On the feasibility of malware authorship attribution

Saed Alrabaee; Paria Shirani; Mourad Debbabi; Lingyu Wang

doi:10.1007/978-3-319-51966-1_17

On the feasibility of malware authorship attribution

Saed Alrabaee, Paria Shirani, Mourad Debbabi, Lingyu Wang

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

25 Citations (Scopus)

Abstract

There are many occasions in which the security community is interested to discover the authorship of malware binaries, either for digital forensics analysis of malware corpora or for thwarting live threats of malware invasion. Such a discovery of authorship might be possible due to stylistic features inherent to software codes written by human programmers. Existing studies of authorship attribution of general purpose software mainly focus on source code, which is typically based on the style of programs and environment. However, those features critically depend on the availability of the program source code, which is usually not the case when dealing with malware binaries. Such program binaries often do not retain many semantic or stylistic features due to the compilation process. Therefore, authorship attribution in the domain of malware binaries based on features and styles that will survive the compilation process is challenging. This paper provides the state of the art in this literature. Further, we analyze the features involved in those techniques. By using a case study, we identify features that can survive the compilation process. Finally, we analyze existing works on binary authorship attribution and study their applicability to real malware binaries.

Original language	English
Title of host publication	Foundations and Practice of Security - 9th International Symposium, FPS 2016, Revised Selected Papers
Editors	Joaquin Garcia-Alfaro, Frederic Cuppens, Nora Cuppens-Boulahia, Lingyu Wang, Nadia Tawbi
Publisher	Springer Verlag
Pages	256-272
Number of pages	17
ISBN (Print)	9783319519654
DOIs	https://doi.org/10.1007/978-3-319-51966-1_17
Publication status	Published - 2017
Externally published	Yes
Event	9th International Symposium on Foundations and Practice of Security, FPS 2016 - Quebec, Canada Duration: Oct 24 2016 → Oct 26 2016

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	10128 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	9th International Symposium on Foundations and Practice of Security, FPS 2016
Country/Territory	Canada
City	Quebec
Period	10/24/16 → 10/26/16

ASJC Scopus subject areas

Theoretical Computer Science
Computer Science(all)

Access to Document

10.1007/978-3-319-51966-1_17

Cite this

Alrabaee, S., Shirani, P., Debbabi, M., & Wang, L. (2017). On the feasibility of malware authorship attribution. In J. Garcia-Alfaro, F. Cuppens, N. Cuppens-Boulahia, L. Wang, & N. Tawbi (Eds.), Foundations and Practice of Security - 9th International Symposium, FPS 2016, Revised Selected Papers (pp. 256-272). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10128 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-319-51966-1_17

On the feasibility of malware authorship attribution. / Alrabaee, Saed; Shirani, Paria; Debbabi, Mourad et al.
Foundations and Practice of Security - 9th International Symposium, FPS 2016, Revised Selected Papers. ed. / Joaquin Garcia-Alfaro; Frederic Cuppens; Nora Cuppens-Boulahia; Lingyu Wang; Nadia Tawbi. Springer Verlag, 2017. p. 256-272 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10128 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Alrabaee, S, Shirani, P, Debbabi, M & Wang, L 2017, On the feasibility of malware authorship attribution. in J Garcia-Alfaro, F Cuppens, N Cuppens-Boulahia, L Wang & N Tawbi (eds), Foundations and Practice of Security - 9th International Symposium, FPS 2016, Revised Selected Papers. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 10128 LNCS, Springer Verlag, pp. 256-272, 9th International Symposium on Foundations and Practice of Security, FPS 2016, Quebec, Canada, 10/24/16. https://doi.org/10.1007/978-3-319-51966-1_17

Alrabaee S, Shirani P, Debbabi M, Wang L. On the feasibility of malware authorship attribution. In Garcia-Alfaro J, Cuppens F, Cuppens-Boulahia N, Wang L, Tawbi N, editors, Foundations and Practice of Security - 9th International Symposium, FPS 2016, Revised Selected Papers. Springer Verlag. 2017. p. 256-272. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-319-51966-1_17

