Hao Wang,Wenjie Qu,Gilad Katz,Wenyu Zhu,Zeyu Gao,Han Qiu,Jianwei Zhuge,Chao Zhang

DOI: https://doi.org/10.1145/3533767.3534367

2022-01-01

Abstract:Binary code similarity detection (BCSD) has important applications in various fields such as vulnerabilities detection, software component analysis, and reverse engineering. Recent studies have shown that deep neural networks (DNNs) can comprehend instructions or control-flow graphs (CFG) of binary code and support BCSD. In this study, we propose a novel Transformer-based approach, namely jTrans, to learn representations of binary code. It is the first solution that embeds control flow information of binary code into Transformer-based language models, by using a novel jump-aware representation of the analyzed binaries and a newly-designed pre-training task. Additionally, we release to the community a newly-created large dataset of binaries, BinaryCorp, which is the most diverse to date. Evaluation results show that jTrans outperforms state-of-the-art (SOTA) approaches on this more challenging dataset by 30.5% (i.e., from 32.0% to 62.5%). In a real-world task of known vulnerability searching, jTrans achieves a recall that is 2X higher than existing SOTA baselines.

Wenyu Zhu,Hao Wang,Yuchen Zhou,Jiaming Wang,Zihan Sha,Zeyu Gao,Chao Zhang

2023-08-24

Abstract:Binary Code Embedding (BCE) has important applications in various reverse engineering tasks such as binary code similarity detection, type recovery, control-flow recovery and data-flow analysis. Recent studies have shown that the Transformer model can comprehend the semantics of binary code to support downstream tasks. However, existing models overlooked the prior knowledge of assembly language. In this paper, we propose a novel Transformer-based approach, namely kTrans, to generate knowledge-aware binary code embedding. By feeding explicit knowledge as additional inputs to the Transformer, and fusing implicit knowledge with a novel pre-training task, kTrans provides a new perspective to incorporating domain knowledge into a Transformer framework. We inspect the generated embeddings with outlier detection and visualization, and also apply kTrans to 3 downstream tasks: Binary Code Similarity Detection (BCSD), Function Type Recovery (FTR) and Indirect Call Recognition (ICR). Evaluation results show that kTrans can generate high-quality binary code embeddings, and outperforms state-of-the-art (SOTA) approaches on downstream tasks by 5.2%, 6.8%, and 12.6% respectively. kTrans is publicly available at: <a class="link-external link-https" href="https://github.com/Learner0x5a/kTrans-release" rel="external noopener nofollow">this https URL</a>

Software Engineering,Artificial Intelligence,Cryptography and Security

Chensen Huang,Guibo Zhu,Guojing Ge,Taihao Li,Jinqiao Wang

DOI: https://doi.org/10.48550/arXiv.2306.14168

2023-06-25

Abstract:Binary code similarity detection (BCSD) has various applications, including but not limited to vulnerability detection, plagiarism detection, and malware detection. Previous research efforts mainly focus on transforming binary code to assembly code strings using reverse compilation and then using pre-trained deep learning models with large parameters to obtain feature representation vector of binary code. While these models have proven to be effective in representing binary code, their large parameter size leads to considerable computational expenses during both training and inference. In this paper, we present a lightweight neural network, called FastBCSD, that employs a dynamic instruction vector encoding method and takes only assembly code as input feature to achieve comparable accuracy to the pre-training models while reducing the computational resources and time cost. On the BinaryCorp dataset, our method achieves a similar average MRR score to the state-of-the-art pre-training-based method (jTrans), while on the BinaryCorp 3M dataset, our method even outperforms the latest technology by 0.01. Notably, FastBCSD has a much smaller parameter size (13.4M) compared to jTrans (87.88M), and its latency time is 1/5 of jTrans on NVIDIA GTX 1080Ti.

