Skip to main content
SpringerLink
Log in

BinEye: Towards Efficient Binary Authorship Characterization Using Deep Learning

  • Conference paper
  • First Online:
Computer Security – ESORICS 2019 (ESORICS 2019)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11736))

Included in the following conference series:

Abstract

In this paper, we present BinEye, an innovative tool which trains a system of three convolutional neural networks to characterize the authors of program binaries based on novel sets of features. The first set of features is obtained by converting an executable binary code into a gray image; the second by transforming each executable into a series of bytecode; and the third by representing each function in terms of its opcodes. By leveraging advances in deep learning, we are then able to characterize a large set of authors. This is accomplished even without the missing features and despite the complications arising from compilation. In fact, BinEye does not require any prior knowledge of the target binary. More important, an analysis of the model provides a satisfying explanation of the results obtained: BinEye is able to auto-learn each author’s coding style and thus characterize the authors of program binaries. We evaluated BinEye on large datasets extracted from selected open-source C++ projects in GitHub, Google Code Jam events, and several programming projects, comparing it wiexperimental results demonstrate that BinEye characterizes a larger number of authors with a significantly higher accuracy (above 90%). We also employed it in the context of several case studies. When applied to Zeus and Citadel, BinEye found that this pair might be associated with common authors. For other packages, BinEye demonstrated its ability to identify the presence of multiple authors in binary code.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Alrabaee, S., Shirani, P., Wang, L., Debbabi, M.: Fossil: a resilient and efficient system for identifying foss functions in malware binaries. ACM Trans. Priv. Secur. (TOPS) 21(2), 8 (2018)

    Google Scholar 

  2. Techniqal report, Resource 207: Kaspersky Lab Research proves that Stuxnet and Flame developers are connected. http://www.kaspersky.com/about/news/virus/2012/

  3. Big Game Hunting: Nation-state malware research, BlackHat (2015). https://www.blackhat.com/docs/us-15/materials/us-15-MarquisBoire-Big-Game-Hunting-The-Peculiarities-Of-Nation-State-Malware-Research.pdf

  4. Citizen Lab. University of Toronto, Canada (2015). https://citizenlab.org/

  5. Caliskan-Islam, A., et al.: De-anonymizing programmers via code stylometry. In: USENIX (2015)

    Google Scholar 

  6. Frantzeskou, G.: Source code authorship analysis for supporting the cybercrime investigation process, pp. 470–495 (2004)

    Chapter  Google Scholar 

  7. Alrabaee, S., Saleem, N., Preda, S., Wang, L., Debbabi, M.: Oba2: an onion approach to binary code authorship attribution. Digit. Invest. 11, S94–S103 (2014)

    Article  Google Scholar 

  8. Alrabaee, S., Wang, L., Debbabi, M.: On the feasibility of binary authorship characterization. Digit. Invest. 28, S3–S11 (2019)

    Article  Google Scholar 

  9. Caliskan-Islam, A., et al.: When coding style survives compilation: de-anonymizing programmers from executable binaries, arXiv preprint arXiv:1512.08546 (2015)

  10. Rosenblum, N., Zhu, X., Miller, B.P.: Who wrote this code? Identifying the authors of program binaries. In: Atluri, V., Diaz, C. (eds.) ESORICS 2011. LNCS, vol. 6879, pp. 172–189. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23822-2_10

    Chapter  Google Scholar 

  11. Kirat, D., Nataraj, L., Vigna, G., Manjunath, B.: Sigmal: a static signal processing based malware triage. In: Proceedings of the 29th Annual Computer Security Applications Conference, pp. 89–98. ACM (2013)

    Google Scholar 

  12. Oliva, A., Torralba, A.: Modeling the shape of the scene: a holistic representation of the spatial envelope. Int. J. Comput. Vis. 42(3), 145–175 (2001)

    Article  Google Scholar 

  13. Wei, Y., et al.: HCP: a flexible CNN framework for multi-label image classification. IEEE Trans. Pattern Anal. Mach. Intell. 38(9), 1901–1907 (2016)

    Article  Google Scholar 

  14. HexRays: IDA Pro (2011). https://www.hex-rays.com/products/ida/index.shtml. Accessed Feb 2016

  15. Andriesse, D., Slowinska, A., Bos, H.: Compiler-agnostic function detection in binaries. In: IEEE Euro S&P (2017)

    Google Scholar 

  16. Farnstrom, F., Lewis, J., Elkan, C.: Scalability for clustering algorithms revisited. ACM SIGKDD Explor. Newsl. 2(1), 51–57 (2000)

