Accelerating Cyber Vulnerability Analysis with Binary Files Rendered as Images

Challenge:

The keystone of cyber vulnerability analysis is accurate scrutiny of raw binary data. A typical suspect data stream may contain billions of bits, which complicates the analysis process. Traditional analytic tools rely on binary files being organized in a standard structure with a header and signature. Unfortunately, malware often modifies that established structure in order to hide malicious code. A modified structure breaks traditional tools, which forces analysts to manually examine mountains of raw data with a hex editor. Manual analysis of a data stream requires skilled experts doing tedious work that can take weeks or months. Even then, discovery of the vulnerability might occur long after a hidden exploit has executed.

Solution:

Battelle created Cantor Dust, a unique interactive software tool that renders binary files as images to speed the process of data-stream analysis. By translating binary information into a visual abstraction, reverse engineers and forensic analysts can sift through mountains of arbitrary data in seconds. Even previously unseen instruction sets and data formats can be easily located and understood through their visual fingerprint. Whether searching for exploitable code, stealthy malware, cryptographic keys, or network anomalies, Cantor Dust uses advanced statistical analysis to provide new visual translation techniques that dramatically accelerate the analysis process for security investigators of all backgrounds. A primary use is condensing complex binary structure into simple visual patterns that quickly reveal deviations in structure, such as those created by steganographic techniques that hide messages in data.

Outcome:

Battelle’s Cantor Dust is helping reverse engineers and forensic analysts use interactive imagery to sift through megabytes of arbitrary data in seconds and immediately identify structural deviations that lead to the identification of malware and other vulnerabilities. Without Cantor Dust, investigators must rely on arduous manual analysis that often yields no results.