On the feasibility of malware authorship attribution

Saed Alrabaee, Paria Shirani, Mourad Debbabi, Lingyu Wang

Research output: Chapter in Book/Report/Conference proceedingConference contribution

25 Citations (Scopus)

Abstract

There are many occasions in which the security community is interested to discover the authorship of malware binaries, either for digital forensics analysis of malware corpora or for thwarting live threats of malware invasion. Such a discovery of authorship might be possible due to stylistic features inherent to software codes written by human programmers. Existing studies of authorship attribution of general purpose software mainly focus on source code, which is typically based on the style of programs and environment. However, those features critically depend on the availability of the program source code, which is usually not the case when dealing with malware binaries. Such program binaries often do not retain many semantic or stylistic features due to the compilation process. Therefore, authorship attribution in the domain of malware binaries based on features and styles that will survive the compilation process is challenging. This paper provides the state of the art in this literature. Further, we analyze the features involved in those techniques. By using a case study, we identify features that can survive the compilation process. Finally, we analyze existing works on binary authorship attribution and study their applicability to real malware binaries.

Original languageEnglish
Title of host publicationFoundations and Practice of Security - 9th International Symposium, FPS 2016, Revised Selected Papers
EditorsJoaquin Garcia-Alfaro, Frederic Cuppens, Nora Cuppens-Boulahia, Lingyu Wang, Nadia Tawbi
PublisherSpringer Verlag
Pages256-272
Number of pages17
ISBN (Print)9783319519654
DOIs
Publication statusPublished - 2017
Externally publishedYes
Event9th International Symposium on Foundations and Practice of Security, FPS 2016 - Quebec, Canada
Duration: Oct 24 2016Oct 26 2016

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume10128 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Conference

Conference9th International Symposium on Foundations and Practice of Security, FPS 2016
Country/TerritoryCanada
CityQuebec
Period10/24/1610/26/16

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)

Fingerprint

Dive into the research topics of 'On the feasibility of malware authorship attribution'. Together they form a unique fingerprint.

Cite this