TY - GEN
T1 - On the feasibility of malware authorship attribution
AU - Alrabaee, Saed
AU - Shirani, Paria
AU - Debbabi, Mourad
AU - Wang, Lingyu
N1 - Publisher Copyright:
© Springer International Publishing AG 2017.
PY - 2017
Y1 - 2017
N2 - There are many occasions in which the security community is interested in discovering the authorship of malware binaries, either for digital forensics analysis of malware corpora or for thwarting live threats of malware invasion. Such a discovery of authorship might be possible due to stylistic features inherent to software code written by human programmers. Existing studies of authorship attribution for general-purpose software mainly focus on source code and are typically based on the style of the programs and the development environment. However, those features critically depend on the availability of the program source code, which is usually not the case when dealing with malware binaries. Such program binaries often do not retain many semantic or stylistic features because of the compilation process. Therefore, authorship attribution in the domain of malware binaries, based on features and styles that survive the compilation process, is challenging. This paper surveys the state of the art in this literature. Further, we analyze the features involved in those techniques. By means of a case study, we identify features that can survive the compilation process. Finally, we analyze existing works on binary authorship attribution and study their applicability to real malware binaries.
UR - http://www.scopus.com/inward/record.url?scp=85009471649&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85009471649&partnerID=8YFLogxK
U2 - 10.1007/978-3-319-51966-1_17
DO - 10.1007/978-3-319-51966-1_17
M3 - Conference contribution
AN - SCOPUS:85009471649
SN - 9783319519654
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 256
EP - 272
BT - Foundations and Practice of Security - 9th International Symposium, FPS 2016, Revised Selected Papers
A2 - Garcia-Alfaro, Joaquin
A2 - Cuppens, Frederic
A2 - Cuppens-Boulahia, Nora
A2 - Wang, Lingyu
A2 - Tawbi, Nadia
PB - Springer Verlag
T2 - 9th International Symposium on Foundations and Practice of Security, FPS 2016
Y2 - 24 October 2016 through 26 October 2016
ER -