KR101792631B1 - Api-based software similarity measuring method and system using fuzzy hashing - Google Patents

Abstract

The present invention relates to a method for measuring similarity of API-based software of a function using fuzzy hashing and a system thereof. The present invention provides a method and system for comparing multiple processing programs at the same time and measuring the similarity of software by comparing in a procedure unit, not the entire program unit. Further, the present invention provides a method and system for automatically comparing many programs by evaluating the similarity though a busmark in a procedure unit of all programs. According to the present invention, the method includes the steps of: (a) extracting a code area from an input program; (b) disassembling the extracted code area; (c) dividing an instruction sequence of the disassembled program to procedures; (d) generating a hash value with respect to an API call sequence of the divided procedures by using a fuzzy hash function and storing the generated hash value in a busmark database; and (e) measuring similarity of the input program by using the stored hash value.

Description

TECHNICAL FIELD [0001] The present invention relates to a method for measuring similarity of an API-based software of a function using fuzzy hashing,

The present invention relates to a software similarity measurement method and a measurement system, and more particularly, to a software similarity measurement method and a measurement system, in which a program is classified into a procedure unit for extracting characteristics of a program, API based software similarity measurement system and method using fuzzy hashing to generate API call instruction sequence and acquire similarity measurement data (birthmark) by applying fuzzy hash function to the generated API call instruction sequence .

Recent developments in information and communication technologies have evolved piracy, cracked code theft, malicious behavior corresponding to software copyright infringement, and speeding up the distribution of illegal software.

The software watermarking technique has been proposed in the past to embed copyright notation in the original source code to identify the software owner. However, these watermark techniques are easily compromised by compiler optimizations or semantics-preserving obfuscation.

The software birthmark technique reflects the unique characteristics of every software program itself, such as the birthmark, or the point that it has since the birth of the dictionary meaning of the birthmark Technology. Therefore, it is a technology widely used in digital forensics and malicious code detection beyond the copyright infringement and code theft of software.

Traditionally, a software birthmark has generated code for an application program. They can be distinguished from the original source code and the compiled code. Compiled program codes can be divided into native code or unmanaged code, and managed code according to a programming language and a compiler.

For example, if the execution environment is Intel Microproccessor x86 and Windows OS, the native code has Intel instruction set and Portable Execution (PE) format. That's why the software birthmark approach can vary depending on managed code and native code. The software bus mark approach proposed in the following embodiments of the present invention targets native codes.

Instruction  Instruction-Based Birthmark

The program basically consists of data and instructions. The instruction sequences are often used as bus marks in previous studies because they reflect some degree of program behavior.

Structure-Based Birthmark

The software birthmark has also been proposed with a graph structure of the program. Each function in the program (procedures in native code) is defined by the dependencies between statements in a function, inheritance relationships between classes, like acyclic graphs, ), And the like. Thus, a bus mark can be generated as a graphical representation of the program.

Recently, an API-based software birthmark was proposed by Yongman Han et al. In their study, a birthmark was generated based on the API call sequence of the program. In addition, a bus mark DB (birthmark DB) was constructed to efficiently detect software copyright infringement in OSP (Online Service Provider) or P2P environment.

Their proposed birthmark extracts a program-wide API call sequence and stores it in the busmark database using a cryptographic hash function (MD5). They suggested that various types of applications can be classified by category (multimedia player, FTP client, text editor, etc.) through pre-filtering process. In the pre-filtering process, the name and number of DLLs, APIs name and number are processed in the program.

However, the use of MD5 in their research can not measure the similarity of the birthmark, and the API call sequence extracted from the entire area of the program can be changed at compile time, It does not satisfy the basic properties resiliency and credibility. It is also difficult to classify the functional characteristics of various programs into categories by only using the names and numbers of DLLs and APIs.

Korean Patent Publication No. 10-2014-0063322 (Published on May 27, 2014) Korean Patent Publication No. 10-2015-0051833 (published on May 13, 2015)

The method and system for measuring the similarity of an API-based software of a function using the fuzzy hashing according to the present invention have the following problems.

First, the present invention aims to provide a method and a system that can compare a plurality of processing programs at the same time, and can measure software similarity through comparison of procedure units rather than the whole program.

Second, the present invention is intended to provide a method and system that can automate many programs and comparisons because it evaluates the similarity with the procedure unit bus mark of all programs.

The present invention has been made in view of the above problems, and it is an object of the present invention to provide an apparatus and method for controlling the same.

According to a first aspect of the present invention, there is provided a method for measuring similarity of an API-based software of a function using fuzzy hashing, comprising the steps of: (a) extracting a code area from an input program; (b) disassembling the extracted code region; (c) separating an instruction sequence of a disassembled program into a procedure; (d) generating a hash value through a fuzzy hash function on the API call sequence of the separated procedures and storing the hash value in the bus mark DB; And (e) measuring the similarity of the input program using the stored hash value.

Preferably, the code region is a set of codes interpreted and executed by a microprocessor. In the step (b), the extracted code region is subjected to a recursive decent disassembly And recognizing reference procedures for a call instruction using the instruction.

Preferably, the step (c) includes a step of removing a procedure in which API calls do not occur in each of the separated procedures, and the step (c) And storing it in the schedule DB.

