CR | LG | ML | Apr 2, 2025

Identifying Obfuscated Code through Graph-Based Semantic Analysis of Binary Code

arXiv:2504.01481v11 citations | h-index: 1 | Appl Netw Sci
Originality: Synthesis-oriented
AI Analysis

This work addresses the need for obfuscation detection in binary code, particularly for security applications like malware analysis, but it is incremental as it builds on existing graph-based methods.

The paper tackled the problem of detecting function-level obfuscation in binary code by comparing graph-based algorithms, including Graph Neural Networks (GNNs), on various obfuscation types and datasets. It found that GNNs require meaningful semantic features to outperform baselines, achieving satisfactory results in an 11-class classification task and a malware analysis example.

Protecting sensitive program content is a critical issue in various situations, ranging from legitimate use cases to unethical contexts. Obfuscation is one of the most used techniques to ensure such protection. Consequently, attackers must first detect and characterize obfuscation before launching any attack against it. This paper investigates the problem of function-level obfuscation detection using graph-based approaches, comparing algorithms, from elementary baselines to promising techniques like GNN (Graph Neural Networks), on different feature choices. We consider various obfuscation types and obfuscators, resulting in two complex datasets. Our findings demonstrate that GNNs need meaningful features that capture aspects of function semantics to outperform baselines. Our approach shows satisfactory results, especially in a challenging 11-class classification task and in a practical malware analysis example.
