Binary executable file similarity calculation using function matching

Abstract

Nowadays, computer software is an essential part in our lives and is used in various fields. While software gives us convenience, it also causes many problems. Various research efforts are needed to defend against software plagiarism, attacks using malware/software, and so on. Analysis techniques of binary executable files can be applied to investigate and defend these problems. However, it is relatively hard to analyze binary executable files without source code information, because executable files only have the information for execution and discard semantic information during the compiling process. In this paper, we proposed a similarity calculation method for binary executable files, based on function matching techniques. Attributes of a function are extracted and these attributes are used to match functions of two binary files. Our function matching process is composed of three steps: the function name matching step, the N-tuple matching step, and the final n-gram-based matching step. After the function matching process is performed, the overall similarity is calculated based on similarities of matched functions. Experimental results show that similarity accuracy of our binary-based similarity calculation method is similar to those of a well-known source-code-based method, call MOSS.