In addition, the step (d) may include the step of constructing the generated hash value into an executable file table having information on the executable file and a list table having a procedure list linked to the executable file table, And the step (e) is a step of judging program similarity through the similarity measurement function to the hash value generated in the steps (a) to (e) of the input program using the stored hash value desirable.

Also, the similarity measurement function may include:

(Where e represents a threshold value and represents a bus mark value generated through B _f for each procedure extracted from the programs P and Q for each of alpha and beta) .

According to a second aspect of the present invention, there is provided an API-based software similarity measuring system for a function using fuzzy hashing, comprising: a code region extracting unit for receiving a program and extracting a code region; A disassembly unit for disassembling the extracted code region; A procedure separator for separating an instruction sequence of a disassembled program into a procedure; A bus mark generating unit for generating a hash value through a fuzzy hash function on the API call sequence of the separated procedures and storing the hash value in the bus mark DB; And a similarity measuring unit for measuring the similarity of the input program using the stored hash value.

Here, it is preferable that the disassembling unit recognizes reference procedures for a call instruction by using a recursive decent disassembly method on the extracted code area, The procedure separator preferably removes procedures that do not cause API calls in each of the separate procedures.

Preferably, the procedure separator selectively stores the procedures in the procedure DB, and the bus mark generator generates the generated hash value using an executable file table having information on the executable file, , And a list table having a list of procedures linked to the executable file table, and stores them in the bus mark DB.

In addition, the similarity measuring unit may preferably determine the similarity of the program through the similarity measure function to the hash value of the input program generated using the stored hash value,

(Where e represents a threshold value and represents a bus mark value generated through B _f for each procedure extracted from the programs P and Q for each of alpha and beta) .

And a third aspect of the present invention features a computer program stored in a computer-readable medium for executing a method of measuring the similarity of an API-based software of a function using the above-described fuzzy hashing in combination with hardware.

The method and system for measuring similarity of API based software of a function using fuzzy hashing according to the present invention have the following effects.

First, the present invention can compare a plurality of processing programs at the same time by evaluating the degree of similarity using the similarity measurement data obtained by using a procedure unit classified program, And a system.

Second, since the present invention evaluates the similarity by a procedure unit bus mark of all programs stored in a database, a software similarity measuring method and system that can automate many programs and comparisons, to provide.

Third, it is possible to detect code duplicated in the procedure as compared to the conventional technology, which is compared with the entire program, and the bus mark information reduced through the fuzzy hash can be compared with the existing sequence And provides a method and system for software similarity measurement that is much more efficient than processing.

The effects of the present invention are not limited to those mentioned above, and other solutions not mentioned can be clearly understood by those skilled in the art from the following description.

BRIEF DESCRIPTION OF THE DRAWINGS Figure 1 is a schematic representation of the problem of similarity of program software.
2 is a schematic diagram illustrating a standard procedure connection of a program.
3 is a schematic diagram showing a bus mark extraction process in the conventional PE format.
4 is a flowchart illustrating a method for measuring similarity of an API-based software of a function using fuzzy hashing according to an embodiment of the present invention.
FIG. 5 is a block diagram illustrating a similarity measurement system for API-based software of a function using fuzzy hashing according to an embodiment of the present invention.
6 is a diagram showing a workflow of an API-based software similarity measurement system of a function using fuzzy hashing according to an embodiment of the present invention.
7 is a graph showing a comparison result between the procedure-based API sequence and the entire API sequence.
8 is a graph showing the results of correlation analysis of Top 50 API call frequencies between the same category programs.

Further objects, features and advantages of the present invention will become more apparent from the following detailed description and the accompanying drawings.

Before describing the present invention in detail, it is to be understood that the present invention is capable of various modifications and various embodiments, and the examples described below and illustrated in the drawings are intended to limit the invention to specific embodiments It is to be understood that the invention includes all modifications, equivalents, and alternatives falling within the spirit and scope of the invention.

It is to be understood that when an element is referred to as being "connected" or "connected" to another element, it may be directly connected or connected to the other element, . On the other hand, when an element is referred to as being "directly connected" or "directly connected" to another element, it should be understood that there are no other elements in between.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. The singular expressions include plural expressions unless the context clearly dictates otherwise. In this specification, the terms "comprises" or "having" and the like refer to the presence of stated features, integers, steps, operations, elements, components, or combinations thereof, But do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, or combinations thereof.

Further, terms such as " part, "" unit," " module, "and the like described in the specification may mean a unit for processing at least one function or operation.

In the following description of the present invention with reference to the accompanying drawings, the same components are denoted by the same reference numerals regardless of the reference numerals, and redundant explanations thereof will be omitted. DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings. In the following description, well-known functions or constructions are not described in detail since they would obscure the invention in unnecessary detail.

Traditionally, the problem of program software similarity has focused on detecting or exploring code theft. In addition, the software similarity problem is to determine whether program p is cloned or a derivative program q.

BRIEF DESCRIPTION OF THE DRAWINGS Figure 1 is a schematic representation of the problem of similarity of program software. The similarity problem of the software proceeds as shown in the flow of FIG. 1 and can be defined as follows.

Definitions 1. (software birthmarks (Birthmark)) that any set of programs and P, p ∈ P program Let p be given . And В is a function that can extract a set of program features . The bus mark В (p) of the program p can be defined if the following condition is satisfied.

