Comments on: Birthmarks for GPL http://madisonian.net/2007/08/26/birthmarks-for-gpl/ a blog about law, tech, culture, and related things Sat, 11 Feb 2012 02:59:42 -0600 http://wordpress.org/?v=2.8.4 hourly 1 By: Bruce Boyden http://madisonian.net/2007/08/26/birthmarks-for-gpl/comment-page-1/#comment-224130 Bruce Boyden Mon, 27 Aug 2007 16:03:41 +0000 http://madisonian.net/archives/2007/08/26/birthmarks-for-gpl/#comment-224130 I'm curious why this works. Wouldn't two programs that do roughly the same thing, e.g., Word and WordPerfect, make a lot of the same API calls in the same order? But I notice there's barely any overlap between the various PNG and XML readers tested in the paper. I’m curious why this works. Wouldn’t two programs that do roughly the same thing, e.g., Word and WordPerfect, make a lot of the same API calls in the same order? But I notice there’s barely any overlap between the various PNG and XML readers tested in the paper.

]]> By: James Grimmelmann http://madisonian.net/2007/08/26/birthmarks-for-gpl/comment-page-1/#comment-224129 James Grimmelmann Mon, 27 Aug 2007 05:25:30 +0000 http://madisonian.net/archives/2007/08/26/birthmarks-for-gpl/#comment-224129 k-gram call sequence analysis can be surprisingly powerful; it does seem that a program's sequence of API calls is a reasonably hard-to-change property. As an undergraduate, I saw a presentation of some of the "computer immunology" research cited by this paper: the reasoning goes that a novel sequence of API calls is evidence of a new program running (which could be a piece of malware). This paper just inverts that logic: a familiar sequence of API calls is evidence that the "new" program is an old program in disguise. I'm surprised that they don't extend the binary nature of this "birthmark" to keep a statistical count of the sequences. At least for programs executing similar tasks, it would seem that the frequency of a k-gram would be even more revealing that whether that sequence was executed at all. k-gram call sequence analysis can be surprisingly powerful; it does seem that a program’s sequence of API calls is a reasonably hard-to-change property. As an undergraduate, I saw a presentation of some of the “computer immunology” research cited by this paper: the reasoning goes that a novel sequence of API calls is evidence of a new program running (which could be a piece of malware). This paper just inverts that logic: a familiar sequence of API calls is evidence that the “new” program is an old program in disguise.

I’m surprised that they don’t extend the binary nature of this “birthmark” to keep a statistical count of the sequences. At least for programs executing similar tasks, it would seem that the frequency of a k-gram would be even more revealing that whether that sequence was executed at all.

]]>