Cryptography and Security

Guangming Liu,Xin Zhou,Jianmin Pang,Feng Yue,Wenfu Liu,Junchao Wang

DOI: https://doi.org/10.3390/electronics12071722

IF: 2.9

2023-04-05

Electronics

Abstract:Binary code similarity detection is used to calculate the code similarity of a pair of binary functions or files, through a certain calculation method and judgment method. It is a fundamental task in the field of computer binary security. Traditional methods of similarity detection usually use graph matching algorithms, but these methods have poor performance and unsatisfactory effects. Recently, graph neural networks have become an effective method for analyzing graph embeddings in natural language processing. Although these methods are effective, the existing methods still do not sufficiently learn the information of the binary code. To solve this problem, we propose Codeformer, an iterative model of a graph neural network (GNN)-nested Transformer. The model uses a Transformer to obtain an embedding vector of the basic block and uses the GNN to update the embedding vector of each basic block of the control flow graph (CFG). Codeformer iteratively executes basic block embedding to learn abundant global information and finally uses the GNN to aggregate all the basic blocks of a function. We conducted experiments on the OpenSSL, Clamav and Curl datasets. The evaluation results show that our method outperforms the state-of-the-art models.

engineering, electrical & electronic,computer science, information systems,physics, applied

Shuai Jiang,Cai Fu,Shuai He,Jianqiang Lv,Lansheng Han,Hong Hu

DOI: https://doi.org/10.1109/tse.2024.3411072

2024-01-01

Abstract:Binary Code Similarity Detection (BCSD) is a fundamental binary analysis technique in the area of software security. Recently, advanced deep learning algorithms are integrated into BCSD platforms to achieve superior performance on well-known benchmarks. However, real-world large programs embed more complex diversities due to different compilers, various optimization levels, multiple architectures and even obfuscations. Existing BCSD solutions suffer from low accuracy issues in such complicated real-world application scenarios. In this paper, we propose BinCola, a novel Transformer-based dual diversity-sensitive contrastive learning framework that comprehensively considers the diversity of compiler options and candidate functions in the real-world application scenarios and employs the attention mechanism to fuse multi-granularity function features for enhancing generality and scalability. BinCola simultaneously compares multiple candidate functions across various compilation option scenarios to learn the differences caused by distinct compiler options and different candidate functions. We evaluate BinCola&#x0027;s performance in a variety of ways, including binary similarity detection and real-world vulnerability search in multiple application scenarios. The results demonstrate that BinCola achieves superior performance compared to state-of-the-art (SOTA) methods, with improvements of 2.80%, 33.62%, 22.41%, and 34.25% in cross-architecture, cross-optimization level, cross-compiler, and cross-obfuscation scenarios, respectively.

Xiuwei Shang,Li Hu,Shaoyin Cheng,Guoqiang Chen,Benlong Wu,Weiming Zhang,Nenghai Yu

2024-10-24

Abstract:Binary Code Similarity Detection (BCSD) plays a crucial role in numerous fields, including vulnerability detection, malware analysis, and code reuse identification. As IoT devices proliferate and rapidly evolve, their highly heterogeneous hardware architectures and complex compilation settings, coupled with the demand for large-scale function retrieval in practical applications, put forward higher requirements for BCSD methods. In this paper, we propose IRBinDiff, which mitigates compilation differences by leveraging LLVM-IR with higher-level semantic abstraction, and integrates a pre-trained language model with a graph neural network to capture both semantic and structural information from different perspectives. By introducing momentum contrastive learning, it effectively enhances retrieval capabilities in large-scale candidate function sets, distinguishing between subtle function similarities and differences. Our extensive experiments, conducted under varied compilation settings, demonstrate that IRBinDiff outperforms other leading BCSD methods in both One-to-one comparison and One-to-many search scenarios.

