Structural feature based anomaly detection for packed executable identification

Authors:
Xabier Ugarte-Pedrero;Igor Santos;Pablo G. Bringas
Affiliations:
S³Lab, DeustoTech - Computing, Deusto Institute of Technology, University of Deusto, Bilbao, Spain;S³Lab, DeustoTech - Computing, Deusto Institute of Technology, University of Deusto, Bilbao, Spain;S³Lab, DeustoTech - Computing, Deusto Institute of Technology, University of Deusto, Bilbao, Spain
Venue:
CISIS'11 Proceedings of the 4th international conference on Computational intelligence in security for information systems
Year:
2011

Citing 5
Cited 5

PolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing Malware

ACSAC '06 Proceedings of the 22nd Annual Computer Security Applications Conference
Renovo: a hidden code extractor for packed executables

Proceedings of the 2007 ACM workshop on Recurring malcode
Estimating the selectivity of tf-idf based cosine similarity predicates

ACM SIGMOD Record
McBoost: Boosting Scalability in Malware Collection and Analysis Using Statistical Classification of Executables

ACSAC '08 Proceedings of the 2008 Annual Computer Security Applications Conference
PE-Miner: Mining Structural Information to Detect Malicious Executables in Realtime

RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection

Collective classification for packed executable identification

Proceedings of the 8th Annual Collaboration, Electronic messaging, Anti-Abuse and Spam Conference
PEAL--Packed executable analysis

ADCONS'11 Proceedings of the 2011 international conference on Advanced Computing, Networking and Security
ESCAPE: entropy score analysis of packed executable

Proceedings of the Fifth International Conference on Security of Information and Networks
Boosting scalability in anomaly-based packed executable filtering

Inscrypt'11 Proceedings of the 7th international conference on Information Security and Cryptology
SPADE: Signature based PAcker DEtection

Proceedings of the First International Conference on Security of Internet of Things

Quantified Score

Hi-index	0.00

Visualization

Abstract

Malware is any software with malicious intentions. Commercial anti-malware software relies on signature databases. This approach has proven to be effective when the threats are already known. However, malware writers employ software encryption tools and code obfuscation techniques to hide the actual behaviour of their malicious programs. One of these techniques is executable packing, which consists of encrypting the real code of the executable so that it is decrypted in its execution. Commercial solutions to this problem try to identify the packer and then apply the corresponding unpacking routine for each packing algorithm. Nevertheless, this approach fails to detect new and custom packers. Therefore, generic unpacking methods have been proposed which execute the binary in a contained environment and gather its actual code. However, these approaches are very time-consuming and, therefore, a filter step is required that identifies whether an executable is packed or not. In this paper, we present the first packed executable detector based on anomaly detection. This approach represents not packed executables as feature vectors of structural information and heuristic values. Thereby, an executable is classified as packed or not packed by measuring its deviation to the representation of normality (not packed executables). We show that this method achieves high accuracy rates detecting packed executables while maintaining a low false positive rate.