论文信息 - Packed PE File Detection for Malware Forensics

Packed PE File Detection for Malware Forensics

In malware accident investigation, the most important thing is detection of malicious code. Signature based anti-virus software have been used in most of the accident. Malware can easily avoid signature based detection by using packing or encryption method. Because of this, packed file detection is also important. Detection methods can be divided into signature based detection and entropy based detection. Signature based detection can not detect new packing. And entropy based detection has a problem with false positive. We provides detection method using entropy statistics of the entry point section and 'write' properties of essential characteristic of packed file. And then, we show packing detection tool and evaluate its performance. Keywords-component; malware forensics; PE file analysis; entropy; packing detection

Sangjin Lee | Keungi Lee | Seungwon Han

[1] Yang-seo Choi,et al. PE File Header Analysis-Based Packed PE File Detection Technique (PHAD) , 2008, International Symposium on Computer Science and its Applications.

[2] Robert Lyda,et al. Using Entropy Analysis to Find Encrypted and Packed Malware , 2007, IEEE Security & Privacy.

[3] Tzi-cker Chiueh,et al. A Study of the Packer Problem and Its Solutions , 2008, RAID.

[4] Stefan Katzenbeisser,et al. Software transformations to improve malware detection , 2007, Journal in Computer Virology.

[5] Thomas M. Cover,et al. Elements of Information Theory , 2005 .

[6] Thomas M. Cover,et al. Elements of Information Theory: Cover/Elements of Information Theory, Second Edition , 2005 .

[7] Danilo Gligoroski,et al. Bypassing Data Execution Prevention on MicrosoftWindows XP SP2 , 2007, The Second International Conference on Availability, Reliability and Security (ARES'07).

[8] Eoghan Casey,et al. Malware Forensics: Investigating and Analyzing Malicious Code , 2008 .

[9] Aditya P. Mathur,et al. A Survey of Malware Detection Techniques , 2007 .