- В (p) is obtained only from p itself.

If program q is a clone of p, then В (p) = В (q)

As in definition 1, the software bus mark reflects the unique characteristics extracted from the program p itself. Such a software birthmark is a technique for measuring the similarity of two programs. If the similarities of the birthmarks extracted from the two programs match each other, the two programs may be said to be the same or copied.

Generally, two features of reliability and recoverability are considered in order to evaluate the effectiveness of such a software bus mark.

Definition 2 (Resiliency) Both programs or program components Suppose that p, q ∈ P. And B (p) → a and B (q) → b are the program Let be the bus mark value extracted from p and q .

Said _{Sim p (a, b) →} [0, 1] a similarity function (function) for measuring for the program, and is assumed that the given threshold value, 0 <ε <1 value. If p and q are similar to one another, 1 - if the _{Sim p, q (a, b} ) <ε bus marking system (birthmarking system) is referred to as a recovery enemy (resilient).

Definition 3. (Credibility) Let p and q be programs written independently of each other. The bus marking system can be defined as follows (Equation 1) if it can be distinguished between the two programs, and it can be trusted.

Credibility defines a property that can be clearly distinguished when two independently developed programs are compared through a birthmarking system and resiliency is generally defined as a software bus Marks can be extracted in two approaches: original source code (including managed code) and compiled native code.

The approach extracted from the original source code has an advantage that the feature can be easily extracted by intuitively searching the flow of the code written by the developer. However, when detecting software piracy or code theft, it is generally not suitable for real-world applications because it is more often performed in a situation that does not have original source code.

Moreover, since the coding style of the developer is reflected, the code of the same flow can be analyzed differently. On the other hand, the birthmark extracted from the native code does not require the original source code since it can extract only the machine code.

However, because native code is dependent on platform (micro proccess, operating system, etc.), it has to go through a disassembling process for expert knowledge and code flow analysis in order to extract it.

SUMMARY OF THE INVENTION Accordingly, it is an object of the present invention to provide a system and method for extracting a software birthmark from a native code and measuring the similarity between two programs or one program and various programs .

CTPH : Context-Triggered Piecewise Hashing

The cryptographic hash algorithm outputs a fixed result to the input file. If the hash value of the two files is the same as the output value, it is determined that the file is the same file. In general, traditional cryptographic hash functions are used to verify the integrity of data in the field of information security.

A fuzzy hash can evaluate the similarity between two input values by separating the input values into several fragments and then using a hash in each fragments to produce a single result. The initial fuzzy hash is a block-based hash that divides input values into blocks of fixed size and compares the hash values. However, if the input value is manipulated (inserted, deleted, modified) and the offset is changed, the content of the block is changed and the whole result is affected.

To solve this problem, Kormblum et al.

Triggered Piecewise Hash) method has been proposed. CTPH identifies the delimiter that can distinguish the context of the input value and uses the hash for the delimited block.

For example, in the process of comparing two documents, the existing method has a problem that it is difficult to confirm the similarity of the two documents because the characters of all the pages are modified when one page is modified and the letters are pushed. However, since CTPH is a method of dividing by paragraphs, not pages, only the paragraphs in which the modifications are made are changed, and the remaining paragraphs are unchanged, thereby confirming the similarity.

Also, as pointed out by the 2010 Carnegie Mellon University CERT, there was a problem in that it was not efficient to compare similarities across files. By default, the code embedded in the program contains various constant values. Also, even if it is derived from the same source code, it may change at recompile time. Therefore, the hash value extracted from the entire file is not suitable for judging the similarity.

Accordingly, the birth mark according to the embodiment of the present invention is divided into procedures on one program and a fuzzy hash function is applied.

Suppose that define 4. (purge hash (Fuzzy Hash)) input value K is given and, K = {k _1, k _2, ..., k _{n -1, n} k} have the n blocks. And let's say the function (function) that can generate a fuzzy hash h (fuzzy hash).

When that h (K) → purge hash value for an input value of K A (fuzzy hash value) A defines that satisfy the following conditions.

- A = to as _{{a 1, a 2, ...} , a n -1, a n} for each _i and a _i k is a one-to-one relationship, and represents the k _i.

- h (K) - &gt; A , When k _i ∈ K is changed by a specific operation or modification, h (K ') → A' is obtained, it should be A ~ A ' .

In the present invention, fuzzy hash function h is defined as a case where certain conditions are satisfied. Applying a fuzzy hash function to a program feature allows you to measure the similarity between programs due to its nature.

In the following embodiments of the present invention, a function and a procedure are denoted by meaning. A function is defined as a managed code or an original source code that can be semantically separated by a person. And procedures are defined as being distinguishable by machine on native code.

Each procedure has a prologue sequence and an epilogue sequence. The procedure prologue is a small line of code at the beginning of the procedure that prepares the stack and registers for use within the procedure. Similarly, the procedure epilogue appears at the end of the procedure and restores the stack and registers to their state before calling the procedure. Figure 2 is a schematic diagram illustrating a standard procedure connection.

