DeepReflect: Discovering malicious functionality through binary reconstruction

Evan Downing, Yisroel Mirsky, Kyuhong Park, Wenke Lee

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

23 Scopus citations

Abstract

Deep learning has continued to show promising results for malware classification. However, to identify key malicious behaviors, malware analysts are still tasked with reverse engineering unknown malware binaries using static analysis tools, which can take hours. Although machine learning can be used to help identify important parts of a binary, supervised approaches are impractical due to the expense of acquiring a sufficiently large labeled dataset. To increase the productivity of static (or manual) reverse engineering, we propose DEEPREFLECT: a tool for localizing and identifying malware components within a malicious binary. To localize malware components, we use an unsupervised deep neural network in a novel way, and classify the components through a semi-supervised cluster analysis, where analysts incrementally provide labels during their daily workflow. The tool is practical since it requires no data labeling to train the localization model, and only minimal, noninvasive labeling to train the classifier incrementally. In our evaluation with five malware analysts on over 26k malware samples, we found that DEEPREFLECT reduces the number of functions that an analyst needs to reverse engineer by 85% on average. Our approach also detects 80% of the malware components, compared to 43% when using a signature-based tool (CAPA). Furthermore, DEEPREFLECT performs better with our proposed autoencoder than with SHAP (an AI explanation tool). This is significant because SHAP, a state-of-the-art method, requires a labeled dataset and autoencoders do not.

Original language: English
Title of host publication: Proceedings of the 30th USENIX Security Symposium
Publisher: USENIX Association
Pages: 3469-3486
Number of pages: 18
ISBN (Electronic): 9781939133243
State: Published - 1 Jan 2021
Event: 30th USENIX Security Symposium, USENIX Security 2021 - Virtual, Online
Duration: 11 Aug 2021 - 13 Aug 2021

Publication series

Name: Proceedings of the 30th USENIX Security Symposium

Conference

Conference: 30th USENIX Security Symposium, USENIX Security 2021
City: Virtual, Online
Period: 11/08/21 - 13/08/21

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Information Systems
  • Safety, Risk, Reliability and Quality
