Neurlux

Jindal, Chani; Salls, Christopher; Aghakhani, Hojjat; Long, Keith R.; Kruegel, Christopher; Vigna, Giovanni

doi:10.1145/3359789.3359835

Cited by 35 publications

(5 citation statements)

References 33 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Penetrating the characteristics of a machine-interpretable binary code has a wide range of real-world applications including i) code clone (software plagiarism) or similarity detection [14,15,17,18,40,43,55,67,68,69,71,74], ii) malware family classification [28], detection [5,6,35], and analysis [32,36,72], iii) authorship prediction [31,37], iv) known bug discovery (code search) [7,8,9,19,38,42,51,52,57,58], v) patching analysis [20,29,64], and vi) toolchain provenance [48,56]. Most of these applications pertain to binary similarity comparison.…”

Section: Related Workmentioning

confidence: 99%

“…Recent advancements in machine learning techniques have received considerable attention for their applicability in binary analysis, addressing both effectiveness and efficiency. Malware analysis is one of popular applications: i) BinDNN [36] leverages deep neural networks (e.g., LSTM) for function matching for malware, ii) Zhang et al [72] present dynamic malware analysis with feature engineering (API calls), and iii) Neurlux [32] proposes a system that learns features automatically from a dynamic analysis report (i.e., behavioral information of malware). Code similarity detection is another active domain using a probabilistic approach.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Binary Code Representation With Well-Balanced Instruction Normalization

et al. 2023

View full text Add to dashboard Cite

The recovery of contextual meanings on a machine code is required by a wide range of binary analysis applications, such as bug discovery, malware analysis, and code clone detection. To accomplish this, advancements on binary code analysis borrow the techniques from natural language processing to automatically infer the underlying semantics of a binary, rather than replying on manual analysis. One of crucial pipelines in this process is instruction normalization, which helps to reduce the number of tokens and to avoid an out-of-vocabulary (OOV) problem. However, existing approaches often substitutes operands with a common token (e.g., callee target → FOO), inevitably resulting in the loss of important information. In this paper, we introduce well-balanced instruction normalization (WIN), a novel approach that retains rich code information while minimizing the downsides of code normalization. With large swaths of binary code, our finding shows that the instruction distribution follows Zipf's Law like a natural language, a function conveys contextually meaningful information, and the same instruction at different positions may require diverse code representations. To show the effectiveness of WIN, we present DeepSemantic that harnesses the BERT architecture with two training phases: pre-training for generic assembly code representation, and fine-tuning for building a model tailored to a specialized task. We define a downstream task of binary code similarity detection, which requires underlying code semantics. Our experimental results show that our binary similarity model with WIN outperforms two state-of-the-art binary similarity tools, DeepBinDiff and SAFE, with an average improvement of 49.8% and 15.8%, respectively.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Binary Code Representation With Well-Balanced Instruction Normalization

et al. 2023

View full text Add to dashboard Cite

show abstract

“…First, we remove the hash values from the parameters. Most of these hashes represent a certain area in memory, i.e., virtual addresses, and these virtual addresses change with different devices, so virtual addresses are not such important information for dynamic detection methods based on API sequences [29,30], and hashes are more difficult to handle compared to other parameters. Therefore, the hash values in the parameters are not processed.…”

Section: Parametersmentioning

confidence: 99%

Dynamic Malware Detection Using Parameter-Augmented Semantic Chain

Zhao,

Wang,

Kou

et al. 2023

Electronics

View full text Add to dashboard Cite

Due to the rapid development and widespread presence of malware, deep-learning-based malware detection methods have become a pivotal approach used by researchers to protect private data. Behavior-based malware detection is effective, but changes in the running environment and malware evolution can alter API calls used for detection. Most existing methods ignore API call parameters while analyzing them separately, which loses important semantic information. Therefore, considering API call parameters and their combinations can improve behavior-based malware detection. To improve the effectiveness of behavior-based malware detection systems, this paper proposes a novel API feature engineering method. The proposed method employs parameter-augmented semantic chains to improve the system’s resilience to unknown parameters and elevate the detection rate. The method entails semantically decomposing the API to derive a behavior semantic chain, which provides an initial representation of the behavior exhibited by samples. To further refine the accuracy of the behavior semantic chain in depicting the behavior, the proposed method integrates the parameters utilized by the API into the aforementioned semantic chain. Furthermore, an information compression technique is employed to minimize the loss of critical actions following truncation of API sequences. Finally, a deep learning model consisting of gated CNN, Bi-LSTM, and an attention mechanism is used to extract semantic features embedded within the API sequences and improve the overall detection accuracy. Additionally, we evaluate the proposed method on a competition dataset Datacon2019. Experiments indicate that the proposed method outperforms baselines employing vocabulary-based methods in both robustness to unknown parameters and detection rate.

show abstract

“…Modern malware-detection systems often leverage both dynamic and static analyses to determine maliciousness [8,25,44,90,93]. While in most cases an attacker would hence need to adopt countermeasures against both of these types of analyses, in other situations, such as potential attacks on end-user systems protected predominantly through static analysis based antivirus detectors [20,95], defeating a static malware detector could be sufficient for an attacker to achieve their goals.…”

Section: Attacks On Static Malware Detectionmentioning

confidence: 99%

“…Modern malware detectors, both academic (e.g., [4,44]) and commercial (e.g., [25,90]), increasingly rely on machine learning (ML) to classify executables as benign or malicious based on features such as imported libraries and API calls. In the space of static malware detection, where an executable is classified prior to its execution, recent efforts have proposed deep neural networks (DNNs) that detect malware from binaries' raw byte-level representation, with effectiveness similar to that of detectors based on hand-crafted features selected through tedious manual processing [54,76].…”

Section: Introductionmentioning

confidence: 99%

Deceiving ML-Based Friend-or-Foe Identification for Executables

Lucas¹,

Sharif²,

Bauer³

et al. 2022

Advances in Information Security

View full text Add to dashboard Cite

Deceiving an adversary who may, e.g., attempt to reconnoiter a system before launching an attack, typically involves changing the system’s behavior such that it deceives the attacker while still permitting the system to perform its intended function. We develop techniques to achieve such deception by studying a proxy problem: malware detection.Researchers and anti-virus vendors have proposed DNNs for malware detection from raw bytes that do not require manual feature engineering. In this work, we propose an attack that interweaves binary-diversification techniques and optimization frameworks to mislead such DNNs while preserving the functionality of binaries. Unlike prior attacks, ours manipulates instructions that are a functional part of the binary, which makes it particularly challenging to defend against. We evaluated our attack against three DNNs in white- and black-box settings and found that it often achieved success rates near 100%. Moreover, we found that our attack can fool some commercial anti-viruses, in certain cases with a success rate of 85%. We explored several defenses, both new and old, and identified some that can foil over 80% of our evasion attempts. However, these defenses may still be susceptible to evasion by attacks, and so we advocate for augmenting malware-detection systems with methods that do not rely on machine learning.

show abstract

Neurlux

Cited by 35 publications

References 33 publications

Binary Code Representation With Well-Balanced Instruction Normalization

Binary Code Representation With Well-Balanced Instruction Normalization

Dynamic Malware Detection Using Parameter-Augmented Semantic Chain

Deceiving ML-Based Friend-or-Foe Identification for Executables

Contact Info

Product

Resources

About