Definition 5. (Procedure) A given program Procedures belonging to P And that the entire set of P _f, | Pf | Let = n be the size of P _f (size) . Then , P _f = {f ₁ , f ₂ , ..., f _{n -1} , f _n } can be defined . We have f _i program P is called a procedure .

- f _i is a set of instructions that are called at least once when program P is executed.

- If f _i is called from f _j , f _i must contain instructions (ie epilogues) that can be returned to f _j .

- When f _i passes control to another f _j , it is only possible through a call instruction, which is a prologue of f _j .

- f _i called by a call instruction must be a set of instructions embedded in the program P or a specific reference value (property including the API).

In an embodiment of the present invention, a procedure is extracted from a sequence of instructions disassembled according to the definition 5 to extract a birthmark. However, it excludes procedures that do not contain API calls and instructions that are not procedural. The reason for this is that in order to measure the similarity to the software bus mark proposed in the embodiment of the present invention, accurate characteristics of the program must be reflected and data noise should be minimized.

The latest software bus mark technology proposed by the prior art (Yongman Han et al.) Is an illegal copying or distribution of illegal software caused by a malicious programmer or an unauthorized user on an online service provider (OSP) or P2P network A software bus mark system that detects, blocks,

However, the bus mark system proposed by the prior art has three problems. First, you can not categorize the correct categories through the DLLs name and number of APIs. An API can be defined as a list of functions provided to developers who develop applications in an operating system. In particular, the Windows system loads the APIs encapsulated in a DLL into a shared memory so that it can be used by various applications.

If the DLLs are functionally separated, they must be separated into many DLLs and always reside in memory. Therefore, the window system is divided into specific hierarchies, and the number of DLLs is reduced to the number of the DLLs. For this reason, it is not possible to distinguish the nature of the application by only names such as USER32.dll, KERNEL32.dll, and ADVAPI32.dll that are not clearly distinguished by function. In addition, in recent years, it has been difficult to judge the characteristics of an application merely by the number of API calls with the appearance of applications having a complex function according to a request of a user. For example, a recent text editor program has the ability to edit images and stores files in sync with the cloud server. In this case, the APIs of the text editor program are basically similar to the applications having the text editing function and the network and image-related APIs.

Second, an API call sequence was extracted for the entire program area. Generally, when the program source code is compiled, the compiler reflects the functions of the original source code as much as possible. In particular, in the case of an API call instruction, if it is called from a specific function of the original source code, the instruction sequence of the compiled program also exists in the corresponding function area.

Thus, even with the same source code, if the area of the function is changed in position at compile time, another API call sequence can occur, including the possibility of bypassing.

Accordingly, since the software bus mark system proposed in the embodiment of the present invention is composed of an API call sequence separated into procedures in one program, it affects the position of a function that can be changed at compile time It has the advantage of not receiving.

Finally, it is not appropriate to use cryptographic hash functions to determine similarities to program features. Traditionally, software bus marks have been studied to measure similarities between programs. Therefore, the Software Birthmark System must be designed to measure similarities between programs.

The bus mark system proposed by Yongman Han et al. Described above uses a cryptographic hash function for the API call sequence. A cryptographic hash function is a one-way function that is mainly used to verify the integrity of data because of its ability to output a completely different value even if the original data is slightly changed

For example, when a pair of similar API call sequences are given as shown in FIG. 3, a cryptographic hash function such as MD5 outputs a completely different value. However, a fuzzy hash function such as the CTPH described above maintains the similarity of the original data. Therefore, it is more appropriate to use the fuzzy hash function rather than the cryptographic hash function to evaluate the similarity of the two data.

In order to solve the above-mentioned problems, the embodiment of the present invention proposes a similarity measurement system and method for API based software of a function using fuzzy hashing.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the drawings.

FIG. 4 is a flowchart illustrating a method for measuring similarity of API-based software of a function using fuzzy hashing according to an embodiment of the present invention. And a block diagram of the similarity measurement system 10.

As shown in FIG. 4, an API-based software similarity measurement method of a function using fuzzy hashing according to an embodiment of the present invention includes: (a) extracting a code region from an input program; (b) disassembling the extracted code region; (c) separating an instruction sequence of a disassembled program into a procedure; (d) generating a hash value through a fuzzy hashing function for the API call sequence of the separated procedures and storing the hash value in the bus mark DB; And (e) measuring the similarity of the input program using the stored hash value.

5, the API-based software similarity measurement system 10 of a function using fuzzy hashing according to an embodiment of the present invention includes a code area extraction unit 100 for receiving a program and extracting a code area, ; A disassembly part (200) for disassembling the extracted code area; A procedure separator 300 for separating an instruction sequence of a disassembled program into a procedure; A bus mark generating unit 400 for generating a hash value through a fuzzy hashing function with respect to an API call sequence of separated procedures and storing the generated hash value in a bus mark DB; And a similarity measuring unit 500 for measuring the similarity of the inputted program using the stored hash value.

Here, the software similarity measurement system 10 (including the code domain extraction unit 100, the disassembly unit 200, the procedure separation unit 300, the bus mark generation unit 400, and the similarity measurement unit 500) May be a computing device or a computing device having a microprocessor for executing the above-described method for measuring software similarity, each of which may be a component separated by a device element included in the computing device, As shown in FIG.

