BinSlayer: accurate comparison of binary executables

Authors:
Martial Bourquin;Andy King;Edward Robbins
Affiliations:
University of Kent;University of Kent;University of Kent
Venue:
PPREW '13 Proceedings of the 2nd ACM SIGPLAN Program Protection and Reverse Engineering Workshop
Year:
2013

Citing 17
Cited 0

A shortest augmenting path algorithm for dense and sparse linear assignment problems

Computing
Manufacturing cheap, resilient, and stealthy opaque constructs

POPL '98 Proceedings of the 25th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Software piracy prevention through diversity

Proceedings of the 4th ACM workshop on Digital rights management
Control flow based obfuscation

Proceedings of the 5th ACM workshop on Digital rights management
BinHunt: Automatically Finding Semantic Differences in Binary Programs

ICICS '08 Proceedings of the 10th International Conference on Information and Communications Security
Approximate graph edit distance computation by means of bipartite graph matching

Image and Vision Computing
Large-scale malware indexing using function-call graphs

Proceedings of the 16th ACM conference on Computer and communications security
Comparing stars: on approximating graph edit distance

Proceedings of the VLDB Endowment
A survey of graph edit distance

Pattern Analysis & Applications
Bipartite graph matching for computing the edit distance of graphs

GbRPR'07 Proceedings of the 6th IAPR-TC-15 international conference on Graph-based representations in pattern recognition
Classification of malware using structured control flow

AusPDC '10 Proceedings of the Eighth Australasian Symposium on Parallel and Distributed Computing - Volume 107
Proactive Detection of Computer Worms Using Model Checking

IEEE Transactions on Dependable and Secure Computing
Refinement-based CFG reconstruction from unstructured programs

VMCAI'11 Proceedings of the 12th international conference on Verification, model checking, and abstract interpretation
Improved call graph comparison using simulated annealing

Proceedings of the 2011 ACM Symposium on Applied Computing
Fast suboptimal algorithms for the computation of graph edit distance

SSPR'06/SPR'06 Proceedings of the 2006 joint IAPR international conference on Structural, Syntactic, and Statistical Pattern Recognition
Fast malware family detection method using control flow graphs

Proceedings of the 2011 ACM Symposium on Research in Applied Computation
Alternating control flow reconstruction

VMCAI'12 Proceedings of the 13th international conference on Verification, Model Checking, and Abstract Interpretation

Quantified Score

Hi-index	0.00

Visualization

Abstract

As the volume of malware inexorably rises, comparison of binary code is of increasing importance to security analysts as a method of automatically classifying new malware samples; purportedly new examples of malware are frequently a simple evolution of existing code, whose differences stem only from a need to avoid detection. This paper presents a polynomial algorithm for calculating the differences between two binaries, obtained by fusing the well-known BinDiff algorithm with the Hungarian algorithm for bi-partite graph matching. This significantly improves the matching accuracy. Additionally a meaningful metric of similarity is calculated, based on graph edit distance, from which an informed comparison of the binaries can be made. The accuracy of this method over the standard approach is demonstrated.