Explaining Binary Obfuscation

CSR (2023)

Abstract
Binary obfuscation is a very broad set of techniques widely employed in the context of code protection from piracy. However, it is also used for malicious goals; e.g., virus writers often employ obfuscation in order to evade signature-based antivirus detection. Thus, the ability to detect whether an executable has been obfuscated is of paramount importance, as it makes it possible to thwart the execution of potentially malicious code. The task of detection, however, is not easy, since many different obfuscating transformations exist and the alteration of the original code is not always easily detectable. In this paper, we want to shed light on the blurry task of obfuscation detection. We will look at this task through the brand-new lens of explainable artificial intelligence (XAI), in order to finally sharpen the obscure landscape of obfuscated software. Thanks to XAI, we will be able to identify the relevant features altered by the transforming obfuscation as well as the invariant ones, which can be used for obfuscation-resistant malware signatures. We show our findings through an evaluation on a dataset of obfuscated and non-obfuscated binaries, explaining the important features that lead to the detection of obfuscating transformations.
Keywords
binary obfuscation, code protection, evade signature-based antivirus detection, explainable artificial intelligence, nonobfuscated binaries, obfuscated software, obfuscation-resistant malware signatures, piracy, potentially malicious code, transforming obfuscation, virus writers, XAI