Hereinafter, a method for measuring the similarity of an API-based software of a function using fuzzy hashing according to an embodiment of the present invention and a measurement system thereof will be described step by step with reference to the drawings.

Feature Extraction

Here, the software birthmark can be defined as a unique feature of the program.

The software similarity measurement system 10 proposed in the embodiment of the present invention is based on a procedure including an API call in programs with native codes that have been distributed. In other words, in one program we extract the following features:

- a set of procedures (API calls)

API call sequences of each procedure

- DDLLs and APIs information embedded in the target program

The method proposed by Yongman Han et al. Is characterized by extracting an API call sequence for the entire program area and generating a bus mark through the MD5 hash function.

The program basically consists of functions. Therefore, it is not appropriate to create a sequence for the entire area of the program. In addition, the cryptographic hash function is not suitable for similarity measurement, which is the initial motivation of the software bus mark because the original data is slightly changed even if the original data is slightly changed.

The software similarity measurement system 10 according to the embodiment of the present invention classifies instructions in a program that is first disassembled in order to extract the characteristics of the program. Next, a sequence of instructions for calling the API among the call instructions in each function is generated. Finally, the API call sequences of the functions generate their own values by the fuzzy hash function h and store them in the bus mark database.

As described above, since the fuzzy hash function for measuring the similarity of data is also not suitable to be applied to the entire data, in the embodiment of the present invention, Apply the fuzzy hash function to the scissors appropriately.

Generating Birthmark

In an embodiment of the present invention, a birthmark is based on an API call sequence on separate procedures of a program. On a given program P, the entire set of procedures P _f is represented by Equation (2) below.

Where m is the size of the API call sequence in a procedure, and API _m is an API call sequence with API _i ∈ P _f . At this time, the birth marking procedure is defined as follows.

Definition 6. (Birthmarking procedure) Suppose there is a procedure f ∈ P _f for a given program P. Let B _{f be} a function that creates a birthmark for the procedure. The procedure bus mark B _f (f _i ) is defined as the following equation (3).

Here, h represents the fuzzy hash function defined by Definition 4., and the procedure busmark extracted from each program in one program generates a value through a fuzzy hash function for similarity measurement . The above-mentioned conventional bus mark (Yongman Han et al.) Generates a value through the cryptographic hash function MD5 for the API call sequence extracted from the entire area of one program.

As described above, the method has some problems. Therefore, in order to improve the above-mentioned problem, m API cocole sequences {API ₁ , API ₂ , ..., API _m } A fuzzy hash function h is applied (see Equation 3)

Definition 7. (Program Birthmark) A procedure with size n in a given program P Let P = {f ₁ , f ₂ , ..., f _n } be the complete set of The program bus mark function B _p is defined as | Pf | by the procedure bus mark B _f (f _i ) = | Bp | → n defined by _f B (f _i) having a length and a list can be defined as the following equation 4].

Similarity measurement using fuzzy hashing

The fuzzy hash function used in the embodiment of the present invention is the above-mentioned Context-Triggered Piecewise Hashing (CTPH). The CTPH spamsum algorithm uses a weighted version of the edit distance formula developed for the actual USENET newsreader.

For the sake of clarity, the weighted edit distance is defined as e (s1, s2) given by s1 and s2 expressed by [Equation 6] and [Equation 7]. Where i is the number of insertions, d is the number of deletions, c is the number of changes, and w is the number of swaps. And, l ₁ and l ₂ are the respective lengths of s1 and s2.

The edit distance is rescaled from 0-64 to 0-100, 0 is converted to no homology (no homology), and 100 is considered to be almost the same file. The final match score M for strings of lengths l ₁ and l ₂ calculated by the following formula (8) is calculated by the following formula (8).

Where S represents the rescale constant and is rescaled and converted to a degree of file similarity from 0 - S to 0 - 100. For example, when S = 64 and 0 is rescaled to 100, it is recognized as the same file. Then, when S = 64 is rescaled to 0, it is recognized that there is no homology. (No homology) When S = 64 which is the default value, S and 64 items are deleted.

In the embodiment of the present invention, the following equation (9) for the match score M is finally defined as a similarity function Sim _f for the procedure bus mark. It is assumed that B _f (f ₁ ) → α and B _f (f ₂ ) → β are obtained from the two given procedure angles f ₁ and f ₂ .

Program similarity measurement

The task of the embodiment of the present invention is to measure the similarity between the two programs. For this purpose, a procedure birth mark using a fuzzy hash is used through a set of procedures in which an API call on the program is generated. &Lt; / RTI &gt; Measure the similarity between the two programs through the procedure's birthmark list.

Similarity measures are known as the Dice coefficient or Sorensen Index and are used for information retrieval. In the embodiment of the present invention, a function for measuring similarity between two programs is defined as follows.

Definition 8. (Program Similarity)

Suppose there are two programs or components P, Q ∈ Р. B _f (f _i ∈ P) → α _i and B _f (f _i ∈ Q) → β _i are the bus mark values extracted by the bus marking procedure function B _f . Then, the program similarity is defined by the following equation (10).

Where n and k denote the number of procedures including API calls for programs P and Q, and [alpha] _i and [beta] _i for each procedure extracted from both programs P and Q, _Bf .

