A Method to Evaluate CFG Comparison Algorithms
Patrick P.F. Chan Christian Collberg
Research problem
Which CFG similarity algorithm is better?
I come up with a new algorithm, how does it compare to the existing ones?
Is there a
similarity algorithms?
similarity algorithms
algorithms
function
a = int(input())
if a % 2 == 0:
    print("even")
else:
    print("odd")
[Figure: control flow graph of the code above, with Entry and Exit nodes and True/False branch edges]
[Figure: CFGs of malware: Match]
[Figure: Original software vs. suspected pirated software: How similar?]
[Figure: Assignment submission vs. solution: How similar?]
How similar?
a program
a program
Match the nodes of the enhanced CFGs
[Figure: CFG A (nodes 1 2 3 4) and CFG B (nodes 1 2 3 4 5)]
from CFGs and match them
[Figure: CFG A (nodes 1 2 3 4) and CFG B (nodes 1 2 3 4 5)]
1 2 4 1 2 3 1 2 4 1 2 5 1 2 3 2 4 5
No match!
another graph
[Figure: cost matrix with the following annotations]
Cost of matching node 1 of CFG A to node 1 of CFG B
Cost of deleting node 1 of CFG B
Cost of deleting node 4 of CFG B
Cost of matching dummy nodes
Cost of deleting nodes in CFG B
Cost of deleting nodes in CFG A
Cost of matching nodes
[Figure: CFG A (nodes 1 2 3 4) and CFG B (nodes 1 2 3 4 5)]
Total cost = 5
-Janičić et al. iteratively builds a similarity matrix between the nodes of the two CFGs, based on the similarity of their neighbor
flow graphs using Labeled Transition Systems (LTS)
distances with respect to a seed CFG G0
that the higher the similarity score between Gi and G0 given by that algorithm, the higher Gi is ranked
the ranking it produces to the ground truth ⟨G1, G2, G3,...⟩, using ranking correlation algorithms such as sortedness or Pearson correlation
[Figure: seed CFG G0 and the CFGs G1, G2, G3]

        G1     G2     G3
ED      1      2      3
SimA    0.4    0.1    0.8

Ranking by ED: ⟨G1, G2, G3⟩
Ranking by SimA: ⟨G3, G1, G2⟩
Pearson correlation = -0.5
two CFGs?
increasing edit distances with the seed CFG G0?
→ N that computes the smallest number of edit
[Figure: G0 (nodes a b c d) and the graphs generated from it, one of which has nodes a b c d e; edit labels: Add Edge, Add Node, Add Edge, Delete Edge]
For every possible edit operation that can be applied to G0, apply it and generate a new graph
Do the same for the newly generated graphs
Obtain the Edit Distance Graph (EDG)
[Figure: Edit Distance Graph (EDG) grown from G0; edit labels: Add Edge, Add Node, Add Edge, Delete Edge, Add Edge, Add Edge]
Randomly pick a CFG on each level and they become our G1, G2, G3,…
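The evaluation procedure above as an added Python example; it is not the authors' code, and all function names are hypothetical. It assumes labelled graphs over a fixed node set with only Add Edge and Delete Edge as edit operations (so a graph's EDG level equals its edit distance from G0), a constructed seed CFG, and an edge-set Jaccard score standing in for the similarity algorithm under test.

```python
import random
from itertools import permutations

NODES = "abcd"  # node names as on the slides
G0 = frozenset({("a", "b"), ("a", "c"), ("b", "d"), ("c", "d")})  # constructed seed CFG

def one_edit_away(edges):
    """Graphs one edit from `edges`: add a missing edge or delete an existing one."""
    added = [edges | {e} for e in permutations(NODES, 2) if e not in edges]
    deleted = [edges - {e} for e in sorted(edges)]
    return added + deleted

def edg_levels(g0, depth):
    """Breadth-first EDG: levels[k] lists the graphs at edit distance k from g0."""
    seen, levels = {g0}, [[g0]]
    for _ in range(depth):
        nxt = []
        for g in levels[-1]:
            for h in one_edit_away(g):
                if h not in seen:
                    seen.add(h)
                    nxt.append(h)
        levels.append(nxt)
    return levels

def ranks(scores):
    """Rank position of each Gi (1 = highest similarity score)."""
    order = sorted(range(len(scores)), key=lambda i: -scores[i])
    return [order.index(i) + 1 for i in range(len(scores))]

def rank_correlation(scores):
    """Pearson correlation between ground-truth ranks 1..n and the algorithm's ranks."""
    xs, ys = list(range(1, len(scores) + 1)), ranks(scores)
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    var = sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys)
    return cov / var ** 0.5

def jaccard(g, h):
    """Stand-in similarity algorithm (assumption): overlap of the two edge sets."""
    return len(g & h) / len(g | h)

def evaluate(sim, g0, depth=3, seed=0):
    """Pick one CFG per EDG level as G1..Gn, score each against g0, correlate ranks."""
    rng = random.Random(seed)
    picks = [rng.choice(level) for level in edg_levels(g0, depth)[1:]]
    return rank_correlation([sim(g0, g) for g in picks])
```

Calling `rank_correlation([0.4, 0.1, 0.8])` reproduces the SimA example from the slides.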
five CFGs)
“Goodness score” statistics of the four algorithms
Time used by the four algorithms to finish 100 test cases
detection
tools
base
Edit instructions => huge EDG
algorithms
algorithms users / researchers
Thank you!