# On the Feasibility of Malware Authorship Attribution

**Authors:** Saed Alrabaee, Paria Shirani, Mourad Debbabi, and Lingyu Wang

arXiv: 1701.02711 · 2017-01-11

## TL;DR

This paper reviews the current state of malware authorship attribution, analyzes features that survive compilation, and evaluates the applicability of existing techniques to real malware binaries.

## Contribution

The paper provides a comprehensive review of the literature, analyzes which features are useful for binary authorship attribution, and assesses the feasibility of applying existing methods to real malware samples.

## Key findings

- Certain stylistic features can survive compilation
- Existing techniques have limited applicability to real malware
- Feature analysis helps identify viable attribution methods

## Abstract

There are many occasions in which the security community is interested in discovering the authorship of malware binaries, either for digital forensic analysis of malware corpora or for thwarting live malware threats. Such attribution might be possible because of stylistic features inherent to software written by human programmers. Existing studies of authorship attribution for general-purpose software mainly focus on source code, relying on features derived from programming style and development environment. However, those features critically depend on the availability of the program source code, which is usually not the case when dealing with malware binaries. Such binaries often do not retain many semantic or stylistic features, because the compilation process discards them. Therefore, authorship attribution of malware binaries must rely on features and styles that survive compilation, which is challenging. This paper surveys the state of the art in this literature. Further, we analyze the features used by those techniques. Through a case study, we identify features that can survive the compilation process. Finally, we analyze existing work on binary authorship attribution and study its applicability to real malware binaries.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1701.02711/full.md

## Figures

5 figures with captions in the complete paper: https://tomesphere.com/paper/1701.02711/full.md

## References

42 references — full list in the complete paper: https://tomesphere.com/paper/1701.02711/full.md

---
Source: https://tomesphere.com/paper/1701.02711