Implementation

Hereinafter, the similarity measuring system 10 (birthmarking system) proposed in the embodiment of the present invention will be described in more detail. The software similarity measurement system 10 according to the embodiment of the present invention carries out a total of five steps. The first step receives the first program and stores the extracted birthmark in the database (bus mark DB) through four steps. Then, through two steps, measure the similarity with the procedure or the whole other program. The overall workflow for this is shown in Fig.

A software similarity system according to an embodiment of the present invention evaluates similarity through a total of five steps. Most of the previous researches have been proposed for evaluating the similarity of only two programs. However, the system proposed in the embodiment of the present invention is not limited to the procedure unit of every program stored in the database, Because of its similarity, it has the advantage of automating many programs and comparisons.

In addition, since the birthmark is stored separately in procedure units, partial similarity can be measured rather than the whole program. This is because, compared with the conventional technology in which the entire program is compared, It is also possible to detect the code. Also, the reduced bus bar mark information through the fuzzy hash is much more efficient than the comparison process for existing sequences.

Step 1 (step (a)):

The code region extracting unit (100) extracts a code region on the received program p. Here, the code area refers to a set of codes interpreted and executed by a microprocessor. Executable files have a specific format depending on the operating system. For example, the Windows platform has the PE format, and the UNIX and Linux operating systems have the ELF or COFF format.

Step 2 (step (b)):

The disassembling unit 200 disassembles the code region extracted in the step 1. Disassembly is necessary to identify the meaning of an instruction sequence and to distinguish a procedure and extract an API call sequence therein. In an embodiment of the present invention, distorm 3 is utilized to perform reliable and automated disassembly. In addition, in order to discriminate the procedure, step 3 is performed by recognizing the basic structure of the above procedure and executing a call instruction through a recursive decent disassembly method focusing on the control flow among the disassembly processing methods instruction (s).

Step 3 (step (c)):

The procedure separator 300 separates the disassembled instruction sequence of the program into a procedure. Also, those that do not cause API calls in each procedure are removed. The result at this stage is eventually a collection of API call sequences occurring within the procedure's unique name. A software similarity measurement system 10 and method in accordance with an embodiment of the present invention may provide for reviewing disassembly results for similar procedures. So you can optionally store the disassembly results.

Step 4 (step (d)):

The bus mark generating unit 400 generates a hash value through a fuzzy hash function on the API call sequence of the separated procedures and stores the hash value in the bus mark DB.

The storage of the bus mark DB can be made up of a table having information on an executable file and a table having a procedure list linked thereto. In the conventional technology, the number of DLLs and the number of APIs are stored for category classification. However, in the embodiment of the present invention, the number of DLLs and APIs is used to classify categories by identifying the characteristics of application aplications Proved that it is impossible in reality and can cause a lot of false positives.

Also, recent applications have many complex functions built in. Therefore, there is a high likelihood that a category will not be clearly classified, and it may be processed at a higher cost. Thus, the software similarity measurement system 10 and method according to the embodiment of the present invention focuses on the similarity of the program itself.

Similar Relation Assessment (step (e))

Similarity Measure If a Q at a given P, Q is derived from a source such as P (that is, a different version of the same program), then in an embodiment of the invention, P and Q are similar, . If P≈Q, then two values of α and β obtained by B _p (P) → α and B _p (Q) → β can be defined as α≈β.

Therefore, the similarity measurement function Sim _p (?,?) Can be defined by the following equation (11).

In the embodiment of the present invention, the threshold value was determined as? = 0.35. From the threshold value, the similarity range of [0.0, 0.35] is an independent classification criterion, [0.35, 0.65] is a noncritical classification criterion, and [0.65,1] to be.

Generally, although the prior arts have presented different thresholds epsilon, in the embodiment of the present invention the threshold value epsilon = 0.35 was determined based on experimental results based on the characteristics of resilience and credibility.

Evaluation and Evaluation

For the evaluation of the software similarity measurement system 10 and method according to the embodiment of the present invention, the experimental environment constituted the Intel Core i7 2.6 GHz, Memory 16Gb Windows 7 32 bit environment. The system is implemented in python, using pefile, distorm3, and sdeep packages. We also used IDA pro 6.1 from Hex-Rays for disassembly verification.

In the embodiment of the present invention, there are two evaluations. The first verifies the resilient of the birthmark and verifies the problems of the proposed approach in the conventional similarity measurement method.

The second verifies the credibility. This shows the relationship ≤ ε between independent programs. Finally, the performance of the system according to an embodiment of the present invention is verified.

version Specifications application (Version-specific Applications)

The first experiment in the embodiment of the present invention is to prove that the birthmarking system is resilient through a set of similar programs. To do this, we measure the similarity (v0.52-v0.62) similarity of the well-known version of putty to the remote terminal access program (see [Table 1]). The versions of each compiler were identified using the PEiD tool.

The 10 programs shown in [Table 1] have been modified from the original source code every time the version is updated. Thus, the embodiment of the present invention makes a hypothesis. First, each version of the putty program has some similarity to each other. The closer the second version is updated, the less similarity with the lower version, and the difference is the most similar to the oldest and latest version. Finally, similarities with yourself should always be 100% identical.

