Fine-grained static detection of obfuscation transforms using ensemble-learning and semantic reasoning

Tofighi-Shirazi, Ramtine; Asavoae, Irina Mariuca; Elbaz-Vincent, Philippe

doi:10.1145/3371307.3371313

Cited by 5 publications

(3 citation statements)

References 55 publications

(53 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Even though obfuscation can hide semantics very well, there can still be some hints left. Existing obfuscation detection work has high accuracy [13,[33][34][35][36][37]. us, we are motivated to employ a classifier to detect which basic block is obfuscated.…”

Section: Obfuscated Instructions Detectormentioning

confidence: 99%

See 1 more Smart Citation

Input-Output Example-Guided Data Deobfuscation on Binary

Zhao

Tang

et al. 2021

Security and Communication Networks

View full text Add to dashboard Cite

Data obfuscation is usually used by malicious software to avoid detection and reverse analysis. When analyzing the malware, such obfuscations have to be removed to restore the program into an easier understandable form (deobfuscation). The deobfuscation based on program synthesis provides a good solution for treating the target program as a black box. Thus, deobfuscation becomes a problem of finding the shortest instruction sequence to synthesize a program with the same input-output behavior as the target program. Existing work has two limitations: assuming that obfuscated code snippets in the target program are known and using a stochastic search algorithm resulting in low efficiency. In this paper, we propose fine-grained obfuscation detection for locating obfuscated code snippets by machine learning. Besides, we also combine the program synthesis and a heuristic search algorithm of Nested Monte Carlo Search. We have applied a prototype implementation of our ideas to data obfuscation in different tools, including OLLVM and Tigress. Our experimental results suggest that this approach is highly effective in locating and deobfuscating the binaries with data obfuscation, with an accuracy of at least 90.34%. Compared with the state-of-the-art deobfuscation technique, our approach’s efficiency has increased by 75%, with the success rate increasing by 5%.

show abstract

Section: Obfuscated Instructions Detectormentioning

confidence: 99%

“…But they do not discuss locating the obfuscated code snippet. Tofighi et al [33] present a fine-grained detection framework of obfuscation transformations and constructions. Compared with this work, the same thing is that both of us consider the locating of obfuscated code snippets.…”

Section: Related Workmentioning

confidence: 99%

Input-Output Example-Guided Data Deobfuscation on Binary

Zhao

Tang

et al. 2021

Security and Communication Networks

View full text Add to dashboard Cite

show abstract

“…In traditional binary code analysis methods, most researchers use symbolic execution to combat code deobfuscation. For instance, Tofighi-Shirazi et al [1] proposed DoSE, which can improve the deobfuscation technique based on dynamic symbolic execution by statically eliminating obfuscation transformations, and remove two-way opaque constructs by semantic equivalence. While Xu et al [2] adopted the multi-granularity symbolic execution method to simplify the trace snippets for partially virtualized binary code, and achieved encouraging experimental results at that time.…”

Section: Introductionmentioning

confidence: 99%

DFSGraph: Data Flow Semantic Model for Intermediate Representation Programs Based on Graph Network

Tang¹,

Shan²,

Zhang³

et al. 2022

Electronics

View full text Add to dashboard Cite

With the improvement of software copyright protection awareness, code obfuscation technology plays a crucial role in protecting key code segments. As the obfuscation technology becomes more and more complex and diverse, it has spawned a large number of malware variants, which make it easy to evade the detection of anti-virus software. Malicious code detection mainly depends on binary code similarity analysis. However, the existing software analysis technologies are difficult to deal with the growing complex obfuscation technologies. To solve this problem, this paper proposes a new obfuscation-resilient program analysis method, which is based on the data flow transformation relationship of the intermediate representation and the graph network model. In our approach, we first construct the data transformation graph based on LLVM IR. Then, we design a novel intermediate language representation model based on graph networks, named DFSGraph, to learn the data flow semantics from DTG. DFSGraph can detect the similarity of obfuscated code by extracting the semantic information of program data flow without deobfuscation. Extensive experiments prove that our approach is more accurate than existing deobfuscation tools when searching for similar functions from obfuscated code.

show abstract