experimental results show that, TPM can achieve the higher average precision, compared with 3-tuple CFG method and the comparable tools such as bindiff, diaphora and PatchDiff, in our test cases.