Alrabaee, Saed ; Shirani, Paria ; Debbabi, Mourad et al. / On the feasibility of malware authorship attribution. Foundations and Practice of Security - 9th International Symposium, FPS 2016, Revised Selected Papers. editor / Joaquin Garcia-Alfaro ; Frederic Cuppens ; Nora Cuppens-Boulahia ; Lingyu Wang ; Nadia Tawbi. Springer Verlag, 2017. pp. 256-272 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{d8492eb5946c4d73ad82d1773c90ff36,

title = "On the feasibility of malware authorship attribution",

abstract = "There are many occasions in which the security community is interested to discover the authorship of malware binaries, either for digital forensics analysis of malware corpora or for thwarting live threats of malware invasion. Such a discovery of authorship might be possible due to stylistic features inherent to software codes written by human programmers. Existing studies of authorship attribution of general purpose software mainly focus on source code, which is typically based on the style of programs and environment. However, those features critically depend on the availability of the program source code, which is usually not the case when dealing with malware binaries. Such program binaries often do not retain many semantic or stylistic features due to the compilation process. Therefore, authorship attribution in the domain of malware binaries based on features and styles that will survive the compilation process is challenging. This paper provides the state of the art in this literature. Further, we analyze the features involved in those techniques. By using a case study, we identify features that can survive the compilation process. Finally, we analyze existing works on binary authorship attribution and study their applicability to real malware binaries.",

author = "Saed Alrabaee and Paria Shirani and Mourad Debbabi and Lingyu Wang",

note = "Publisher Copyright: {\textcopyright} Springer International Publishing AG 2017.; 9th International Symposium on Foundations and Practice of Security, FPS 2016 ; Conference date: 24-10-2016 Through 26-10-2016",

year = "2017",

doi = "10.1007/978-3-319-51966-1_17",

language = "English",

isbn = "9783319519654",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "256--272",

editor = "Joaquin Garcia-Alfaro and Frederic Cuppens and Nora Cuppens-Boulahia and Lingyu Wang and Nadia Tawbi",

booktitle = "Foundations and Practice of Security - 9th International Symposium, FPS 2016, Revised Selected Papers",

}

TY - GEN

T1 - On the feasibility of malware authorship attribution

AU - Alrabaee, Saed

AU - Shirani, Paria

AU - Debbabi, Mourad

AU - Wang, Lingyu

N1 - Publisher Copyright: © Springer International Publishing AG 2017.

PY - 2017

Y1 - 2017

N2 - There are many occasions in which the security community is interested to discover the authorship of malware binaries, either for digital forensics analysis of malware corpora or for thwarting live threats of malware invasion. Such a discovery of authorship might be possible due to stylistic features inherent to software codes written by human programmers. Existing studies of authorship attribution of general purpose software mainly focus on source code, which is typically based on the style of programs and environment. However, those features critically depend on the availability of the program source code, which is usually not the case when dealing with malware binaries. Such program binaries often do not retain many semantic or stylistic features due to the compilation process. Therefore, authorship attribution in the domain of malware binaries based on features and styles that will survive the compilation process is challenging. This paper provides the state of the art in this literature. Further, we analyze the features involved in those techniques. By using a case study, we identify features that can survive the compilation process. Finally, we analyze existing works on binary authorship attribution and study their applicability to real malware binaries.

AB - There are many occasions in which the security community is interested to discover the authorship of malware binaries, either for digital forensics analysis of malware corpora or for thwarting live threats of malware invasion. Such a discovery of authorship might be possible due to stylistic features inherent to software codes written by human programmers. Existing studies of authorship attribution of general purpose software mainly focus on source code, which is typically based on the style of programs and environment. However, those features critically depend on the availability of the program source code, which is usually not the case when dealing with malware binaries. Such program binaries often do not retain many semantic or stylistic features due to the compilation process. Therefore, authorship attribution in the domain of malware binaries based on features and styles that will survive the compilation process is challenging. This paper provides the state of the art in this literature. Further, we analyze the features involved in those techniques. By using a case study, we identify features that can survive the compilation process. Finally, we analyze existing works on binary authorship attribution and study their applicability to real malware binaries.

UR - http://www.scopus.com/inward/record.url?scp=85009471649&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85009471649&partnerID=8YFLogxK

U2 - 10.1007/978-3-319-51966-1_17

DO - 10.1007/978-3-319-51966-1_17

M3 - Conference contribution

AN - SCOPUS:85009471649

SN - 9783319519654

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 256

EP - 272

BT - Foundations and Practice of Security - 9th International Symposium, FPS 2016, Revised Selected Papers

A2 - Garcia-Alfaro, Joaquin

A2 - Cuppens, Frederic

A2 - Cuppens-Boulahia, Nora

A2 - Wang, Lingyu

A2 - Tawbi, Nadia

PB - Springer Verlag

T2 - 9th International Symposium on Foundations and Practice of Security, FPS 2016

Y2 - 24 October 2016 through 26 October 2016

ER -

On the feasibility of malware authorship attribution

Abstract

Publication series

Conference

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this