高级检索

    基于社团检测算法的固件二进制比对技术

    Firmware Binary Comparison Technology Based on Community Detection Algorithm

    • 摘要: 固件比对是二进制比对技术的重要分支.然而,既往研究关注于函数的表示方法的优化却忽略了对过滤器的设计优化,导致固件常因包含同构函数引发误匹配,以致现有二进制比对技术应用于固件比对时效果不够理想.为此,提出基于社团检测算法的固件比对技术,首次将复杂网络相关理论应用于二进制比对领域.通过社团检测算法将固件内的函数划分为若干社团,利用社团匹配实现过滤器的功能,再根据匹配社团寻找匹配函数;此外,优化了函数相似度计算方法,设计了操作数相似性计算方法.在实现原型系统后,使用1382个固件构建2个数据集进行实验,验证了可行性,分析了基于社团检测算法的固件比对方法的性能,确定了各参数的合理取值,设计了评估指标可信匹配率,并比较了该方法与Bindiff的比对效果.实验表明:该方法可以提升Bindiff比对结果5%~11%的正确率.

       

      Abstract: Firmware comparison is an important branch of binary comparison technology. However, the existing binary comparison technology is not ideal when applied to firmware comparison. Previous studies focused on the optimization of the function representation method, but neglected the design and improvement of filters, which led to mismatches caused by firmware containing isomorphic functions. For this reason, this paper proposes a firmware comparison technology based on community detection algorithms, and applies complex network related theories to the field of binary comparison for the first time. Divide the function in the firmware into several communities through the community detection algorithm, use community matching to realize the filter function, and then find the matching function according to the matching community; In addition, this paper optimizes the function similarity calculation method, and designs the operand similarity calculation method. After the prototype system is implemented, this paper uses 1382 firmware to construct two data sets for experiments to verify the feasibility, analyze the performance of the method in this paper, and determine the reasonable value of each parameter, design the credible matching rate as the evaluation index, and compare the method in this paper and Bindiff. Experiments show that this method can improve the accuracy of Bindiff comparison results by 5% to 11%.

       

    /

    返回文章
    返回