Obfuscation Resilient Search through Executable Classification

TL;DR

This paper introduces Macneto, a deep learning-based method for searching obfuscated executables that remains effective despite structural modifications, aiding malware detection and intellectual property protection.

Contribution

Macneto is a novel approach that leverages deep learning and instruction analysis to perform obfuscation-resilient executable search without relying on structural landmarks.

Findings

High search precision against state-of-the-art obfuscators

Effective in identifying relevant executables despite control flow modifications

Assists developers in understanding obfuscated code by inferring keywords

Abstract

Android applications are usually obfuscated before release, making it difficult to analyze them for malware presence or intellectual property violations. Obfuscators might hide the true intent of code by renaming variables and/or modifying program structures. It is challenging to search for executables relevant to an obfuscated application for developers to analyze efficiently. Prior approaches toward obfuscation resilient search have relied on certain structural parts of apps remaining as landmarks, un-touched by obfuscation. For instance, some prior approaches have assumed that the structural relationships between identifiers are not broken by obfuscators; others have assumed that control flow graphs maintain their structures. Both approaches can be easily defeated by a motivated obfuscator. We present a new approach,Macneto, to search for programs relevant to obfuscated executables leveraging deep learning and principal components on instructions. Macneto makes few assumptions about the kinds of modifications that an obfuscator might perform. We show that it has high search precision for executables obfuscated by a state-of-the-art obfuscator that changes control flow. Further, we also demonstrate the potential of Macneto to help developers understand executables, where Macneto infers keywords (which are from the relevant unobfuscated program) for obfuscated executables.