2-SPIFF: a 2-stage packer identification method based on function call graph and file attributes

Most malware employs packing technology to escape detection; thus, packer identification has become increasingly important in malware detection. To improve the accuracy of packer identification, this article analyses the differences in the function call graph (FCG) and file attributes between non-packed executable files and executable files packed by different packers, and further proposes a 2-stage packer identification method based on FCG and file attributes (2-SPIFF). In 2-SPIFF, the detection model of stage I distinguishes non-packed executable files from packed executable files using the graph features extracted from the FCG, while the identification model of stage II identifies the packer used to pack the original executable file using the concatenated features extracted from the FCG and the file attributes. The experimental results show that 2-SPIFF achieves an accuracy of 99.80% for packer detection and 98.49% for packer identification.
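The two-stage flow described above, as an added illustration that is not the paper's code: stage I decides packed versus non-packed from FCG graph features alone, and stage II runs only on packed files, over the FCG features concatenated with file-attribute features. The concrete feature sets, the rule-based stand-ins for the trained models, the packer labels and the sample graphs are all assumptions constructed for this example.

```python
import math
from collections import defaultdict

def fcg_features(edges):
    """Stage I features from a function call graph given as (caller, callee) edges.
    Feature set (size, density, degree stats, leaf ratio) is an assumption; the
    abstract does not list the paper's exact graph features."""
    nodes = {v for e in edges for v in e}
    out_deg, in_deg = defaultdict(int), defaultdict(int)
    for caller, callee in edges:
        out_deg[caller] += 1
        in_deg[callee] += 1
    n, m = len(nodes), len(edges)
    density = m / (n * (n - 1)) if n > 1 else 0.0
    leaves = sum(1 for v in nodes if out_deg[v] == 0)   # functions that call nothing
    return [n, m, density, max(in_deg.values(), default=0), leaves / n if n else 0.0]

def byte_entropy(data):
    """Shannon entropy (bits per byte) of a byte string; packed code sits near 8."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)

def file_features(sections, imports, code_sample):
    """Stage II file-attribute features (assumed set: section count, non-standard
    section names, import count, entropy of a code sample)."""
    standard = {".text", ".data", ".rdata", ".rsrc", ".reloc", ".idata"}
    odd = sum(1 for s in sections if s not in standard)
    return [len(sections), odd, len(imports), byte_entropy(code_sample)]

def two_stage_identify(edges, sections, imports, code_sample, stage1, stage2):
    """Stage I decides packed vs non-packed on FCG features alone; stage II runs
    only for packed files, on FCG features concatenated with file attributes."""
    g = fcg_features(edges)
    if not stage1(g):
        return "not-packed"
    return stage2(g + file_features(sections, imports, code_sample))

# Stand-ins for the paper's trained models (hypothetical rules, not the real classifiers):
# a packer stub exposes very few functions; the packer labels are placeholders.
stage1_rule = lambda f: f[0] < 10
stage2_rule = lambda f: "PACKER_A_PLACEHOLDER" if f[-1] > 7.0 else "PACKER_B_PLACEHOLDER"

# Constructed samples: a tiny unpacking stub versus a normal program with many callees.
PACKED_EDGES = [("start", "unpack"), ("unpack", "decrypt"), ("unpack", "jump_oep")]
PLAIN_EDGES = [("main", f"f{i}") for i in range(12)] + [("f0", "f1"), ("f1", "f2")]

if __name__ == "__main__":
    print(two_stage_identify(PACKED_EDGES, [".text", "pk0"], ["LoadLibraryA"],
                             bytes(range(256)), stage1_rule, stage2_rule))
    print(two_stage_identify(PLAIN_EDGES, [".text", ".data"], ["printf"] * 5,
                             b"\x90" * 64, stage1_rule, stage2_rule))
```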