Software Engineering

Iftakhar Ahmad,Lannan Luo

2024-04-30

Abstract:Binary code analysis has immense importance in the research domain of software security. Today, software is very often compiled for various Instruction Set Architectures (ISAs). As a result, cross-architecture binary code analysis has become an emerging problem. Recently, deep learning-based binary analysis has shown promising success. It is widely known that training a deep learning model requires a massive amount of data. However, for some low-resource ISAs, an adequate amount of data is hard to find, preventing deep learning from being widely adopted for binary analysis. To overcome the data scarcity problem and facilitate cross-architecture binary code analysis, we propose to apply the ideas and techniques in Neural Machine Translation (NMT) to binary code analysis. Our insight is that a binary, after disassembly, is represented in some assembly language. Given a binary in a low-resource ISA, we translate it to a binary in a high-resource ISA (e.g., x86). Then we can use a model that has been trained on the high-resource ISA to test the translated binary. We have implemented the model called UNSUPERBINTRANS, and conducted experiments to evaluate its performance. Specifically, we conducted two downstream tasks, including code similarity detection and vulnerability discovery. In both tasks, we achieved high accuracies.

Software Engineering,Cryptography and Security

Bingchang Liu,Wei Huo,Chao Zhang,Wenchao Li,Feng Li,Aihua Piao,Wei Zou

DOI: https://doi.org/10.1145/3238147.3238199

2018-01-01

Abstract:Binary code similarity detection (BCSD) has many applications, including patch analysis, plagiarism detection, malware detection, and vulnerability search etc. Existing solutions usually perform comparisons over specific syntactic features extracted from binary code, based on expert knowledge. They have either high performance overheads or low detection accuracy. Moreover, few solutions are suitable for detecting similarities between cross-version binaries, which may not only diverge in syntactic structures but also diverge slightly in semantics. In this paper, we propose a solution α Diff, employing three semantic features, to address the cross-version BCSD challenge. It first extracts the intra-function feature of each binary function using a deep neural network (DNN). The DNN works directly on raw bytes of each function, rather than features (e.g., syntactic structures) provided by experts. α Diff further analyzes the function call graph of each binary, which are relatively stable in cross-version binaries, and extracts the inter-function and inter-module features. Then, a distance is computed based on these three features and used for BCSD. We have implemented a prototype of α Diff, and evaluated it on a dataset with about 2.5 million samples. The result shows that α Diff outperforms state-of-the-art static solutions by over 10 percentages on average in different BCSD settings.

Zhenhao Luo,Pengfei Wang,Wei Xie,Xu Zhou,Baosheng Wang

DOI: https://doi.org/10.3390/s23187789

2023-09-11

Abstract:Binary code similarity detection (BCSD) plays a crucial role in various computer security applications, including vulnerability detection, malware detection, and software component analysis. With the development of the Internet of Things (IoT), there are many binaries from different instruction architecture sets, which require BCSD approaches robust against different architectures. In this study, we propose a novel IoT-oriented binary code similarity detection approach. Our approach leverages a customized transformer-based language model with disentangled attention to capture relative position information. To mitigate out-of-vocabulary (OOV) challenges in the language model, we introduce a base-token prediction pre-training task aimed at capturing basic semantics for unseen tokens. During function embedding generation, we integrate directed jumps, data dependency, and address adjacency to capture multiple block relations. We then assign different weights to different relations and use multi-layer Graph Convolutional Networks (GCN) to generate function embeddings. We implemented the prototype of IoTSim. Our experimental results show that our proposed block relation matrix improves IoTSim with large margins. With a pool size of 103, IoTSim achieves a recall@1 of 0.903 across architectures, outperforming the state-of-the-art approaches Trex, SAFE, and PalmTree.

