Bin2Vec: Interpretable and Auditable Multi-View Binary Analysis for Code Plagiarism Detection

Moussa Moussaoui, Tarik Houichime, Abdelalim Sadiq

TL;DR

Bin2Vec tackles the problem of binary artifact similarity by fusing static and dynamic signals into a multi-view embedding framework. It constructs five views (functions, imports, exports, traces, registers) and uses a deterministic encoder with a hashing fallback to generate per-view and global cosine similarities, enabling interpretable and auditable matching. The approach emphasizes architecture-awareness, provenance-traceability, and scalability to whole binaries, contributing a reproducible end-to-end pipeline for software auditing and plagiarism detection. Experiments on PuTTY and 7-Zip reveal distinct view-level patterns across programs while validating the method's interpretability and robustness to single-signal brittleness.

Abstract

We introduce Bin2Vec, a new framework that helps compare software programs in a clear and explainable way. Instead of focusing only on one type of information, Bin2Vec combines what a program looks like (its built-in functions, imports, and exports) with how it behaves when it runs (its instructions and memory usage). This gives a more complete picture when deciding whether two programs are similar or not. Bin2Vec represents these different types of information as views that can be inspected separately using easy-to-read charts, and then brings them together into an overall similarity score. Bin2Vec acts as a bridge between binary representations and machine learning techniques by generating feature representations that can be efficiently processed by machine-learning models. We tested Bin2Vec on multiple versions of two well-known Windows programs, PuTTY and 7-Zip. The primary results strongly confirmed that our method computes an optimal and visualization-friendly representation of the analyzed software. For example, PuTTY versions showed more complex behavior and memory activity, while 7-Zip versions focused more on performance-related patterns. Overall, Bin2Vec provides decisions that are both reliable and explainable to humans. Because it is modular and easy to extend, it can be applied to tasks like auditing, verifying software origins, or quickly screening large numbers of programs in cybersecurity and reverse-engineering work.
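An added sketch of the per-view and global cosine scoring described above; it is not the authors' code. It uses signed feature hashing as the only encoder, and the 64-wide vectors, the SHA-256 bucket choice, aggregation by concatenation and the sample token lists are all assumptions.

```python
import hashlib
import math

VIEWS = ("functions", "imports", "exports", "traces", "registers")
DIM = 64  # assumed per-view width; the page does not state one

def hash_embed(tokens, dim=DIM):
    """Deterministic signed feature hashing, L2-normalised (assumed encoder)."""
    vec = [0.0] * dim
    for tok in tokens:
        digest = hashlib.sha256(tok.encode("utf-8")).digest()
        bucket = int.from_bytes(digest[:4], "big") % dim
        vec[bucket] += 1.0 if digest[4] & 1 else -1.0
    norm = math.sqrt(sum(x * x for x in vec))
    return [x / norm for x in vec] if norm else vec

def cosine(a, b):
    """Cosine similarity; an empty (all-zero) view scores 0.0, not NaN."""
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(x * x for x in b))
    if na == 0.0 or nb == 0.0:
        return 0.0
    return sum(x * y for x, y in zip(a, b)) / (na * nb)

def compare(bin_a, bin_b):
    """Return (per-view scores, global score) for two {view: tokens} dicts."""
    per_view, glob_a, glob_b = {}, [], []
    for view in VIEWS:
        ea = hash_embed(bin_a.get(view, []))
        eb = hash_embed(bin_b.get(view, []))
        per_view[view] = cosine(ea, eb)
        glob_a += ea  # aggregation by concatenation (assumption)
        glob_b += eb
    return per_view, cosine(glob_a, glob_b)

# Constructed sample features, not taken from PuTTY or 7-Zip.
SAMPLE_A = {
    "imports": ["kernel32!CreateFileW", "ws2_32!connect", "advapi32!RegOpenKeyExW"],
    "traces": ["call:connect"],
}
SAMPLE_B = {
    "imports": ["kernel32!CreateFileW", "ws2_32!connect", "advapi32!RegOpenKeyExW"],
}

if __name__ == "__main__":
    scores, overall = compare(SAMPLE_A, SAMPLE_B)
    for view in VIEWS:
        print(f"{view:10s} {scores[view]:.3f}")
    print(f"global     {overall:.3f}")
```

With the constructed samples the import view matches exactly while the trace view scores zero, so the global score drops below 1.0 and the per-view breakdown shows which signal caused it.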

Paper Structure

This paper contains 5 sections, 1 equation, 11 figures.

Figures (11)

  • Figure 1: Overview of the Bin2Vec pipeline: inputs (static and dynamic), per-view embedding construction, normalization and aggregation, and global cosine similarity.
  • Figure 2: Field-wise export comparison: PuTTY (4 versions) vs. 7-Zip.
  • Figure 3: Field-wise export embeddings comparison (cosine similarity): PuTTY (4 versions) vs. 7-Zip.
  • Figure 4: Field-wise import comparison: PuTTY (4 versions) vs. 7-Zip.
  • Figure 5: Field-wise function embeddings comparison (cosine similarity): PuTTY (4 versions) vs. 7-Zip.
  • ...and 6 more figures