Open AccessProceedings Article10.1145/2976749.2989041

POSTER: Identifying Dynamic Data Structures in Malware

- 24 Oct 2016

- pp 1772-1774

TL;DR: A new type recovery for binaries based on machine learning is proposed, which uses Howard's types to guide the search and DSI's memory abstraction for hypothesis evaluation to identify dynamic data structures present in malware samples.

Abstract: As the complexity of malware grows, so does the necessity of employing program structuring mechanisms during development. While control flow structuring is often obfuscated, the dynamic data structures employed by the program are typically untouched. We report on work in progress that exploits this weakness to identify dynamic data structures present in malware samples for the purposes of aiding reverse engineering and constructing malware signatures, which may be employed for malware classification. Using a prototype implementation, which combines the type recovery tool Howard and the identification tool Data Structure Investigator (DSI), we analyze data structures in Carberp and AgoBot malware. Identifying their data structures illustrates a challenging problem. To tackle this, we propose a new type recovery for binaries based on machine learning, which uses Howard's types to guide the search and DSI's memory abstraction for hypothesis evaluation.

AI Agents for this Paper

Find similar papers on Google Scholar, PubMed and Arxiv
Write a critical review of this paper
Analyze citations of this paper to find unaddressed research gaps

Most frequently asked questions

1. What contributions have the authors mentioned in the paper "Poster: identifying dynamic data structures in malware" ?

The authors report on work in progress that exploits this weakness to identify dynamic data structures present in malware samples for the purposes of aiding reverse engineering and constructing malware signatures, which may be employed for malware classification.. Using a prototype implementation, which combines the type recovery tool Howard and the identification tool Data Structure Investigator ( DSI ), the authors analyze data structures in Carberp and AgoBot malware.. To tackle this, the authors propose a new type recovery for binaries based on machine learning, which uses Howard ’ s types to guide the search and DSI ’ s memory abstraction for hypothesis evaluation.

Citations

10.48550/arxiv.1811.11819

Unsupervised Meta-Learning for Few-Shot Image Classification

Siavash Khodadadeh, +2 more

TL;DR: This paper proposes UMTRA, an unsupervised, model-agnostic meta-learning algorithm for few-shot image classification, leveraging unlabeled images and random sampling/augmentation to create synthetic tasks, achieving state-of-the-art performance on Omniglot and Mini-Imagenet benchmarks.

...read moreread less

Proceedings Article•10.1109/ASE.2017.8115646

DSIbin: identifying dynamic data structures in C/C++ binaries

Thomas Rupprecht, +5 more

- 30 Oct 2017

TL;DR: DSIbin, a combination of DSI and the type excavator Howard for the inspection of C/C++ binaries is presented and it is demonstrated via benchmarking that DSIbin detects data structures with high precision.

...read moreread less

10.1109/tnnls.2021.3135460

Deep Clustering Analysis Via Dual Variational Autoencoder with Spherical Latent Embeddings.

Lin Yang, +2 more

TL;DR: This paper proposes a novel deep clustering method, DSVAE, using a dual variational autoencoder with spherical latent embeddings, leveraging a von Mises-Fisher mixture model prior and an augmented loss function for robust clustering on benchmark datasets.

...read moreread less

References

•Proceedings Article•10.1184/R1/6469466.V1

TIE: Principled Reverse Engineering of Types in Binary Programs

JongHyup Lee, +2 more

- 01 Feb 2011

TL;DR: Novel techniques for reverse engineering data type abstractions from binary programs are developed and a novel type reconstruction system based upon binary code analysis is developed that is both more accurate and more precise at recovering high-level types than existing mechanisms.

...read moreread less

243

•Proceedings Article

Automatic Reverse Engineering of Data Structures from Binary Execution.

Zhiqiang Lin, +2 more

- 01 Jan 2010

TL;DR: In this article, a reverse-engineering technique is proposed to automatically reveal program data structures from binaries based on dynamic analysis, where each memory location accessed by the program is tagged with a timestamped type attribute.

...read moreread less

175

Journal Article•10.1145/2896499

Type Inference on Executables

Juan Caballero, +1 more

- 02 May 2016

- ACM Computing Surveys

TL;DR: This article systematize the area of binary code type inference according to its most important dimensions: the applications that motivate its importance, the approaches used, the types that those approaches infer, the implementation of those approaches, and how the inference results are evaluated.

...read moreread less

Proceedings Article•10.1145/1669112.1669122

DDT: design and evaluation of a dynamic program analysis for optimizing data structure usage

Changhee Jung, +1 more

- 12 Dec 2009

TL;DR: The design and application of DDT are presented, a new program analysis tool that automatically identifies data structures within an application that is highly accurate across several different implementations of standard data structures, enabling aggressive optimizations in many situations.

...read moreread less

Proceedings Article•10.1145/1111583.1111585

Recursive data structure profiling

Easwaran Raman, +1 more

- 12 Jun 2005

TL;DR: A method for collecting RDS profile without requiring any high-level program representation or type information is described, which achieves this with manageable space and time overhead on a mixture of pointer intensive benchmarks from the SPEC, Olden and other benchmark suites.

...read moreread less

...

Expand

POSTER: Identifying Dynamic Data Structures in Malware

Chat with Paper

AI Agents for this Paper

Most frequently asked questions

1. What contributions have the authors mentioned in the paper "Poster: identifying dynamic data structures in malware" ?

Citations

Unsupervised Meta-Learning for Few-Shot Image Classification

DSIbin: identifying dynamic data structures in C/C++ binaries

Deep Clustering Analysis Via Dual Variational Autoencoder with Spherical Latent Embeddings.

References

TIE: Principled Reverse Engineering of Types in Binary Programs

Automatic Reverse Engineering of Data Structures from Binary Execution.

Type Inference on Executables

DDT: design and evaluation of a dynamic program analysis for optimizing data structure usage

Recursive data structure profiling

Related Papers (5)

iPanda: A comprehensive malware analysis tool

Malware analysis using reverse engineering and data mining tools

Malware Fingerprinting under Uncertainty

Malware Detection by Static Checking and Dynamic Analysis of Executables

MalInsight: A systematic profiling based malware detection framework