FuncNet: A Euclidean Embedding Approach for Lightweight Cross-platform Binary Recognition

Reverse analysis is a necessary but manually dependent technique to comprehend the working principle of new malware. The cross-platform binary recognition facilitates the work of reverse engineers by identifying those duplicated or known parts compiled from various platforms. However, existing approaches mainly rely on raw function bytes or cosine embedding representation, which have either low binary recognition accuracy or high binary search overheads on real-world binary recognition tasks. In this paper, we propose a lightweight neural network-based approach to generate the Euclidean embedding (i.e., a numeric vector), based on the control flow graph and callee's interface information of each binary function, and classify the embedding vectors with an Euclidean distance sensitive artificial neural network. We implement a prototype called FuncNet, and evaluate it on real-world projects with 1980 binaries, about 2 million function pairs. The experiment result shows that its accuracy outperforms state-of-the-art solutions by over 13% on average and the binary search on big datasets can be done with constant time complexity.