sponsors
usenix conference policies
FuncTracker: Discovering Shared Code to Aid Malware Forensics
Charles LeDoux, Arun Lakhotia, Craig Miles, and Vivek Notani, University of Louisiana at Lafayette; Avi Pfeffer, Charles River Analytics
Malware code has forensic value, as evident from recent studies drawing relationships between creators of Duqu and Stuxnet through similarity of their code. We present FuncTracker, a system developed on top of Palantir, to discover, visualize, and explore relationships between malware code, with the intent of drawing connections over very large corpi of malware – millions of binaries consisting of terabytes of data. To address such scale we forego the classic data-mining methods requiring pairwise comparison of feature vectors, and instead represent a malware as a set of hashes over carefully selected features. To ensure that a hash match implies a strong match we represent individual functions using hashes of semantic features, in lieu of syntact features commonly used in the literature. A graph representing a collection of malware is formed by function hashes representing nodes, making it possible to explore the collection using classic graph operations supported by Palantir. By annotating the nodes with additional information, such as the location and time where the malware was discovered, one can use the relationship within malware to make connections between otherwise unrelated clues.
Open Access Media
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
author = {Charles LeDoux and Arun Lakhotia and Craig Miles and Vivek Notani and Avi Pfeffer},
title = {{FuncTracker}: Discovering Shared Code to Aid Malware Forensics},
booktitle = {6th USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET 13)},
year = {2013},
address = {Washington, D.C.},
url = {https://www.usenix.org/conference/leet13/workshop-program/presentation/ledoux},
publisher = {USENIX Association},
month = aug
}
connect with us