Neural Networks using Opcode Frequency to Identify Combinations of Obfuscation Techniques
Youjeong Noh, Jeongwoo Kim, Eun-Sun Cho
http://doi.org/10.5626/JOK.2024.51.4.293
The outcome of deobfuscation aimed at understanding the structure of malware is highly dependent on the analyst's capabilities, as it requires the use of multiple heuristics. Researchers have proposed various methods for automated analysis to detect which obfuscation techniques have been applied to programs. However, existing works have reasoned about obfuscation through classification methods that consider neither the sequential code transformations caused by obfuscation nor the fact that multiple categories of obfuscation can be applied to a program independently. This paper therefore proposes a multi-label classification model for obfuscation type detection and a model for inferring the last obfuscation type applied when multiple obfuscations have been combined. We implemented a deep learning-based obfuscation type detection model using the opcode frequency of instructions for O-LLVM (Obfuscator-LLVM)[8] obfuscation, and the proposed model was shown to achieve high detection performance.
Binary Vulnerability Analysis Framework Combining Static and Dynamic Analyses
Seoksu Lee, Wonchan Oh, Sunnyeo Park, Eun-Sun Cho, In Sung Baek
http://doi.org/10.5626/JOK.2018.45.12.1217
Binary program analyses are considered harder than source-level analyses because of the lack of semantic information. Experts therefore frequently combine multiple tools when analyzing binary programs. However, such analysis tools have different prerequisites, such as the formats of the information they consume and produce and the working environments they run in, so that even qualified experts have difficulty integrating multiple analysis tools. This paper proposes a framework that allows analysis tools with different characteristics to be combined. The proposed framework aims to integrate a static analysis and a dynamic analysis that may require different execution environments and other prerequisites. We have also provided prototypes built with real-world tools, including IDA Pro and angr, based on the proposed framework, in order to demonstrate its feasibility and performance improvement.
Efficient Similarity Analysis Methods for Same Open Source Functions in Different Versions
http://doi.org/10.5626/JOK.2017.44.10.1019
Binary similarity analysis is used in vulnerability analysis, malicious code analysis, and plagiarism detection. Proving through similarity analysis that a function is equal to a well-known safe function from a different version can improve the efficiency of binary code analysis of malicious behavior as well as the efficiency of vulnerability analysis. However, few studies have been carried out on similarity analysis of the same function across different versions. In this paper, we analyze the similarity of function units through various methods based on function information extractable from binary code, and find a way to analyze efficiently in less time. In particular, we perform a comparative analysis of different versions of the OpenSSL library to determine how similar functions can be detected even when the versions differ.
Journal of KIISE
- ISSN : 2383-630X(Print)
- ISSN : 2383-6296(Electronic)
- KCI Accredited Journal