DocumentCode :
231273
Title :
BinClone: Detecting Code Clones in Malware
Author :
Farhadi, Mohammad Reza ; Fung, Benjamin C. M. ; Charland, Philippe ; Debbabi, Mourad
Author_Institution :
Inf. Syst. Eng., Concordia Univ., Montreal, QC, Canada
fYear :
2014
fDate :
June 30 2014-July 2 2014
Firstpage :
78
Lastpage :
87
Abstract :
To gain an in-depth understanding of the behaviour of a malware, reverse engineers have to disassemble the malware, analyze the resulting assembly code, and then archive the commented assembly code in a malware repository for future reference. In this paper, we have developed an assembly code clone detection system called BinClone to identify the code clone fragments from a collection of malware binaries with the following major contributions. First, we introduce two deterministic clone detection methods with the goals of improving the recall rate and facilitating malware analysis. Second, our methods allow malware analysts to discover both exact and inexact clones at different token normalization levels. Third, we evaluate our proposed clone detection methods on real-life malware binaries. To the best of our knowledge, this is the first work that studies the problem of assembly code clone detection for malware analysis.
Keywords :
invasive software; program diagnostics; reverse engineering; Bin Clone; BinClone; assembly code analysis; assembly code clone detection system; code clone fragment identification; commented assembly code archiving; deterministic clone detection method; inexact clone discovery; malware analysis; malware behaviour understanding; malware binaries; malware disassembly; malware repository; recall rate; reverse engineers; token normalization level; Assembly; Cloning; Detectors; Feature extraction; Malware; Registers; Vectors; Assembly Code Clone Detection; Binary Analysis; Malware Analysis; Reverse Engineering;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Software Security and Reliability (SERE), 2014 Eighth International Conference on
Conference_Location :
San Francisco, CA
Print_ISBN :
978-1-4799-4296-1
Type :
conf
DOI :
10.1109/SERE.2014.21
Filename :
6895418
Link To Document :