Home Platform-Independent Recognition of Procedures in Binaries Based on Simple Characteristics
Article
Licensed
Unlicensed Requires Authentication

Platform-Independent Recognition of Procedures in Binaries Based on Simple Characteristics

  • Sebastian Eschweiler and Elmar Gerhards-Padilla
Published/Copyright: March 20, 2012
it - Information Technology
From the journal it - Information Technology Volume 54 Issue 2

Abstract

Malware analysts are more and more overstrained by today´s flood of malware. Hence, the need for automated tools to assist malware analysis becomes apparent. A common approach of malware analysis is reverse engineering its components, namely (sub-)procedures. We present and evaluate simple procedure characteristics such as the number of instructions for their robustness with respect to different compilers, compilation options and even across operating systems. We identify robust characteristics and apply standard machine learning algorithms based on these characteristics to automatically identify already known procedures in new malware. This prevents analysts from repeatedly reversing known procedures.

Zusammenfassung

Malware-Analysten werden täglich von neuer Malware überflutet, was den Bedarf an automatisierten Werkzeugen deutlich macht. Üblicherweise wird Malware analysiert, indem die Teilkomponenten, also (Unter-)Prozeduren untersucht werden. In der vorliegenden Arbeit werden einfache Prozedur-Charakteristiken wie die Anzahl der Instruktionen vorgestellt und auf ihre Robustheit bezüglich verschiedener Compiler, Compiler-Optionen und sogar betriebssystemübergreifend untersucht. Robuste Charakteristiken werden Standard-Maschinenlernverfahren zugeführt, um automatisiert bereits analysierte Prozeduren in neuer Malware zu erkennen. Hierdurch muss der Analyst die bereits erkannten Prozeduren nicht erneut manuell untersuchen.

Keywords: reverse engineering; malware; machine learning
* Correspondence address: Fraunhofer FKIE, Research Group Cyber Defense, Friedrich-Ebert-Allee 144, 53113 Bonn,
Published Online: 2012-03-20
Published in Print: 2012-04

© by Oldenbourg Wissenschaftsverlag, Bonn, Germany

Articles in the same Issue

  1. Reactive Security
  2. Reverse Code Engineering — State of the Art and Countermeasures
  3. Platform-Independent Recognition of Procedures in Binaries Based on Simple Characteristics
  4. Modeling and Describing Misuse Scenarios Using Signature-Nets and Event Description Language
  5. Anomaly Detection at “supersonic” Speed
  6. Experiments with P2P Botnet Detection
  7. Automatic Adaptation of User Interfaces to Cultural Preferences
https://doi.org/10.1524/itit.2012.0665
Keywords for this article
reverse engineering; malware; machine learning

Articles in the same Issue

  1. Reactive Security
  2. Reverse Code Engineering — State of the Art and Countermeasures
  3. Platform-Independent Recognition of Procedures in Binaries Based on Simple Characteristics
  4. Modeling and Describing Misuse Scenarios Using Signature-Nets and Event Description Language
  5. Anomaly Detection at “supersonic” Speed
  6. Experiments with P2P Botnet Detection
  7. Automatic Adaptation of User Interfaces to Cultural Preferences
Sign up now to receive a 20% welcome discount
Institutional Access
How does access work?
Have an idea on how to improve our website?
Please write us.
© 2025 De Gruyter Brill
Downloaded on 26.9.2025 from https://www.degruyterbrill.com/document/doi/10.1524/itit.2012.0665/html
Scroll to top button