A detection framework for semantic code clones and obfuscated code

•Detecting obfuscated code and code clones based on semantics is challenging.•Unique dual detection framework proposed for both code obfuscation and clones.•Novel code semantic features are used based on Java BDG, PDG & AST.•Extensive experiments established the superiority of our framework. Cod...

Full description

Saved in:
Bibliographic Details
Published in:Expert systems with applications 2018-05, Vol.97, p.405-420
Main Authors: Sheneamer, Abdullah, Roy, Swarup, Kalita, Jugal
Format: Article
Language:English
Subjects:
Artificial intelligence
Bytecode dependency graph
Code obfuscation
Codes
Computer viruses
Dependence
Detectors
Feature extraction
Fragments
Graphs
Intellectual property
Machine learning
Malware
Model accuracy
Program dependency graph
Semantic code clones
Semantics
Software
Citations: Items that this one cites
Items that cite this one
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:•Detecting obfuscated code and code clones based on semantics is challenging.•Unique dual detection framework proposed for both code obfuscation and clones.•Novel code semantic features are used based on Java BDG, PDG & AST.•Extensive experiments established the superiority of our framework. Code obfuscation is a staple tool in malware creation where code fragments are altered substantially to make them appear different from the original, while keeping the semantics unaffected. A majority of the obfuscated code detection methods use program structure as a signature for detection of unknown codes. They usually ignore the most important feature, which is the semantics of the code, to match two code fragments or programs for obfuscation. Obfuscated code detection is a special case of the semantic code clone detection task. We propose a detection framework for detecting both code obfuscation and clone using machine learning. We use features extracted from Java bytecode dependency graphs (BDG), program dependency graphs (PDG) and abstract syntax trees (AST). BDGs and PDGs are two representations of the semantics or meaning of a Java program. ASTs capture the structural aspects of a program. We use several publicly available code clone and obfuscated code datasets to validate the effectiveness of our framework. We use different assessment parameters to evaluate the detection quality of our proposed model. Experimental results are excellent when compared with contemporary obfuscated code and code clone detectors. Interestingly, we achieve 100% success in detecting obfuscated code based on recall, precision, and F1-Score. When we compare our method with other methods for all of obfuscations types, viz, contraction, expansion, loop transformation and renaming, our model appears to be the winner. In case of clone detection our model achieve very high detection accuracy in comparison to other similar detectors.
ISSN:0957-4174
1873-6793
DOI:10.1016/j.eswa.2017.12.040