BinClone – Detecting Code Clones in Malware

Authors
  1. Farhadi, M.R.
  2. Fung, B.C.M.
  3. Charland, P.
  4. Debbabi, M.
Corporate Authors
  1. Defence Research and Development Canada, Valcartier Research Centre, Quebec QC (CAN)
  2. Concordia University, Institute for Information Systems Engineering, Montreal QC (CAN)
  3. McGill University, Montreal QC (CAN)
Abstract
To gain an in-depth understanding of the behaviour of a malware sample, reverse engineers have to disassemble the malware, analyze the resulting assembly code, and then archive the commented assembly code in a malware repository for future reference. In this paper, we have developed an assembly code clone detection system called BinClone to identify code clone fragments in a collection of malware binaries, with the following major contributions. First, we introduce two deterministic clone detection methods with the goals of improving the recall rate and facilitating malware analysis. Second, our methods allow malware analysts to discover both exact and inexact clones at different token normalization levels. Third, we evaluate our proposed clone detection methods on real-life malware binaries. To the best of our knowledge, this is the first work that studies the problem of assembly code clone detection for malware analysis.
Keywords
reverse engineering; malware analysis; code clone detection
Report Number
DRDC-RDDC-2014-P77 — External Literature
Date of publication
21 Oct 2014
Number of Pages
10
DSTKIM No
CA039663
CANDIS No
800686
Format
Electronic Document (PDF)
