sesa 18: e1

Research Article

Binary Code Similarity Detection through LSTM and Siamese Neural Network

Download83 downloads
  • @ARTICLE{10.4108/eai.14-9-2021.170956,
        author={Zhengping Luo and Tao Hou and Xiangrong Zhou and Hui Zeng and Zhuo Lu},
        title={Binary Code Similarity Detection through LSTM and Siamese Neural Network},
        journal={EAI Endorsed Transactions on Security and Safety: Online First},
        volume={},
        number={},
        publisher={EAI},
        journal_a={SESA},
        year={2021},
        month={9},
        keywords={Malware detection, binary analysis, LSTM, Siamese Neural Network, similarity detection},
        doi={10.4108/eai.14-9-2021.170956}
    }
    
  • Zhengping Luo
    Tao Hou
    Xiangrong Zhou
    Hui Zeng
    Zhuo Lu
    Year: 2021
    Binary Code Similarity Detection through LSTM and Siamese Neural Network
    SESA
    EAI
    DOI: 10.4108/eai.14-9-2021.170956
Zhengping Luo1,*, Tao Hou2, Xiangrong Zhou3, Hui Zeng3, Zhuo Lu2
  • 1: Department of Computer Science & Physics, Rider University, Lawrenceville, NJ 08648, USA
  • 2: Computer Science Engineering and Electrical Engineering, University of South Florida, Tampa FL 33620, USA
  • 3: Intelligent Automation Inc., Rockville MD 20855, USA
*Contact email: zhengpingluo@mail.usf.edu

Abstract

Given the fact that many software projects are closed-source, analyzing security-related vulnerabilities at the binary level is quintessential to protect computer systems from attacks of malware. Binary code similarity detection is a potential solution for detecting malware from the binaries generated by the processor. In this paper, we proposed a malware detection mechanism based on the binaries using machine learning techniques. Through utilizing the Recurrent Neural Network (RNN), more specifically Long Short-Term Memory (LSTM) network, we generate the uniformed feature embedding of each binary file and further take advantage of the Siamese Neural Network to compute the similarity measure of the extracted features. Therefore, the security risks of the software projects can be evaluated through the similarity measure of the corresponding binaries with existing trained malware. Our real-world experimental results demonstrate a convincing performance in distinguishing out the outliers, and achieved slightly better performance compared with existing state-of-the-art methods.