
Identifying Obfuscated Code through Graph-Based Semantic Analysis of Binary Code

Roxane Cohen, Robin David, Florian Yger, Fabrice Rossi

TL;DR

This paper tackles identifying obfuscated code at the function level by learning from graph representations of binary functions. It compares classical graph-feature baselines with various Graph Neural Network (GNN) architectures and several semantically rich node features, across two obfuscation datasets and two data-split schemes. The key finding is that GNNs outperform baselines only when provided with meaningful semantic features, with the Graph Isomorphism Network (GIN) and related models achieving the strongest results, including on a real-world XTunnel malware example. The work demonstrates the practicality of graph-based semantic analysis for obfuscation detection and informs future directions in graph representations and feature design for binary analysis.

Abstract

Protecting sensitive program content is a critical issue in various situations, ranging from legitimate use cases to unethical contexts. Obfuscation is one of the most widely used techniques to ensure such protection. Consequently, attackers must first detect and characterize obfuscation before launching any attack against it. This paper investigates the problem of function-level obfuscation detection using graph-based approaches, comparing algorithms ranging from elementary baselines to promising techniques such as Graph Neural Networks (GNNs), under different feature choices. We consider various obfuscation types and obfuscators, resulting in two complex datasets. Our findings demonstrate that GNNs need meaningful features that capture aspects of function semantics in order to outperform baselines. Our approach shows satisfactory results, especially in a challenging 11-class classification task and in a practical malware analysis example.
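To make the two kinds of input the abstract contrasts concrete, the following added example (not code from the paper or its authors) computes, for a function's control-flow graph, a handful of classical whole-graph features of the sort a baseline classifier consumes, alongside a simple per-node semantic feature (a histogram of instruction categories) that a GNN could take as node input. The two CFGs, the mnemonic-to-category table and the "fan product" heuristic are this example's own constructions and assumptions; the paper's actual feature sets and models are not reproduced here.

```python
"""Added example (not the paper's code): structural graph features of a
function CFG versus a simple per-node semantic feature.

Both CFGs are constructed by hand: a plain if/else function and a
control-flow-flattened variant in which every block returns to one
dispatcher. Category names and the mnemonic table are assumptions.
"""
from collections import Counter

# Constructed CFGs: block -> (instruction mnemonics, successor blocks)
PLAIN_CFG = {
    "entry": (["push", "mov", "cmp", "jne"], ["then", "else"]),
    "then":  (["add", "mov", "jmp"], ["ret"]),
    "else":  (["sub", "mov"], ["ret"]),
    "ret":   (["pop", "ret"], []),
}

FLATTENED_CFG = {
    "entry":    (["push", "mov", "jmp"], ["dispatch"]),
    "dispatch": (["cmp", "je", "cmp", "je", "cmp", "je", "jmp"],
                 ["b0", "b1", "b2", "ret"]),
    "b0":       (["cmp", "mov", "jmp"], ["dispatch"]),
    "b1":       (["add", "mov", "jmp"], ["dispatch"]),
    "b2":       (["sub", "mov", "jmp"], ["dispatch"]),
    "ret":      (["pop", "ret"], []),
}

CATEGORIES = ("arith", "cmp", "ctrl", "mem", "other")

# Assumed mnemonic-to-category table (x86-style mnemonics, chosen for this example)
MNEMONIC_CATEGORY = {
    "add": "arith", "sub": "arith", "imul": "arith", "xor": "arith",
    "cmp": "cmp", "test": "cmp",
    "jmp": "ctrl", "je": "ctrl", "jne": "ctrl", "call": "ctrl", "ret": "ctrl",
    "mov": "mem", "lea": "mem", "push": "mem", "pop": "mem",
}


def structural_features(cfg):
    """Classical whole-graph features a baseline classifier might use."""
    n = len(cfg)
    edges = sum(len(succ) for _, succ in cfg.values())
    in_deg = Counter(dst for _, succ in cfg.values() for dst in succ)
    out_deg = {b: len(succ) for b, (_, succ) in cfg.items()}
    # A block that is both a heavy merge point and a heavy branch point is the
    # shape a flattening dispatcher produces; this product is an assumed heuristic.
    fan_product = max(in_deg.get(b, 0) * out_deg[b] for b in cfg)
    return {
        "nodes": n,
        "edges": edges,
        "cyclomatic": edges - n + 2,          # single connected component assumed
        "density": edges / (n * (n - 1)) if n > 1 else 0.0,
        "max_in_degree": max(in_deg.values(), default=0),
        "max_out_degree": max(out_deg.values(), default=0),
        "max_fan_product": fan_product,
    }


def node_semantic_feature(mnemonics):
    """Per-node feature: normalised histogram of instruction categories."""
    counts = Counter(MNEMONIC_CATEGORY.get(m, "other") for m in mnemonics)
    total = sum(counts.values()) or 1
    return tuple(counts[c] / total for c in CATEGORIES)


def function_semantic_feature(cfg):
    """Mean of the node histograms: the simplest graph-level pooling."""
    vecs = [node_semantic_feature(m) for m, _ in cfg.values()]
    return tuple(sum(v[i] for v in vecs) / len(vecs) for i in range(len(CATEGORIES)))


if __name__ == "__main__":
    for name, cfg in (("plain", PLAIN_CFG), ("flattened", FLATTENED_CFG)):
        print(name, structural_features(cfg))
        print(name, "mean node histogram", function_semantic_feature(cfg))
```

On these constructed inputs the structural features already separate the two shapes (the flattened CFG has a higher cyclomatic number and one block with both high in- and out-degree), but they say nothing about what the blocks compute; the per-node histogram is the kind of input a GNN can aggregate along edges, which is where the paper's observation that semantic node features matter comes in.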

Paper Structure

This paper contains 9 sections, 2 equations, 1 figure, 5 tables.

Figures (1)

  • Figure 1: gzerror function source code (zlib project)