Bingchang Liu,Wei Huo,Chao Zhang,Wenchao Li,Feng Li,Aihua Piao,Wei Zou

DOI: https://doi.org/10.1145/3238147.3238199

IF: 1.677

2018-01-01

Automated Software Engineering

Abstract:Binary code similarity detection (BCSD) has many applications, including patch analysis, plagiarism detection, malware detection, and vulnerability search etc. Existing solutions usually perform comparisons over specific syntactic features extracted from binary code, based on expert knowledge. They have either high performance overheads or low detection accuracy. Moreover, few solutions are suitable for detecting similarities between cross-version binaries, which may not only diverge in syntactic structures but also diverge slightly in semantics. In this paper, we propose a solution $\\alpha$ Diff, employing three semantic features, to address the cross-version BCSD challenge. It first extracts the intra-function feature of each binary function using a deep neural network (DNN). The DNN works directly on raw bytes of each function, rather than features (e.g., syntactic structures) provided by experts. $\\alpha$ Diff further analyzes the function call graph of each binary, which are relatively stable in cross-version binaries, and extracts the inter-function and inter-module features. Then, a distance is computed based on these three features and used for BCSD. We have implemented a prototype of $\\alpha$ Diff, and evaluated it on a dataset with about 2.5 million samples. The result shows that $\\alpha$ Diff outperforms state-of-the-art static solutions by over 10 percentages on average in different BCSD settings.

Hao Wang,Zeyu Gao,Chao Zhang,Mingyang Sun,Yuchen Zhou,Han Qiu,Xi Xiao

2024-02-29

Abstract:Binary code similarity detection (BCSD) is a fundamental technique for various application. Many BCSD solutions have been proposed recently, which mostly are embedding-based, but have shown limited accuracy and efficiency especially when the volume of target binaries to search is large. To address this issue, we propose a cost-effective BCSD framework, CEBin, which fuses embedding-based and comparison-based approaches to significantly improve accuracy while minimizing overheads. Specifically, CEBin utilizes a refined embedding-based approach to extract features of target code, which efficiently narrows down the scope of candidate similar code and boosts performance. Then, it utilizes a comparison-based approach that performs a pairwise comparison on the candidates to capture more nuanced and complex relationships, which greatly improves the accuracy of similarity detection. By bridging the gap between embedding-based and comparison-based approaches, CEBin is able to provide an effective and efficient solution for detecting similar code (including vulnerable ones) in large-scale software ecosystems. Experimental results on three well-known datasets demonstrate the superiority of CEBin over existing state-of-the-art (SOTA) baselines. To further evaluate the usefulness of BCSD in real world, we construct a large-scale benchmark of vulnerability, offering the first precise evaluation scheme to assess BCSD methods for the 1-day vulnerability detection task. CEBin could identify the similar function from millions of candidate functions in just a few seconds and achieves an impressive recall rate of $85.46\%$ on this more practical but challenging task, which are several order of magnitudes faster and $4.07\times$ better than the best SOTA baseline. Our code is available at

Software Engineering,Cryptography and Security

Sungmin Han,Miju Kim,Jaesik Kang,Kwangsoo Kim,Seungwoon Lee,Sangkyun Lee

DOI: https://doi.org/10.1109/access.2024.3474857

IF: 3.9

2024-10-19

IEEE Access

Abstract:The growing complexity and volume of modern software have led to an increase in source code vulnerabilities, posing significant security risks. In response, deep learning-based automated source code vulnerability detection methods, particularly those utilizing source code similarity analysis, have recently emerged as promising solutions. However, existing similarity-based source code vulnerability detection methods frequently fail to fully utilize information from the hierarchical structure of source code and are often computationally expensive, limiting their practicality in real-world scenarios. In this paper, we introduce XTransformer, a novel deep learning-based source code vulnerability detector tailored for comparing target source code against archived vulnerable codes across various levels of the source code's hierarchical structure by leveraging extra cross-attention imposed on the transformer architecture. Additionally, we propose a specialized training strategy based on supervised contrastive learning to improve XTransformer's ability to effectively learn and differentiate between vulnerable and non-vulnerable source codes. Comprehensive experiments demonstrate that XTransformer outperforms current state-of-the-art methods across different datasets and code lengths while significantly reducing the inference time compared to other similarity-based methods that utilize hierarchical information from source code.

computer science, information systems,telecommunications,engineering, electrical & electronic

