A Brief Introduction

Growing numbers of advanced malware-based attacks against governments and corporations, for political, financial and scientific gain, have taken security breaches to the next level. In response to such attacks, both academia and industry have investigated techniques to model and reconstruct these attacks and to defend against them. While such efforts have all been useful in mitigating the effects of modern attacks, automated inspection of code reuse in malware and campaign attribution have received less attention. We have developed an automated system, called SCRUTINIZER, that identifies code reuse in malware via a novel machine learning-based encoding of binaries at the function level. By building a large knowledge base of previously observed and tagged malware campaigns, we can compare an unknown sample against this knowledge base and measure how much of its code overlaps with each campaign. SCRUTINIZER uses an unsupervised learning approach to filter out irrelevant functions (those that are common to both malware and benign software) before code reuse detection, so that shared library and runtime code does not inflate the similarity. It provides two valuable capabilities. First, it identifies ties between an unknown sample and malware specimens known to be used by a specific campaign. Second, it inspects whether specific tools or functionalities are used by a campaign.


Contributions

  • An automated tool to detect code reuse in advanced malware
  • A filtering mechanism to identify and discard irrelevant functions (i.e., those functions that are common in both malware and benign samples) before similarity analysis
  • A system to automatically assign unknown binaries to previously known APT campaigns
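The pipeline sketched in the introduction and in the three contributions above, as an added toy example in Python. This is not SCRUTINIZER's code: function fingerprints are plain strings standing in for the learned, decompilation-based function encodings, the noise filter is a simple shared-frequency rule standing in for the paper's unsupervised filtering step, and the benign corpus, the campaign knowledge base and the unknown samples are all constructed for illustration.

```python
"""Toy reconstruction of function-level code-reuse attribution.
Added example, NOT SCRUTINIZER's code: fingerprints are plain strings
standing in for learned function encodings, and the filter is a frequency
rule standing in for the unsupervised filtering step. All data is constructed."""

from collections import Counter

# Constructed benign corpus: the set of function fingerprints found in each
# clean binary (names chosen for readability only).
BENIGN_SAMPLES = [
    {"crt_startup", "strlen", "memcpy", "fmt_print"},
    {"crt_startup", "strlen", "memcpy", "gui_loop"},
    {"crt_startup", "strlen", "sort", "fmt_print"},
]

# Constructed knowledge base: previously analysed samples tagged by campaign.
KNOWLEDGE_BASE = {
    "APT-A": [
        {"crt_startup", "strlen", "memcpy", "xor_cfg_decode", "http_beacon", "keylog_hook"},
        {"crt_startup", "strlen", "xor_cfg_decode", "http_beacon", "screenshot"},
    ],
    "APT-B": [
        {"crt_startup", "memcpy", "rc4_stream", "dns_tunnel", "ntfs_ads_hide"},
        {"crt_startup", "strlen", "rc4_stream", "dns_tunnel", "proc_hollow"},
    ],
}


def common_functions(malware_samples, benign_samples, min_share=0.5):
    """Fingerprints present in at least `min_share` of the malware samples AND
    in at least `min_share` of the benign samples: runtime/library code that
    carries no campaign signal and is discarded before similarity analysis."""
    mal_freq = Counter(f for s in malware_samples for f in s)
    ben_freq = Counter(f for s in benign_samples for f in s)
    n_mal, n_ben = len(malware_samples), len(benign_samples)
    return {
        f for f, n in mal_freq.items()
        if n / n_mal >= min_share and ben_freq.get(f, 0) / n_ben >= min_share
    }


def build_profiles(knowledge_base, noise):
    """Per-campaign union of fingerprints with the noise set removed."""
    return {c: set().union(*samples) - noise for c, samples in knowledge_base.items()}


def attribute(sample, profiles, noise):
    """Score every campaign by the fraction of the sample's *relevant* functions
    (noise removed) that reuse code already tagged to that campaign.
    Returns [(campaign, score), ...] best-first, or [] if nothing relevant is left."""
    relevant = sample - noise
    if not relevant:
        return []
    scores = {c: len(relevant & p) / len(relevant) for c, p in profiles.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def best_match(sample, profiles, noise, min_score=0.5):
    """Campaign name when the top score clears `min_score`, else None."""
    ranked = attribute(sample, profiles, noise)
    if ranked and ranked[0][1] >= min_score:
        return ranked[0][0]
    return None


def campaign_uses(profiles, campaign, functionality):
    """Second capability: does a campaign's reuse profile contain every
    fingerprint that makes up a given tool or functionality?"""
    return functionality <= profiles[campaign]


if __name__ == "__main__":
    all_malware = [s for samples in KNOWLEDGE_BASE.values() for s in samples]
    noise = common_functions(all_malware, BENIGN_SAMPLES)
    profiles = build_profiles(KNOWLEDGE_BASE, noise)
    # Constructed unknown sample: shares two non-trivial functions with APT-A.
    unknown = {"crt_startup", "strlen", "xor_cfg_decode", "http_beacon", "new_dropper"}
    print("noise:", sorted(noise))
    print("ranked:", attribute(unknown, profiles, noise))
    print("best match:", best_match(unknown, profiles, noise))
    print("APT-A uses HTTP beacon + keylogger:",
          campaign_uses(profiles, "APT-A", {"http_beacon", "keylog_hook"}))
```

The score is the fraction of a sample's non-noise functions already seen in a campaign's profile. The reason the filter runs first is visible when a sample made only of CRT and string helpers is scored: without the noise set it matches every campaign perfectly, with it there is nothing left to compare and no attribution is made. The real system works on decompiled function bodies and a learned encoding rather than exact string matches, which this toy omits.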


Publications

SCRUTINIZER: Detecting Code Reuse in Malware via Decompilation and Machine Learning
O. Mirzaei, R. Vasilenko, E. Kirda, L. Lu, A. Kharraz
International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA), Online (July 2021) [PDF] [BibTex] [Slides]


Source Codes and Relevant Data

Please read the access instructions in my GitHub profile here.


News and Updates

SCRUTINIZER updates are accessible either from my Twitter account or from my news archive.