Multi-threaded On-the-Fly Model Generation of Malware with Hash Compaction

2016 
This paper introduces a multi-threaded implementation of our binary code analyzer BE-PUM for malware. On-the-fly model generation by BE-PUM is combined with duplicate detection and hash compaction to minimize resource consumption. The method operates in three phases: parallel expansion of states, duplicate detection, and update of the state space. A notable feature of the algorithm is that it requires very little synchronization or cooperation between threads, which is often the bottleneck of multi-threading, thanks to a strategy of local resource management. Experiments on 125 real-world malware samples show a good performance improvement.
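To make the three-phase scheme concrete, the following is an added example (written for this page, not BE-PUM's code) of on-the-fly state-space generation with hash compaction: the global visited set holds only an 8-byte digest per state, full states live only in the current frontier, and each round runs (1) parallel expansion, where every worker filters its own successors against a private dictionary and a read-only snapshot of the global digest set, (2) duplicate detection, where the main thread merges the workers' candidates so a state produced by two workers in the same round is kept once, and (3) the state-space update. No locks are taken; the only synchronization is the barrier at the end of each round. The register-machine program, its `nondet` instruction (a stand-in for an unknown input that makes the model branch), the digest width and the function names are constructed assumptions; real BE-PUM analyzes x86 malware binaries, which this toy does not model. The practitioner's caveat on hash compaction is that a digest collision silently merges two distinct states, so one unexplored path is lost with probability on the order of n²/2⁶⁵ for n states and a 64-bit digest; size the digest for the expected state count.

```python
"""Multi-threaded on-the-fly state exploration with hash compaction.

Added example, not BE-PUM's code. The toy program and names are
constructed for illustration.
"""
import hashlib
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, List, Set, Tuple

State = Tuple[int, Tuple[int, int, int]]  # (pc, (a, b, c))
REG = {"a": 0, "b": 1, "c": 2}

# Constructed toy program. "nondet" assigns {0, 1} to a register, which
# stands in for an unknown input and makes the state space branch.
PROGRAM = [
    ("nondet", "a"),          # 0: a <- {0, 1}
    ("nondet", "b"),          # 1: b <- {0, 1}
    ("add", "c", "a", "b"),   # 2: c = a + b
    ("jnz", "c", 5),          # 3: if c != 0 goto 5
    ("halt",),                # 4: stop
    ("dec", "c"),             # 5: c -= 1
    ("jmp", 3),               # 6: goto 3
]

DIGEST_BYTES = 8  # hash compaction: 8 bytes stored per visited state


def compact(state: State) -> bytes:
    """Fixed-width digest of a canonical state encoding (assumed width)."""
    pc, regs = state
    raw = pc.to_bytes(2, "little") + b"".join(
        r.to_bytes(2, "little", signed=True) for r in regs)
    return hashlib.sha256(raw).digest()[:DIGEST_BYTES]


def successors(state: State) -> List[State]:
    """Concrete successor states of one state under PROGRAM."""
    pc, regs = state
    if pc >= len(PROGRAM):
        return []
    op = PROGRAM[pc]
    r = list(regs)
    if op[0] == "nondet":
        out = []
        for v in (0, 1):
            r2 = list(regs)
            r2[REG[op[1]]] = v
            out.append((pc + 1, tuple(r2)))
        return out
    if op[0] == "add":
        r[REG[op[1]]] = r[REG[op[2]]] + r[REG[op[3]]]
        return [(pc + 1, tuple(r))]
    if op[0] == "dec":
        r[REG[op[1]]] -= 1
        return [(pc + 1, tuple(r))]
    if op[0] == "jnz":
        return [(op[2] if r[REG[op[1]]] != 0 else pc + 1, tuple(r))]
    if op[0] == "jmp":
        return [(op[1], tuple(r))]
    if op[0] == "halt":
        return []
    raise ValueError(op)


def expand(chunk: List[State], known: Set[bytes]) -> Dict[bytes, State]:
    """Phase 1, run by one worker: expand its chunk of the frontier.

    Duplicates are filtered against a thread-private dict and a read-only
    snapshot of the global digest set, so no lock is needed.
    """
    local: Dict[bytes, State] = {}
    for s in chunk:
        for nxt in successors(s):
            d = compact(nxt)
            if d in known or d in local:
                continue
            local[d] = nxt
    return local


def explore(initial: State, workers: int = 4) -> Dict[str, int]:
    """Round-based exploration: expand in parallel, dedupe, update."""
    known: Set[bytes] = {compact(initial)}   # only digests are retained
    frontier: List[State] = [initial]        # full states, current round only
    rounds = 0
    with ThreadPoolExecutor(max_workers=workers) as pool:
        while frontier:
            rounds += 1
            chunks = [frontier[i::workers] for i in range(workers)]
            # Phase 1: parallel expansion; `known` is not written until
            # every worker has returned, so it is a safe read-only snapshot.
            results = list(pool.map(lambda c: expand(c, known), chunks))
            # Phase 2: cross-worker duplicate detection on the main thread.
            fresh: Dict[bytes, State] = {}
            for local in results:
                for d, s in local.items():
                    if d not in known and d not in fresh:
                        fresh[d] = s
            # Phase 3: update the compacted state space and next frontier.
            known.update(fresh)
            frontier = list(fresh.values())
    return {"states": len(known), "rounds": rounds,
            "bytes_per_state": DIGEST_BYTES}


def reference_count(initial: State) -> int:
    """Sequential full-state DFS, used to check the compacted result."""
    seen = {initial}
    stack = [initial]
    while stack:
        for s in successors(stack.pop()):
            if s not in seen:
                seen.add(s)
                stack.append(s)
    return len(seen)


if __name__ == "__main__":
    print(explore((0, (0, 0, 0)), workers=4))
```

Because the workers only read the shared digest set and write to their own dictionaries, the result is independent of the worker count; comparing `explore` against `reference_count` is the cheap way to confirm that compaction did not lose a state on a given input, though it cannot rule out collisions on inputs you did not check.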