Title | FALKE-MC: A Neural Network Based Approach to Locate Cryptographic Functions in Machine Code |
Publication Type | Conference Paper |
Year of Publication | 2018 |
Authors | Aigner, Alexander |
Conference Name | Proceedings of the 13th International Conference on Availability, Reliability and Security |
Publisher | ACM |
Conference Location | New York, NY, USA |
ISBN Number | 978-1-4503-6448-5 |
Keywords | Binary Analysis, composability, cryptography, expandability, feature extraction, Function Detection, Neural networks, pubcrawl, Resiliency |
Abstract | The localization and classification of cryptographic functions in binary files is a growing challenge in information security, not least because of the increasing use of such functions in malware. Nevertheless, it is still a time-consuming and laborious task. Some of the most commonly used techniques are based on dynamic methods, signatures or manual reverse engineering. In this paper we present FALKE-MC, a novel framework that creates classifiers for arbitrary cryptographic algorithms from sample binaries. It processes multiple file formats and architectures and is easily expandable due to its modular design. Functions are automatically detected and features as well as constants are extracted. They are used to train a neural network, which can then be applied to classify functions in unknown binary files. The framework is fully automated, from the input of binary files and the creation of a classifier through to the output of classification results. In addition to that, it can deal with class imbalance between cryptographic and non-cryptographic samples during training. Our evaluation shows that this approach offers a high detection rate in combination with a low false positive rate. We are confident that FALKE-MC can accelerate the localization and classification of cryptographic functions in practice. |
URL | http://doi.acm.org/10.1145/3230833.3230858 |
DOI | 10.1145/3230833.3230858 |
Citation Key | aigner_falke-mc:_2018 |