Packer Detection for Multi-Layer Executables Using Entropy Analysis

Packing algorithms are widely used to evade anti-malware systems, and the proportion of packed malware has been growing rapidly. However, only a few studies have addressed the detection of various types of packing algorithms in a systematic way. Motivated by this, we propose a method that classifies the packing of a given executable into one of three categories: single-layer packing, re-packing, or multi-layer packing. We compute entropy values over the executable image loaded into memory and convert them into a symbolic representation using SAX (Symbolic Aggregate Approximation). In experiments on 2196 programs and 19 packing algorithms, our method achieves a precision of 97.7%, an accuracy of 97.5%, and a recall of 96.8%, which confirms that entropy analysis is applicable to identifying packing algorithms.
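The pipeline sketched in the abstract (windowed entropy over a memory image, then SAX to turn the entropy curve into a short symbol string) is shown below as an added example; it is not the authors' code, and the window size, the number of PAA segments, the alphabet size and the sample image are all assumptions chosen for illustration. The Gaussian breakpoints are the ones published for SAX (Lin and Keogh, 2003) for alphabets of size 3 to 5. Instead of a real dumped process image the example constructs a byte string with three regions whose entropies are known exactly: zero padding (0 bits/byte), a uniform byte distribution standing in for a compressed or encrypted payload (8 bits/byte), and a 16-value region standing in for ordinary code (4 bits/byte).

```python
import math
from collections import Counter

# Gaussian breakpoints used by SAX (Lin, Keogh et al., 2003) for alphabet sizes 3..5.
# They split a z-normalised series into equiprobable bands.
SAX_BREAKPOINTS = {
    3: [-0.43, 0.43],
    4: [-0.67, 0.0, 0.67],
    5: [-0.84, -0.25, 0.25, 0.84],
}


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a byte block in bits per byte (0.0 for a constant block, 8.0 for uniform)."""
    if not block:
        return 0.0
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())


def entropy_series(image: bytes, window: int = 256) -> list[float]:
    """Slide a fixed-size, non-overlapping window over the image and record each window's entropy."""
    return [shannon_entropy(image[i:i + window]) for i in range(0, len(image), window)]


def paa(series: list[float], segments: int) -> list[float]:
    """Piecewise Aggregate Approximation: average the series over `segments` equal-length pieces."""
    n = len(series)
    segments = max(1, min(segments, n))  # never create more segments than points
    out = []
    for s in range(segments):
        lo, hi = s * n // segments, (s + 1) * n // segments
        out.append(sum(series[lo:hi]) / (hi - lo))
    return out


def sax(series: list[float], segments: int = 8, alphabet: int = 3) -> str:
    """Z-normalise, reduce with PAA, and map each segment mean to a letter ('a' = lowest band)."""
    if alphabet not in SAX_BREAKPOINTS:
        raise ValueError("alphabet size must be 3, 4 or 5")
    mean = sum(series) / len(series)
    std = math.sqrt(sum((x - mean) ** 2 for x in series) / len(series))
    # A flat entropy profile has no variance; treat every point as the middle band.
    z = [0.0] * len(series) if std < 1e-9 else [(x - mean) / std for x in series]
    breakpoints = SAX_BREAKPOINTS[alphabet]
    return "".join(chr(ord("a") + sum(1 for b in breakpoints if v > b)) for v in paa(z, segments))


def build_sample_image() -> bytes:
    """Constructed stand-in for a dumped process image (assumption, not real malware data)."""
    zero_pad = bytes(256) * 4                                   # 4 windows of 0x00: entropy 0.0
    packed = bytes(range(256)) * 4                              # every byte value once: entropy 8.0
    code = bytes(b for b in range(16) for _ in range(16)) * 4   # 16 values x 16 each: entropy 4.0
    return zero_pad + packed + code


def profile_image(image: bytes, window: int = 256, segments: int = 3, alphabet: int = 3) -> dict:
    """Return the entropy curve and its SAX word; the word is the feature a classifier would consume."""
    series = entropy_series(image, window)
    return {"entropy": series, "word": sax(series, segments, alphabet)}


if __name__ == "__main__":
    result = profile_image(build_sample_image())
    print("entropy per window:", [round(e, 2) for e in result["entropy"]])
    print("SAX word:", result["word"])  # low, high, medium -> "acb"
```

On the constructed image the entropy curve is four windows at 0, four at 8 and four at 4, and with three segments and a three-letter alphabet the SAX word is "acb": a low band (padding), a high band (packed payload) and a middle band (code). A real classifier would run over snapshots taken while the sample unpacks, and a multi-layer packer shows up as repeated high-to-lower transitions rather than a single one. Two caveats a practitioner should keep in mind: the entropy of a window depends on the window size, so the word is only comparable across samples that use the same parameters, and packers can deliberately flatten the entropy profile (for example by padding or choosing an encoding with a skewed byte distribution), so entropy alone should not be the sole packing indicator.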