In an embodiment of the present invention, the first experiment proceeded in two ways. The first is a bus mark that extracts an API call sequence from the entire program proposed by the prior art (Yongman Han et al.) To generate a value using a fuzzy hash function, and the other is a bus mark Is a bus mark that extracts an API call sequence for each procedure and generates a value with a fuzzy hash function.

[Table 2] shows the results of API call sequence extraction from all areas of version programs for putty, and similarity measurement by generating bus marks through fuzzy hash function h, Highlights are shown for fields that are more than%.

From the results of the experiment in [Table 2], it is possible to find a problem in the study of the prior art (Yongman Han et al.). All similarity measurement results are 0.0, except for some versions. However, since Yongman Han et al. Applied the MD5 hash function, only the hash value corresponding to 1.0 will be valid. In addition, the API call sequence for a whole program can be generated by a similar program depending on the position of the procedure every time the program is compiled, irrespective of the characteristics of the program, Can be generated.

Therefore, the approach proposed in the prior art proves that the result of [Table 2] does not satisfy the resiliency which is characteristic of the software birthmark.

The novel API-based software birthmark proposed in the embodiment of the present invention is shown in Table 3 as an experimental result. Experimental results show that the full version of putty programs has a similarity of about 66%. In addition, when verifying by the hypothesis set forth in the embodiment of the present invention, the similarity decreases as the versions become larger, and the difference is that the similarity of the oldest version with the latest version is about 66% . Additionally, the 0.56 and 0.57 versions are the time when the compiler changed.

In order to demonstrate the characteristics of the reconstruction (definition 2) and reliability (definition 3), the embodiment of the present invention requires determination of the threshold value epsilon. In the foregoing, the threshold value is suitably determined by the experimental result of each method. In the first experimental results with the footty version specification, the resilience was satisfied with ε = 0.35. All versions of the PuTTY program showed the same results as in [Table 3]. Therefore, in the embodiment of the present invention, the threshold value? = 0.35 can be determined. Further, in order to satisfy the reliability, the threshold value? = 0.35. Detailed results of recoverability are shown in FIG. The graph shown in Fig. 7 is based on the data of [Table 2] and [Table 3].

As shown in FIG. 6, in the embodiment of the present invention, it has been proved through experiments that the degree of similarity decreases as the version is farther from itself (x = 0), and the software similarity measurement system 10 proposed in the embodiment of the present invention And confirm that the method satisfies the resiliency.

Other Application  Evaluation of other Applications

In the embodiment of the present invention, the second experiment is performed on independently implemented applications. As shown in Table 4, in the embodiment of the present invention, sample programs are classified into specific categories and selected. In addition, some programs were chosen to measure similarity by placing differences between the two versions. All programs have a PE format that can be run on Windows and are compiled for a 32-bit operating system.

As shown in Table 4, in the embodiment of the present invention, the reduction ratios of the bus marks using the original bus mark (including API call sequence only) and the fuzzy hashing were measured. The average reduction rate is about 41%. This means that the size of the bus mark is actually more effective for bus marking using fuzzy hashing than the original bus mark. It also means a reduction in the storage overhead for the database.

DLLs / APIs  Have free In filtering  Correlation Analysis for Pre-filtering with DLLs / APIs )

An API can be defined as a list of functions provided to developers who develop applications in an operating system. In particular, the Windows system loads modules encapsulated in DLLs into a shared memory so that it can be used by various applications.

If the DLLs are functionally separated, they must always reside in memory, separated by a large number of DLLs, so that the Windows system is divided into specific classes and resident in memory. For this reason, it is not possible to distinguish the nature of the application by only names such as USER32.dll, KERNEL32.dll, and ADVAPI32.dll that are not clearly distinguished by function.

In addition, in recent years, it has been difficult to judge the characteristics of an application merely by the number of API calls with the appearance of applications having a complex function according to a request of a user.

In the embodiment of the present invention, as described above, this problem has been pointed out and in order to verify this, the top 50 for the API call frequency of the program and the correlation analysis with the program in the same category, And is shown in Fig.

As shown in FIG. 8, each graph is a correlation coefficient for an API call generation frequency of two programs for each sample program. The correlation coefficient values for each category are evaluated very low, which means that categories can not be categorized only by the names and number of DLLs and APIs proposed in the prior art (Yongman Han et al.).

As described above, in the embodiment of the present invention, a software similarity measuring system (10) (birthmarking system) and a method thereof are proposed in which a fuzzy hashing is applied to an API call sequence separated by a procedure.

The embodiments of the present invention also improved the recent software birthmark system proposed in the prior art and conducted experiments to verify it. Software similarity measurement or software birthmark has traditionally been studied to satisfy both attributes of resiliency and credibility.

In the embodiment of the present invention, in the experiment, the resiliency was evaluated through putty programs of different versions of the same program, and the problems of the approach proposed in the prior art were verified. As a result, it was found that the software similarity system proposed in the embodiment of the present invention is superior.

In the experiment to evaluate the credibility, 18 applications were selected for each category. Among them, similarities were measured including other versions of the same program, and as a result, we were able to distinguish correctly.

It also pointed out a problem with the category classification of the bus mark approach proposed in the prior art (Yongman Han et al.), Which was confirmed through experiments performed in the embodiments of the present invention. We performed correlation analysis with the programs of the same category through the top 50 APIs of the call frequency of each program and the number of times, and all the results showed that they have low correlation. Therefore, we could get the result that the proposed approach could not classify functional categories of programs.