Zian Su,Xiangzhe Xu,Ziyang Huang,Kaiyuan Zhang,Xiangyu Zhang

2024-10-31

Abstract:Human-Oriented Binary Reverse Engineering (HOBRE) lies at the intersection of binary and source code, aiming to lift binary code to human-readable content relevant to source code, thereby bridging the binary-source semantic gap. Recent advancements in uni-modal code model pre-training, particularly in generative Source Code Foundation Models (SCFMs) and binary understanding models, have laid the groundwork for transfer learning applicable to HOBRE. However, existing approaches for HOBRE rely heavily on uni-modal models like SCFMs for supervised fine-tuning or general LLMs for prompting, resulting in sub-optimal performance. Inspired by recent progress in large multi-modal models, we propose that it is possible to harness the strengths of uni-modal code models from both sides to bridge the semantic gap effectively. In this paper, we introduce a novel probe-and-recover framework that incorporates a binary-source encoder-decoder model and black-box LLMs for binary analysis. Our approach leverages the pre-trained knowledge within SCFMs to synthesize relevant, symbol-rich code fragments as context. This additional context enables black-box LLMs to enhance recovery accuracy. We demonstrate significant improvements in zero-shot binary summarization and binary function name recovery, with a 10.3% relative gain in CHRF and a 16.7% relative gain in a GPT4-based metric for summarization, as well as a 6.7% and 7.4% absolute increase in token-level precision and recall for name recovery, respectively. These results highlight the effectiveness of our approach in automating and improving binary code analysis.

Software Engineering,Artificial Intelligence

Yuhao Jia,Zhicheng Yu,Zhen Hong

DOI: https://doi.org/10.1371/journal.pone.0305299

IF: 3.7

2024-06-12

PLoS ONE

Abstract:Binary code similarity detection plays a crucial role in various applications within binary security, including vulnerability detection, malicious software analysis, etc. However, existing methods suffer from limited differentiation in binary embedding representations across different compilation environments, lacking dynamic high-level semantics. Moreover, current approaches often neglect multi-level semantic feature extraction, thereby failing to acquire precise semantic information about the binary code. To address these limitations, this paper introduces a novel detection solution called BinBcla. This method employs an enhanced pre-training model to generate instruction embeddings with dynamic semantics for binary functions. Subsequently, multi-feature fusion technique is utilized to extract local semantic information and long-distance global features from the code, respectively, employing self-attention to comprehend the structure information of the code. Finally, an improved cosine similarity method is employed to learn relationships among all elements of the distance vectors, thereby enhancing the model's robustness to new sample functions. Experiments are conducted across different architectures, compilers, and optimization levels. The results indicate that BinBcla achieves higher accuracy, precision and F1 score compared to existing methods.

multidisciplinary sciences

Zihan Sha,Chao Zhang,Hao Wang,Zeyu Gao,Bolun Zhang,Yang Lan,Hui Shu

DOI: https://doi.org/10.1007/s10664-024-10593-y

IF: 3.762

2024-11-28

Empirical Software Engineering

Abstract:Pre-trained models have witnessed significant progress in nature language (including source code) and binary code comprehension. However, none of them are suitable for binary functionality classification (BFC). In this paper, we present the first pre-trained model-based solution to BFC, namely PromeTrans , by fusing the knowledge of pre-trained models. Specifically, it overcomes the token size limitation of pre-trained models with a novel function outlining scheme and utilizes existing pre-trained assembly language models (AsmLMs) to generate embeddings for binary functions. Then, it utilizes a Graph Attention Network (GAT) to aggregate function embeddings following the call graph into a functionality embedding for each function. Lastly, it leverages existing pre-trained large natural language models (LLMs, e.g., GPT-3.5) to classify the functionality of source code functions and align the labels to binary functions. Based on the functionality embedding provided by AsmLMs and GAT and the functionality label knowledge provided by LLMs, a simple multi-layer perceptron (MLP) model is trained to classify the functionality of binary functions. Our prototype PromeTrans yields state-of-the-art (SOTA) performance on various datasets and achieves low overhead. PromeTrans also exhibits exceptional results in real-world applications (e.g., malware analysis). Additionally, by analyzing PromeTrans 's training history, we confirm the quality of knowledge transferred from LLMs is high. It shows that transferring knowledge from pre-trained models has a strong potential to bootstrap binary program comprehension tasks beyond BFC.

