o-glasses: Visualizing x86 Code from Binary Using a 1d-CNN
Yuhei Otsubo, Akira Otsuka, Mamoru Mimura, Takeshi Sakaki and Atsuhiro Goto

TL;DR
This paper introduces o-glasses, a 1d-CNN-based method that locates and visualizes x86 native code (shellcode) inside document and other binary files by classifying short byte fragments as code or non-code, recognizing native code fragments with high accuracy for malware analysis.
Contribution
The paper presents a novel 1d-CNN approach to x86 shellcode visualization that recognizes native code from fragments as short as 16 instructions with high accuracy, improving over existing binary fragment classification methods.
Findings
Achieves about 99.95% F-measure in recognizing x86 code
Uses a 16-instruction (48-byte) fragment size for effective visualization
Outperforms previous methods in code fragment recognition
Abstract
Malicious document files used in targeted attacks often contain a small program called shellcode. It is often hard to prepare a runnable environment for dynamic analysis of these document files because they exploit specific vulnerabilities. In these cases, it is necessary to identify the position of the shellcode in each document file in order to analyze it. If the exploit code uses executable scripts such as JavaScript or Flash, it is not so hard to locate the shellcode. On the other hand, it is sometimes almost impossible to locate the shellcode when it contains no JavaScript or Flash but consists of native x86 code only. Binary fragment classification is often applied to visualize the location of regions of interest, and shellcode must contain at least a small fragment of x86 native code even if most of it is obfuscated, such as a decoder for the obfuscated body of the shellcode.…
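The pipeline the abstract describes (slide a fixed-size fragment window over the file, score each fragment as code or non-code, and render the scores as a position map) is shown below as an added example; it is not the paper's code. The fragment size of 48 bytes follows the 16-instruction unit the page reports. The scorer is an assumption standing in for the paper's trained 1d-CNN: it simply measures the fraction of unprintable bytes that are common x86 opcodes or ModR/M bytes, which is enough to separate a decoder stub from text but is not the paper's model. The sample input is constructed: a PDF-looking text blob with a classic jmp/call/pop XOR decoder stub and its XOR-encoded body embedded in the middle, i.e. the "small fragment of native code" the abstract says every shellcode must contain.

```python
"""Fragment-level code scan of a document-like byte blob with an ASCII heat map.

Added example. The proxy scorer below stands in for the paper's 1d-CNN
(assumption); the sample document and stub are constructed for this example.
"""
from typing import List, Tuple

FRAGMENT_LEN = 48   # bytes per fragment: the paper's 16-instruction unit is ~48 bytes
STEP = 16           # stride between fragment starts (fragments overlap)
THRESHOLD = 0.10    # proxy decision boundary; assumed, not from the paper

# Stand-in feature (assumption, not the paper's model): bytes that occur often in
# x86 code (opcodes / ModR/M of call, jmp, mov, xor, loop, int, ret, ...) and are
# unprintable, so they are rare in the textual regions of a document file.
CODE_LIKE = frozenset((0x0F, 0x80, 0x81, 0x83, 0x85, 0x88, 0x89, 0x8B, 0x8D,
                       0x90, 0xC3, 0xC7, 0xC9, 0xCD, 0xE2, 0xE8, 0xE9, 0xEB, 0xFF))

Scores = List[Tuple[int, float]]


def score_fragment(frag: bytes) -> float:
    """Proxy for P(fragment is x86 code): fraction of code-like bytes in it."""
    if not frag:
        return 0.0
    return sum(1 for b in frag if b in CODE_LIKE) / len(frag)


def scan(data: bytes, frag_len: int = FRAGMENT_LEN, step: int = STEP) -> Scores:
    """Score every full fragment starting at 0, step, 2*step, ... (a tail shorter
    than frag_len is not scored on its own; earlier windows still cover it)."""
    last_start = max(len(data) - frag_len, 0)
    return [(off, score_fragment(data[off:off + frag_len]))
            for off in range(0, last_start + 1, step)]


def hot_regions(scores: Scores, frag_len: int = FRAGMENT_LEN,
                threshold: float = THRESHOLD) -> List[Tuple[int, int]]:
    """Merge overlapping above-threshold fragments into [start, end) byte ranges."""
    regions: List[Tuple[int, int]] = []
    for off, s in scores:
        if s < threshold:
            continue
        end = off + frag_len
        if regions and off <= regions[-1][1]:
            regions[-1] = (regions[-1][0], max(regions[-1][1], end))
        else:
            regions.append((off, end))
    return regions


def heat_map(scores: Scores, per_line: int = 32) -> str:
    """One glyph per fragment (darker = more code-like, saturating at 0.5);
    each row is prefixed with the byte offset of its first fragment."""
    ramp = " .:-=+*#%@"
    lines = []
    for i in range(0, len(scores), per_line):
        chunk = scores[i:i + per_line]
        glyphs = "".join(ramp[min(len(ramp) - 1, int(s * 20))] for _, s in chunk)
        lines.append(f"{chunk[0][0]:08x} |{glyphs}|")
    return "\n".join(lines)


# Constructed sample: classic 20-byte jmp/call/pop XOR decoder stub.
XOR_DECODER = bytes.fromhex(
    "eb0d"          # 00: jmp short +13   -> the call below
    "5e"            # 02: pop esi         ; esi = address of encoded body
    "31c9"          # 03: xor ecx, ecx
    "b114"          # 05: mov cl, 20      ; body length
    "8036aa"        # 07: xor byte [esi], 0xaa
    "46"            # 0a: inc esi
    "e2fa"          # 0b: loop -6         -> back to the xor
    "eb05"          # 0d: jmp short +5    -> decoded body
    "e8eeffffff"    # 0f: call -18        -> pushes body address, lands on pop esi
)
ENCODED_BODY = bytes(b ^ 0xAA for b in b"\x90" * 20)   # 20 NOPs under XOR 0xaa
HEADER = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
          b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
          b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>\nendobj\n")
TRAILER = (b"4 0 obj\n<< /Length 44 >>\nstream\nBT /F1 12 Tf 72 720 Td (Hello) Tj ET\n"
           b"endstream\nendobj\nxref\n0 5\ntrailer\n<< /Root 1 0 R /Size 5 >>\n%%EOF\n")
SAMPLE = HEADER + XOR_DECODER + ENCODED_BODY + TRAILER
STUB_OFFSET = SAMPLE.index(XOR_DECODER)

if __name__ == "__main__":
    scores = scan(SAMPLE)
    print(heat_map(scores))
    for start, end in hot_regions(scores):
        print(f"code-like region 0x{start:x}-0x{end:x} (stub actually at 0x{STUB_OFFSET:x})")
```

The proxy scorer is exactly what the paper's CNN is meant to replace: a compressed stream or an image inside a real document also has many unprintable bytes and would light up just as brightly, while the decoder stub stands out here only because its surroundings are text. Swapping `score_fragment` for a model that has learned instruction structure (the paper's 1d-CNN, or any other fragment classifier) leaves the scanning, region merging and heat-map code unchanged.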
Taxonomy
Topics: Advanced Malware Detection Techniques · Digital and Cyber Forensics · Security and Verification in Computing
