Comments on: Getting Started with Savarin

By: Matthieu

Matthieu — Sat, 23 Jan 2010 13:48:25 +0000

No problem, I’ll keep you updated via e-mail. But don’t be afraid I think you’ll be quicker. I’m a bit tired by publications, reviewers and stupid bibliometric indices. Moreover, I’ll have to find a job and publications don’t necessarily help.
But that’s an other matter ^^.

By: Silvio Cesare

Silvio Cesare — Fri, 22 Jan 2010 16:13:15 +0000

Hi. It’s interesting because I have based some new work on/related to that paper also. You may have seen a twitter post of mine recently which linked that paper as I had also done an implementation of it – except I don’t do vertex colouring. I was hoping to publish later in the year – I have a working system also and I think the results are good – its efficient and effective. I have this vision that we might both be doing the same thing, because it seems a natural progression from existing literature – especially when applied to malware, because the kruegel paper is primarily about the simpler case of worm detection and doesn’t continue on with the traditional approach *wink*. The 2 papers I am publishing currently take a different approach and are not related to the kruegel paper.

I think for my case a patent would be hard to obtain because of existing work in the kruegel paper. I actually have 2 variations, and 1 is somewhat different, while the other variation is very similar. But still I think of a prior art issue.

If you publish, give me a warning if possible before you submit, so I have the option of submitting to another conference or journal independently. I can tell you also when I am intending to submit. I was hoping to postpone writing a paper for a while however while I finished my thesis.

The research world on this problem is really small it seems.

By: Matthieu

Matthieu — Fri, 22 Jan 2010 15:23:49 +0000

Hi Silvio,
We don’t do largest common sub-graph but common subgraphs. The best paper on this approach (I think, but yours have not appeared yet ;)) is the one of Kruegel on worm detection http://www.cs.ucsb.edu/~seclab/projects/polyworms/index.html. I should add a link on savarin.

The details on the method are not explained in the papers provided on savarin, perhaps in a future publication or in a patent. But the technology used to do it, is the one explained in the papers.

Moreover savarin don’t identify common code but common structures, that is common sub-CFG.

Although, with some work you should be able to do largest common subgraph with automata techniques ;).

I’m on hollydays between two trains… do not hesitate to ask precision but I may be a bit long to answer.

–
Matthieu

By: dan

dan — Fri, 22 Jan 2010 08:47:13 +0000

I’ll let the Savarin guru answer in person if you don’t mind ^^

By: Silvio Cesare

Silvio Cesare — Thu, 21 Jan 2010 23:59:23 +0000

A quick additional comment because you say that savarin identifies the common code between samples as shown in the screenshots. This does not appear to be the largest common subgraph identification. I’d be interested in having this explained to me, because it seems I must not have understood the original papers if this is the case.

By: Silvio Cesare

Silvio Cesare — Thu, 21 Jan 2010 23:52:37 +0000

Hi. I agree that savarin is a great service to provide for malware analysis. I am curious about the similarity function you demonstrated where there was a similarity of 41% etc. Is this based on the largest common subgraph? The papers that savarin is based on, to my knowledge, work on fast isomorphisn and maximum common subgraph testing. So am I presuming correctly that there is some similarity function in the vein of s=|maximum_common_subgraph(a, b)|/max(|a|, |b|). I can't recall this function being described in the savarin papers.