That is, in the embodiment of the present invention, as a technique for improving the bus marking system or the software similarity measurement system 10 proposed in the prior art (Yongman Han et al.), A software birthmark is a program Extracts the API call sequence from a partitioned procedure for native code and generates it through a fuzzy hash function. A fuzzy hash is a hash function proposed to measure the similarity of data, unlike the traditional cryptographic hash function.

In the embodiment of the present invention, since the API call sequence is extracted on a procedure-by-procedure basis, the feature can be reflected on the birthmark without being affected by the compiler. This is a clear improvement of the conventional birthmark and proved through experimentation.

Further, as another embodiment of the present invention, a computer program stored in a computer-readable medium for executing the slope stability evaluation method using the three-dimensional topography model and soil classification combined with hardware may be used.

That is, the apparatus according to the embodiment of the present invention can be implemented as a computer-readable code on a computer-readable recording medium. A computer-readable recording medium includes all kinds of recording apparatuses in which data that can be read by a computer system is stored. Examples of the recording medium include ROM, RAM, optical disk, magnetic tape, floppy disk, hard disk, nonvolatile memory and the like. The computer-readable recording medium may also be distributed over a networked computer system so that computer readable code can be stored and executed in a distributed manner.

The embodiments and the accompanying drawings described in the present specification are merely illustrative of some of the technical ideas included in the present invention. Accordingly, the embodiments disclosed herein are for the purpose of describing rather than limiting the technical spirit of the present invention, and it is apparent that the scope of the technical idea of the present invention is not limited by these embodiments. It will be understood by those of ordinary skill in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.

10: similarity measurement system, 100: code region extraction unit
200: Disassembly unit 300: Procedure separation unit
400: bus mark generating unit 500: similarity measuring unit

Claims (16)

(a) extracting a code area from an input program;
(b) disassembling the extracted code region;
(c) separating an instruction sequence of a disassembled program into a procedure;
(d) generating a hash value through a fuzzy hash function on the API call sequence of the separated procedures and storing the hash value in the bus mark DB; And
(e) measuring the similarity of the input program using the stored hash value. &lt; Desc / Clms Page number 19 &gt; The method according to claim 1,
Wherein the code region comprises:
And a set of codes that are interpreted and executed by the microprocessor. The method according to claim 1,
The step (b)
And recognizing reference procedures for a call instruction using a recursive decent disassembly scheme for the extracted code region. &Lt; RTI ID = 0.0 &gt; 8. &lt; / RTI & Based software similarity measure. The method according to claim 1,
The step (c)
And removing a procedure that does not cause an API call in each of the separated procedures. The method according to claim 1,
The step (c)
And selectively storing the separated procedures in a procedure DB. A method of measuring similarity of an API-based software of a function using fuzzy hashing. The method according to claim 1,
The step (d)
And storing the generated hash value in a database in the form of an executable file table having information on the executable file and a list table provided with a procedure list linked to the executable file table, Based software similarity measure. The method according to claim 1,
The step (e)
Wherein the hash value generated in the steps (a) through (e) of the input program is determined by using a similarity measure function, using the stored hash value, based on the API of the function using fuzzy hashing A method for measuring similarity of software. The method of claim 7,
Wherein the similarity measure function comprises:

(Where? Represents a threshold value, and represents a bus mark value generated through B _f for each procedure extracted from the programs? And Q for each? And?). A method for measuring the similarity of API based software of a function using fuzzy hashing. A code region extraction unit for receiving a program and extracting a code region;
A disassembly unit for disassembling the extracted code region;
A procedure separator for separating an instruction sequence of a disassembled program into a procedure;
A bus mark generating unit for generating a hash value through a fuzzy hash function on the API call sequence of the separated procedures and storing the hash value in the bus mark DB; And
And a similarity measuring unit for measuring the similarity of the inputted program using the stored hash value. The method of claim 9,
The disassembling unit includes:
Characterized in that the extracted code area is recognized by recursive decent disassembly to reference procedures for a call instruction. Similarity measurement system. The method of claim 9,
Wherein the procedure separator comprises:
And removing the procedure that does not cause the API call in each of the separated procedures. The method of claim 9,
Wherein the procedure separator comprises:
And the stored procedure is selectively stored in the procedure DB. The system for measuring similarity of an API-based software of a function using fuzzy hashing. The method of claim 9,
Wherein the birthmark generating unit comprises:
Wherein the generated hash value is constituted by an executable file table having information on an executable file and a list table provided with a procedure list linked to an executable file table and stored in a bus mark DB. Based software similarity measurement system. The method of claim 9,
Wherein the similarity measuring unit comprises:
Wherein the hash value of the input program generated using the stored hash value is used to determine the program similarity through the similarity measure function. 15. The method of claim 14,
Wherein the similarity measure function comprises:

(Where? Represents a threshold value, and represents a bus mark value generated through B _f for each procedure extracted from the programs? And Q for each? And?). Similarity measurement system for API based software of functions using fuzzy hashing. Combined with hardware,
A computer program stored on a computer-readable medium for executing a method of determining the similarity of an API-based software of a function using the fuzzy hashing of claim 1.

Images