OSTI.GOV, U.S. Department of Energy, Office of Scientific and Technical Information

Title: Establishing Malware Attribution and Binary Provenance Using Multicompilation Techniques

Abstract

Malware is a serious problem for computer systems and costs businesses and customers billions of dollars a year, in addition to compromising their private information. Detecting malware is particularly difficult because malware source code can be compiled in many different ways, generating many different digital signatures, which causes problems for most anti-malware programs that rely on static signature detection. Our project uses a convolutional neural network to identify malware programs, but such networks require large amounts of data to be effective. Towards that end, we gather thousands of source code files from publicly available programming contest sites and compile them with several different compilers and flags. Building upon current research, we then transform these binary files into image representations and use them to train a long-term recurrent convolutional neural network that will eventually be used to identify how a malware binary was compiled. This information will include the compiler, the compiler version, and the options used in compilation, information which can be critical in determining where a malware program came from and even who authored it.

Authors: Ramshaw, M. J. [1]
  1. Lawrence Livermore National Lab. (LLNL), Livermore, CA (United States)
Publication Date: 2017
Research Org.: Lawrence Livermore National Lab. (LLNL), Livermore, CA (United States)
Sponsoring Org.: USDOE
OSTI Identifier: 1390004
Report Number(s): LLNL-TR-737549
DOE Contract Number: AC52-07NA27344
Resource Type: Technical Report
Country of Publication: United States
Language: English
Subject: 97 MATHEMATICS, COMPUTING, AND INFORMATION SCIENCE

Citation Formats

Ramshaw, M. J. Establishing Malware Attribution and Binary Provenance Using Multicompilation Techniques. United States: N. p., 2017. Web. doi:10.2172/1390004.
Ramshaw, M. J. Establishing Malware Attribution and Binary Provenance Using Multicompilation Techniques. United States. doi:10.2172/1390004.
Ramshaw, M. J. 2017. "Establishing Malware Attribution and Binary Provenance Using Multicompilation Techniques". United States. doi:10.2172/1390004. https://www.osti.gov/servlets/purl/1390004.
@article{osti_1390004,
  title = {Establishing Malware Attribution and Binary Provenance Using Multicompilation Techniques},
  author = {Ramshaw, M. J.},
  abstractNote = {Malware is a serious problem for computer systems and costs businesses and customers billions of dollars a year in addition to compromising their private information. Detecting malware is particularly difficult because malware source code can be compiled in many different ways and generate many different digital signatures, which causes problems for most anti-malware programs that rely on static signature detection. Our project uses a convolutional neural network to identify malware programs but these require large amounts of data to be effective. Towards that end, we gather thousands of source code files from publicly available programming contest sites and compile them with several different compilers and flags. Building upon current research, we then transform these binary files into image representations and use them to train a long-term recurrent convolutional neural network that will eventually be used to identify how a malware binary was compiled. This information will include the compiler, version of the compiler and the options used in compilation, information which can be critical in determining where a malware program came from and even who authored it.},
  doi = {10.2172/1390004},
  journal = {},
  number = {},
  volume = {},
  place = {United States},
  year = {2017},
  month = {7}
}
