Skip to main content
USENIX
  • Conferences
  • Students
Sign in
  • Overview
  • Workshop Organizers
  • Registration Information
  • Registration Discounts
  • At a Glance
  • Calendar
  • Workshop Program
  • Birds-of-a-Feather Sessions
  • Co-located Workshops
  • Sponsorship
  • Activities
  • Hotel and Travel Information
  • Students
  • Questions
  • Help Promote!
  • For Participants
  • Call for Papers
  • Past Workshops

sponsors

Bronze Sponsor

twitter

Tweets by @usenix

usenix conference policies

  • Event Code of Conduct
  • Conference Network Policy
  • Statement on Environmental Responsibility Policy

You are here

Home » FuncTracker: Discovering Shared Code to Aid Malware Forensics
Tweet

connect with us

https://twitter.com/usenixsecurity
https://www.facebook.com/usenixassociation
http://www.linkedin.com/groups/USENIX-Association-49559/about
https://plus.google.com/108588319090208187909/posts
http://www.youtube.com/user/USENIXAssociation

FuncTracker: Discovering Shared Code to Aid Malware Forensics

Authors: 

Charles LeDoux, Arun Lakhotia, Craig Miles, and Vivek Notani, University of Louisiana at Lafayette; Avi Pfeffer, Charles River Analytics

Abstract: 

Malware code has forensic value, as evident from recent studies drawing relationships between creators of Duqu and Stuxnet through similarity of their code. We present FuncTracker, a system developed on top of Palantir, to discover, visualize, and explore relationships between malware code, with the intent of drawing connections over very large corpi of malware – millions of binaries consisting of terabytes of data. To address such scale we forego the classic data-mining methods requiring pairwise comparison of feature vectors, and instead represent a malware as a set of hashes over carefully selected features. To ensure that a hash match implies a strong match we represent individual functions using hashes of semantic features, in lieu of syntact features commonly used in the literature. A graph representing a collection of malware is formed by function hashes representing nodes, making it possible to explore the collection using classic graph operations supported by Palantir. By annotating the nodes with additional information, such as the location and time where the malware was discovered, one can use the relationship within malware to make connections between otherwise unrelated clues.

Charles LeDoux, Center for Advanced Computer Studies; University of Louisiana at Lafayette

Arun Lakhotia, Center for Advanced Computer Studies; University of Louisiana at Lafayette

Craig Miles, University of Louisiana at Lafayette

Vivek Notani, University of Louisiana at Lafayette

Avi Pfeffer, Charles River Analytics

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {179234,
author = {Charles LeDoux and Arun Lakhotia and Craig Miles and Vivek Notani and Avi Pfeffer},
title = {{FuncTracker}: Discovering Shared Code to Aid Malware Forensics},
booktitle = {6th USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET 13)},
year = {2013},
address = {Washington, D.C.},
url = {https://www.usenix.org/conference/leet13/workshop-program/presentation/ledoux},
publisher = {USENIX Association},
month = aug,
}
Download
Le Doux PDF
View the slides

Presentation Audio

MP3 Download OGG Download

Download Audio

  • Log in or    Register to post comments

Bronze Sponsors

© USENIX

  • Privacy Policy
  • Contact Us