computer science, software engineering

DOI: https://doi.org/10.1007/s44196-023-00206-9

IF: 2.259

2023-03-18

International Journal of Computational Intelligence Systems

Abstract:Binary code similarity detection (BCSD) is a task of detecting similarity of binary functions which are not available to the corresponding source code. It has been widely utilized to facilitate various kinds of crucial security analysis in software engineering. Because of the complexity of the program compilation process, identifying binary code similarity presents tough challenges. The most sensible binary similarity detector relies on a robust vector representation of binary code. However, few BCSD approaches are suitable to form vector representations for analyzing similarities between binaries, which may not only diverge in semantics but also in structures. And the existing solutions which only depend on hands-on feature engineering to form feature vectors, fail to take into consideration the relationships between instructions. To resolve these problems, we propose a novel and unified approach called DeepDual-SD that aims to combine the dual attributes (semantic and structural attribute). More specifically, DeepDual-SD consists of two branches, in which one text-based feature representation is driven by semantic attribute learning to exploit instruction semantics, another graph-based feature representation for structural attribute learning to investigate structural differences. Meanwhile deep embedding (DE) technology is utilized to map this information into low-dimensional vector representation. In addition, to get together the dual attributes, a fusion mechanism based on gate architecture is designed for learning to pay proper attention between the two attribute-aware embeddings. Experimental verifications are conducted on Openssl and Debian datasets for several tasks, including cross-compiler, cross-architecture and cross-version scenarios. The results demonstrate that our method outperforms the state-of-the-art BCSD methods in different scenarios in terms of detection accuracy.

computer science, artificial intelligence, interdisciplinary applications

Li Liu,Shen Wang,Xunzhi Jiang

DOI: https://doi.org/10.1016/j.ins.2024.121605

IF: 8.1

2024-11-06

Information Sciences

Abstract:The widespread reuse of open-source code amplifies the impact of vulnerabilities. Current vulnerability detection methods predominantly rely on binary code similarity comparisons, which involve disassembling to obtain assembly code or control flow graphs. These methods depend on specific disassembly tools and complex preprocessing, limiting their applicability and detection speed. This paper proposes UniBin, a vulnerability detection method based on the multi-layer Transformer encoder. By employing bidirectional LM, unidirectional LM, and sequence-to-sequence LM tasks on both binary and assembly code during the pre-training phase, UniBin learns richer semantic information from binary machine code, enabling efficient similarity comparison without disassembly and mitigating the limitations of disassembly. We cross-compile 55 widely used open-source C projects as datasets. After 52 hours of pre-training and 8 hours of fine-tuning, UniBin reaches an average accuracy of 98.3% in similarity detection across compilation conditions, outperforming the state-of-the-art method. For search tasks across optimization options with a pool size of 1000, the Recall@1 metric improves by 28.2% (from 67.9% to 87.1%). UniBin eliminates dependency on specific disassembly tools and improves end-to-end binary analysis speed by over 36%. In real-world vulnerability detection tasks, UniBin detects all vulnerability functions with the lowest false positive rate of 0.16%.

computer science, information systems

Ahmed Elnaggar,Wei Ding,Llion Jones,Tom Gibbs,Tamas Feher,Christoph Angerer,Silvia Severini,Florian Matthes,Burkhard Rost

