面向跨架构恶意软件的函数相似性检测和衍变分析

自动化的恶意软件衍变分析已成为当前一项重要的网络安全研究工作。函数相似性检测在软件衍变分析过程中扮演着关键角色，但是大多数现有的方法难以有效处理跨架构的情况。随着越来越多跨架构恶意软件的出现，如何在代码跨架构情况下准确地进行函数相似性检测以及衍变分析变得更加紧迫。为此，提出了一种新的基于Weisfeiler-Lehman图同构测试的函数哈希方法WLHash，从而能够高效地进行跨架构软件之间的函数相似性检测和衍变分析。实验结果表明，所提方法能够较为准确且高效地检测跨架构软件之间的函数相似性，并进而获取它们之间的衍变关系，同时计算开销比较低，适用于大规模的跨架构恶意软件衍变分析。

Function Similarity Detection and Lineage Analysisfor Cross-architecture Malware

Automated malware lineage analysis has become an important network security research. Function similarity detection plays a key role in software lineage analysis, but most of the existing methods are difficult to deal with cases with cross-architecture. With the emergence of more and more cross architecture malware, how to accurately detect function similarity and analyze the evolution in the case of code with cross architecture becomes more urgent. Therefore, this paper proposed WLHhash, a new function hash method, based on Weisfeiler-Lehman graph isomorphism testing, thus the function similarity detection and lineage analysis between cross architecture software can be carried out efficiently. Experimental results show that the proposed method can efficiently analyze the similarity of cross architecture functions, accurately capture the lineage relationship between them, and has low computational cost, so it can be applied to lineage analysis cross architecture malware on a large scale.