Packer Detection for Multi-Layer Executables Using Entropy Analysis
نویسندگان
چکیده
Packing algorithms are broadly used to avoid anti-malware systems, and the proportion of packed malware has been growing rapidly. However, just a few studies have been conducted on detection various types of packing algorithms in a systemic way. Following this understanding, we elaborate a method to classify packing algorithms of a given executable into three categories: single-layer packing, re-packing, or multi-layer packing. We convert entropy values of the executable file loaded into memory into symbolic representations, for which we used SAX (Symbolic Aggregate Approximation). Based on experiments of 2196 programs and 19 packing algorithms, we identify that precision (97.7%), accuracy (97.5%), and recall ( 96.8%) of our method are respectively high to confirm that entropy analysis is applicable in identifying packing algorithms.
منابع مشابه
Multi-factor failure mode critically analysis using TOPSIS
The paper presents a multi-factor decision-making approach for prioritizing failure modes as an alternative to traditional approach of failure mode and effect analysis (FMEA). The approach is based on the ‘technique for order preference by similarity to ideal solution’ (TOPSIS). The priority ranking is formulated on the basis of six parameters (failure occurrence, non-detection, maintainability...
متن کاملPE-Probe: Leveraging Packer Detection and Structural Information to Detect Malicious Portable Executables
The number of executable malware and the sophistication of their destructive ability has exponentially increased in past couple of years. Malware writers use sophisticated code obfuscation and encryption (a.k.a. packing) techniques to circumvent signatures – derived from the code of the malware for detection – stored in the signatures’ database of commercial off-the-shelf anti-virus software. I...
متن کاملA scalable multi-level feature extraction technique to detect malicious executables
We present a scalable and multi-level feature extraction technique to detect malicious executables. We propose a novel combination of three different kinds of features at different levels of abstraction. These are binary n-grams, assembly instruction sequences, and Dynamic Link Library (DLL) function calls; extracted from binary executables, disassembled executables, and executable headers, res...
متن کاملDimensionality Reduction and Improving the Performance of Automatic Modulation Classification using Genetic Programming (RESEARCH NOTE)
This paper shows how we can make advantage of using genetic programming in selection of suitable features for automatic modulation recognition. Automatic modulation recognition is one of the essential components of modern receivers. In this regard, selection of suitable features may significantly affect the performance of the process. Simulations were conducted with 5db and 10db SNRs. Test and ...
متن کاملClassifying Malicious Windows Executables Using Anomaly Based Detection
CLASSIFYING MALICIOUS WINDOWS EXECUTABLES USING ANOMALY BASED DETECTION by Ronak Sutaria A malicious executable is broadly defined as any program or piece of code designed to cause damage to a system or the information it contains, or to prevent the system from being used in a normal manner. A generic term used to describe any kind of malicious software is Malware, which includes Viruses, Worms...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید
ثبت ناماگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید
ورودعنوان ژورنال:
- Entropy
دوره 19 شماره
صفحات -
تاریخ انتشار 2017