2021-05-12

Abstract:Currently, a growing number of mature natural language processing applications make people's life more convenient. Such applications are built by source code - the language in software engineering. However, the applications for understanding source code language to ease the software engineering process are under-researched. Simultaneously, the transformer model, especially its combination with transfer learning, has been proven to be a powerful technique for natural language processing tasks. These breakthroughs point out a promising direction for process source code and crack software engineering tasks. This paper describes CodeTrans - an encoder-decoder transformer model for tasks in the software engineering domain, that explores the effectiveness of encoder-decoder transformer models for six software engineering tasks, including thirteen sub-tasks. Moreover, we have investigated the effect of different training strategies, including single-task learning, transfer learning, multi-task learning, and multi-task learning with fine-tuning. CodeTrans outperforms the state-of-the-art models on all the tasks. To expedite future works in the software engineering domain, we have published our pre-trained models of CodeTrans. <a class="link-external link-https" href="https://github.com/agemagician/CodeTrans" rel="external noopener nofollow">this https URL</a>

Software Engineering,Artificial Intelligence,Computation and Language,Machine Learning,Programming Languages

Bing Xia,Jianmin Pang,Xin Zhou,Zheng Shan,Junchao Wang,Feng Yue

DOI: https://doi.org/10.1038/s41598-023-42769-9

IF: 4.6

2023-09-22

Scientific Reports

Abstract:Binary code similarity analysis is widely used in the field of vulnerability search where source code may not be available to detect whether two binary functions are similar or not. Based on deep learning and natural processing techniques, several approaches have been proposed to perform cross-platform binary code similarity analysis using control flow graphs. However, existing schemes suffer from the shortcomings of large differences in instruction syntaxes across different target platforms, inability to align control flow graph nodes, and less introduction of high-level semantics of stability, which pose challenges for identifying similar computations between binary functions of different platforms generated from the same source code. We argue that extracting stable, platform-independent semantics can improve model accuracy, and a cross-platform binary function similarity comparison model N_Match is proposed. The model elevates different platform instructions to the same semantic space to shield their underlying platform instruction differences, uses graph embedding technology to learn the stability semantics of neighbors, extracts high-level knowledge of naming function to alleviate the differences brought about by cross-platform and cross-optimization levels, and combines the stable graph structure as well as the stable, platform-independent API knowledge of naming function to represent the final semantics of functions. The experimental results show that the model accuracy of N_Match outperforms the baseline model in terms of cross-platform, cross-optimization level, and industrial scenarios. In the vulnerability search experiment, N_Match significantly improves hit@N, the mAP exceeds the current graph embedding model by 66%. In addition, we also give several interesting observations from the experiments. The code and model are publicly available at https://www.github.com/CSecurityZhongYuan/Binary-Name_Match.

multidisciplinary sciences

Yan Wang,Peng Jia,Cheng Huang,Jiayong Liu,Peisong He

DOI: https://doi.org/10.1155/2021/9954520

IF: 1.968

2021-08-10

Security and Communication Networks

Abstract:Binary code similarity comparison is the technique that determines if two functions are similar by only considering their compiled form, which has many applications, including clone detection, malware classification, and vulnerability discovery. However, it is challenging to design a robust code similarity comparison engine since different compilation settings that make logically similar assembly functions appear to be very different. Moreover, existing approaches suffer from high-performance overheads, lower robustness, or poor scalability. In this paper, a novel solution HBinSim is proposed by employing the multiview features of the function to address these challenges. It first extracts the syntactic and semantic features of each basic block by static analysis. HBinSim further analyzes the function and constructs a syntactic attribute control flow graph and a semantic attribute control flow graph for each function. Then, a hierarchical attention graph embedding network is designed for graph-structured data processing. The network model has a hierarchical structure that mirrors the hierarchical structure of the function. It has three levels of attention mechanisms applied at the instruction, basic block, and function level, enabling it to attend differentially to more and less critical content when constructing the function representation. We conduct extensive experiments to evaluate its effectiveness and efficiency. The results show that our tool outperforms the state-of-the-art binary code similarity comparison tools by a large margin against compilation diversity clone searching. A real-world vulnerabilities search case further demonstrates the usefulness of our system.

computer science, information systems,telecommunications