Packer classifier based on PE header information

Jin, Qiao; Duan, Jiayi; Vasudevan, Shobha; Bailey, Michael

doi:10.1145/2746194.2746213

Cited by 4 publications

(4 citation statements)

References 1 publication

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Jin et al [21] proposed a PE header-based method for packer classification, achieving around 0.99% precision and recall. Similar to [22], the approach used PE file header analysis with nine features and the Euclidean distance for classification.…”

Section: Static Analysismentioning

confidence: 99%

Identifying Malware Packers through Multilayer Feature Engineering in Static Analysis

Alkhateeb,

Ghorbani,

Habibi Lashkari

2024

Information

View full text Add to dashboard Cite

This research addresses a critical need in the ongoing battle against malware, particularly in the form of obfuscated malware, which presents a formidable challenge in the realm of cybersecurity. Developing effective antivirus (AV) solutions capable of combating packed malware remains a crucial endeavor. Packed malicious programs employ encryption and advanced techniques to obfuscate their payloads, rendering them elusive to AV scanners and security analysts. The introduced research presents an innovative malware packer classifier specifically designed to adeptly identify packer families and detect unknown packers in real-world scenarios. To fortify packer identification performance, we have curated a meticulously crafted dataset comprising precisely packed samples, enabling comprehensive training and validation. Our approach employs a sophisticated feature engineering methodology, encompassing multiple layers of analysis to extract salient features used as input to the classifier. The proposed packer identifier demonstrates remarkable accuracy in distinguishing between known and unknown packers, while also ensuring operational efficiency. The results reveal an impressive accuracy rate of 99.60% in identifying known packers and 91% accuracy in detecting unknown packers. This novel research not only significantly advances the field of malware detection but also equips both cybersecurity practitioners and AV engines with a robust tool to effectively counter the persistent threat of packed malware.

show abstract

Section: Static Analysismentioning

confidence: 99%

Identifying Malware Packers through Multilayer Feature Engineering in Static Analysis

Alkhateeb,

Ghorbani,

Habibi Lashkari

2024

Information

View full text Add to dashboard Cite

show abstract

“…Jin et al proposed a method to classify packers based on portable executable (PE) header information. Laxmi et al proposed a packer analysis method called PEAL (Packer Executable AnaLysis), which uses extracted features from the PE header, such as the number of sections, section name, size of code, image base, etc.…”

Section: Related Workmentioning

confidence: 99%

“…The PE header contains the starting addresses of sections, and the starting addresses and section names of encrypted sections for well‐known packers are known to the public, as shown in Table . Some of the previous packer detection methods use information obtained from only the header, but this information can be easily modified by attackers to avoid detection.…”

Section: Our Proposed Packer Identifiermentioning

confidence: 99%

See 1 more Smart Citation

Packer identification method based on byte sequences

Jung

Bae

Choi

et al. 2018

Concurrency and Computation

View full text Add to dashboard Cite

Summary With the growing number of malware, malware analysis technologies need to be advanced continuously. Malware authors use various packing techniques to hide their code from malware detection tools and techniques. The packing techniques are generally used to compress and encrypt executable code in executable files, and the unpacking code is usually embedded in the executable files. Therefore, packed executable files can be executed by itself, and the information associated with packing can be used to analyze and detect malware. Since different packing tools will generate different packed executable files, packing tools can be identified by analyzing packed executable files, and packer identification can reduce malware‐analyzing overheads, and the executable files can even be unpacked. However, most previous studies focused on packing detection using signatures of unpacking code, and these approaches can be avoided by placing unpacking code in other locations or by distributing unpacking code in multiple locations. In this paper, we propose a new packer identification method by analyzing only code sections to extract features of malware generated by different packing tools. Experimental results show that our approach can identify different packing tools with the accuracy of 91.6% on average. Considering packer identification is the harder problem than packing detection, we argue that our approach can contribute to reducing overheads of malware analysis.

show abstract