• DocumentCode
    680920
  • Title

    Behavior Analysis via Execution Path Clusters

  • Author

    Cathey, Rebecca ; Frazier, Gregory ; Weber, Matthias

  • Author_Institution
    BAE Syst., Arlington, VA, USA
  • fYear
    2013
  • fDate
    18-20 Nov. 2013
  • Firstpage
    974
  • Lastpage
    979
  • Abstract
    As the presence of malware increases in binary applications, behavior analysis is rapidly becoming necessary. We examine the application of execution path clustering and information pedigree analysis to analyze the behaviors of an application. An execution path is the sequence of basic blocks in a binary that are executed in response to a given input. One execution path represents a specific behavior of the application; likewise, similar execution paths define similar application behaviors. We cluster dynamic execution paths using the hierarchical agglomerative clustering algorithm to characterize program behavior. Furthermore, through comparisons between clusters, we can use information pedigree analysis to identify the modal inputs which cause the execution of unique behaviors within a cluster. Through this form of modality analysis, we can identify the modal inputs which control the mode in which the application executes. This approach allows us to automatically elicit the specification of software for which we only have the binary image. To assess the utility of this approach, we report on experiments conducted against a set of test Android applications.
  • Keywords
    Android (operating system); formal specification; invasive software; pattern clustering; Android applications; automatic software specification elicitation; behavior analysis; dynamic execution path clustering; hierarchical agglomerative clustering algorithm; information pedigree analysis; malware presence; modality analysis; program behavior characterization; Accuracy; Androids; Calculators; Clustering algorithms; Humanoid robots; Malware; Vectors; Execution path clustering; information pedigree analysis; modality analysis;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Military Communications Conference, MILCOM 2013 - 2013 IEEE
  • Conference_Location
    San Diego, CA
  • Type

    conf

  • DOI
    10.1109/MILCOM.2013.169
  • Filename
    6735750