Title: Function Grouping & Visualization Through Machine Learning to Aid and Automate Reverse Engineering of Malware
Authors: M. Cutshaw, Rita Foster, Jedediah Haile
Venue: 2022 Resilience Week (RWS)
Published: 2022-09-26
DOI: 10.1109/RWS55399.2022.9984035 (https://doi.org/10.1109/RWS55399.2022.9984035)
Open access: no
Citations: 0
Abstract
Modern malware analysis is stymied by its dependence on the manual components of reverse engineering, which require skilled reverse engineers to perform static analysis. Machine learning and statistical analysis allow static analysis to be augmented, common benign code in malicious samples to be detected, and similar bodies of low-level code to be grouped. In this work, four malware campaigns, along with a dataset of known benign executables, were used to test a process for grouping nearly identical functions in order to find similarities across executables and identify common code. In addition, those groups were collated to create sets of shared common code, which could be used to better understand malware sample variants.
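The abstract describes two steps: grouping nearly identical functions across executables, then collating the groups into shared-code sets so that library code seen in benign binaries can be set aside and code shared only within a campaign can be surfaced. The following is an added example, not code from the paper: it stands in for the authors' machine-learning grouping with a simpler normalise-and-hash scheme (immediates, addresses and local labels are masked so that relocated or re-keyed copies of a function collapse into one group), and it runs over a constructed toy corpus of x86-style disassembly. The corpus, the `benign/` and `campaignX/` path convention, and every function name are assumptions made for the illustration.

```python
import hashlib
import re
from collections import defaultdict

# Constructed toy corpus (not real malware): executable -> {function: disassembly lines}.
# The same routine appears at different addresses and with different constants in
# different builds; the normaliser below masks exactly those differences.
MEMCPY = ["push ebp", "mov ebp, esp", "mov ecx, [ebp+0x10]", "mov esi, [ebp+0xc]",
          "mov edi, [ebp+0x8]", "rep movsb", "pop ebp", "ret"]
CORPUS = {
    "benign/crt_app.exe": {
        "memcpy_impl": MEMCPY,
        "main": ["push ebp", "mov ebp, esp", "call sub_401200", "xor eax, eax", "pop ebp", "ret"],
    },
    "campaignA/sample1.exe": {
        "sub_401000": [ln for ln in MEMCPY],          # statically linked CRT memcpy
        "sub_402000": ["mov ecx, 0x20", "loc_402005:", "xor byte ptr [esi], 0x5a",
                       "inc esi", "loop 0x402005", "ret"],   # string decoder, key 0x5a
    },
    "campaignA/sample2.exe": {
        "sub_403000": [ln for ln in MEMCPY],          # same memcpy, relocated
        "sub_404100": ["mov ecx, 0x40", "loc_404105:", "xor byte ptr [esi], 0x7f",
                       "inc esi", "loop 0x404105", "ret"],   # same decoder, key 0x7f
    },
    "campaignB/sample1.exe": {
        "sub_405000": ["push ebp", "mov ebp, esp", "call sub_405900", "xor eax, eax", "pop ebp", "ret"],
        "sub_406000": ["mov eax, [esp+0x4]", "imul eax, eax, 0x9e3779b1", "ret"],
    },
}

IMM_RE = re.compile(r"\b0x[0-9a-f]+\b|\b\d+\b")          # hex or decimal immediates
LABEL_RE = re.compile(r"\b(?:loc|sub|off)_[0-9a-f]+\b")  # disassembler-generated symbols


def normalise(lines):
    """Mask build-specific detail so near-identical functions compare equal.

    Trade-off: masking immediates also hides semantically meaningful constants
    (e.g. an XOR key), which is what makes two re-keyed decoders 'nearly identical'.
    """
    out = []
    for line in lines:
        line = line.strip().lower()
        if line.endswith(":"):       # drop local labels; their addresses are noise
            continue
        line = LABEL_RE.sub("LOC", line)
        line = IMM_RE.sub("IMM", line)
        out.append(line)
    return out


def signature(lines):
    """Stable group key: hash of the normalised instruction sequence."""
    return hashlib.sha256("\n".join(normalise(lines)).encode()).hexdigest()[:16]


def group_functions(corpus):
    """Step 1: signature -> [(executable, function)] across every executable."""
    groups = defaultdict(list)
    for exe, funcs in corpus.items():
        for name, body in funcs.items():
            groups[signature(body)].append((exe, name))
    return dict(groups)


def campaign_of(exe):
    return exe.split("/", 1)[0]          # assumed path convention: "<campaign>/<file>"


def collate(groups):
    """Step 2: split groups into common benign code and per-campaign shared code.

    Returns (benign_common, campaign_shared) where benign_common is the set of
    signatures also present in the benign dataset (library/compiler code an analyst
    can skip) and campaign_shared maps campaign -> signatures shared by at least two
    of its samples but absent from benign code (candidate campaign-specific code).
    """
    benign_common, campaign_shared = set(), defaultdict(set)
    for sig, members in groups.items():
        campaigns = {campaign_of(exe) for exe, _ in members}
        if "benign" in campaigns:
            benign_common.add(sig)
            continue
        for c in campaigns:
            samples = {exe for exe, _ in members if campaign_of(exe) == c}
            if len(samples) >= 2:
                campaign_shared[c].add(sig)
    return benign_common, dict(campaign_shared)


if __name__ == "__main__":
    groups = group_functions(CORPUS)
    benign, shared = collate(groups)
    for sig, members in groups.items():
        tag = "benign-common" if sig in benign else "unique"
        for c, sigs in shared.items():
            if sig in sigs:
                tag = f"shared in {c}"
        print(sig, tag, members)
```

Running the block reports three things an analyst would want before opening a disassembler: the memcpy and `main` prologue groups are tagged benign-common because they also occur in the benign set, the two XOR decoders collapse into one group that is shared only within campaignA, and the campaignB multiply routine stays unique. In practice the normalisation would be replaced by the paper's learned or statistical similarity, since exact hashing after masking still misses reordered basic blocks or inlined helpers.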