    Article  Google Scholar 

  17. PEfile (2012). http://code.google.com/p/pefile/. Accessed Nov 2016

  18. Nataraj, L., Karthikeyan, S., Jacob, G., Manjunath, B.: Malware images: visualization and automatic classification. In: Proceedings of the 8th International Symposium on Visualization for Cyber Security, p. 4. ACM (2011)

    Google Scholar 

  19. Daugman, J.G.: Complete discrete 2-D gabor transforms by neural networks for image analysis and compression. IEEE Trans. Acoust. Speech Signal Process. 36(7), 1169–1179 (1988)

    Article  Google Scholar 

  20. Karbab, E.B., Debbabi, M., Derhab, A., Mouheb, D.: MalDozer: automatic framework for android malware detection using deep learning. Digit. Invest. 24, S48–S59 (2018)

    Article  Google Scholar 

  21. Huang, G., Liu, Z., Weinberger, K.Q., van der Maaten, L.: Densely connected convolutional networks, arXiv preprint arXiv:1608.06993 (2016)

  22. Kim, Y.: Convolutional neural networks for sentence classification, CoRR (2014)

    Google Scholar 

  23. Mikolov, T., Sutskever, I., et al.: Distributed representations of words and phrases and their compositionality. In: NIPS Neural Information Processing Systems (2013)

    Google Scholar 

  24. Pennington, J., Socher, R., et al.: GloVe: global vectors for word representation. In: Conference on Empirical Methods in Natural Language Processing (2014)

    Google Scholar 

  25. Hamerly, G., Elkan, C., et al.: Learning the k in k-means. In: NIPS, vol. 3, pp. 281–288 (2003)

    Google Scholar 

  26. The Scalable Native Graph Database (2015). http://neo4j.com/

  27. The Gephi plugin for nneo4j (2015). https://marketplace.gephi.org/plugin/neo4j-graph-database-support/

  28. The GitHub repository (2016). https://github.com/

  29. The Google Code Jam (2008–2015). http://code.google.com/codejam/

  30. The materials supplement for the paper. Who Wrote This Code? Identifying the Authors of Program Binaries. http://pages.cs.wisc.edu/~dnater/esorics-supp/

  31. Programmer De-anonymization from Binary Executables (2015). https://github.com/calaylin/bda

  32. Hex-Ray decompiler (2015). https://www.hex-rays.com/products/decompiler/

  33. Refactoring tool (2016). https://www.devexpress.com/Products/CodeRush/. Accessed Feb 2017

  34. C++ refactoring tools for visual studio (2016). http://www.wholetomato.com/. Accessed Feb 2016

  35. Tigress is a diversifying virtualizer/obfuscator for the C language (2016). http://tigress.cs.arizona.edu/

  36. Junod, P., Rinaldini, J., Wehrli, J., Michielin, J.: Obfuscator-LLVM: software protection for the masses. In: Proceedings of the 1st International Workshop on Software Protection, pp. 3–9. IEEE Press (2015)

    Google Scholar 

  37. Branco, R.R., Barbosa, G.N., Neto, P.D.: Scientific but not academical overview of malware anti-debugging, anti-disassembly and Anti-VM technologies (2012)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. United Arab Emirates University, Al Ain, Abu Dhabi, UAE

    Saed Alrabaee

  2. CIISE, Concordia University, Montreal, QC, Canada

    Saed Alrabaee, ElMouatez Billah Karbab, Lingyu Wang & Mourad Debbabi

Authors
  1. Saed Alrabaee
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. ElMouatez Billah Karbab
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Lingyu Wang
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Mourad Debbabi
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Saed Alrabaee .

Editor information

Editors and Affiliations

  1. NEC Corporation, Kawasaki, Japan

    Kazue Sako

  2. University of Surrey, Guildford, UK

    Steve Schneider

  3. University of Luxembourg, Esch-sur-Alzette, Luxembourg

    Peter Y. A. Ryan

Rights and permissions

Reprints and permissions

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Alrabaee, S., Karbab, E.B., Wang, L., Debbabi, M. (2019). BinEye: Towards Efficient Binary Authorship Characterization Using Deep Learning. In: Sako, K., Schneider, S., Ryan, P. (eds) Computer Security – ESORICS 2019. ESORICS 2019. Lecture Notes in Computer Science(), vol 11736. Springer, Cham. https://doi.org/10.1007/978-3-030-29962-0_3

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-29962-0_3

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-29961-3

  • Online ISBN: 978-3-030-29962-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation