research-article

Information theoretic method for classification of packed and encoded files

Authors:

P. VinodAuthors Info & Claims

SIN '15: Proceedings of the 8th International Conference on Security of Information and Networks

Pages 296 - 303

https://doi.org/10.1145/2799979.2800015

Published: 08 September 2015 Publication History

Abstract

Malware authors make use of some anti-reverse engineering and obfuscation techniques like packing and encoding in-order to conceal their malicious payload. These techniques succeeded in evading the traditional signature based AV scanners. Packed or encoded malware samples are difficult to be analysed directly by the AV scanners. So, such samples must be initially unpacked or decoded for efficient analysis of the malicious code. This paper illustrates a static information theoretic method for the classification of packed and encoded files. The proposed method extracts fragments of fixed size from the files and calculates the entropy scores of the fragments. These entropy scores are then used for computing the Similarity Distance Matrix for fragments in a file-pair. The proposed system classifies all the encoded and packed samples properly, thereby obtaining improved detection. The proposed system is also capable of differentiating the type of packers used for the packing or encoding process.

References

[1]

Hack gmail, myspace, facebook accounts using rinlogger. http://www.101hacker.com/2011/08/hack-gmailmyspacefacebook-accounts.html.

[2]

Hxd - freeware hex editor and disk editor. http://mh-nexus.de/en/hxd/.

[3]

Ultimate guide to setup darkcomet with noip. http://www.slideshare.net/pichpratna/ultimate-guide-to-setup-darkcomet-with-noip.

[4]

Virustotal. https://www.virustotal.com/.

[5]

Weka, open source machine learning software. http://www.cs.waikato.ac.nz/ml/weka/.

[6]

http://www.download25.com/fsg-download.html, 2005.

[7]

B. Arkin, S. Stender, and G. McGraw. Software penetration testing. IEEE Security & Privacy, 3(1): 84--87, 2005.

Digital Library

[8]

C. A. Benninger. Maitland: analysis of packed and encrypted malware via paravirtualization extensions. PhD thesis, University of Victoria, 2012.

[9]

D. Bilar. Opcodes as predictor for malware. International Journal of Electronic Security and Digital Forensics, 1(2): 156--168, 2007.

Digital Library

[10]

L. Breiman. Random forests. Machine learning, 45(1): 5--32, 2001.

Digital Library

[11]

T. Brosch and M. Morgenstern. Runtime packers: The hidden problem. Black Hat USA, 2006.

[12]

K. Coogan, S. K. Debray, T. Kaochar, and G. M. Townsend. Automatic static unpacking of malware binaries. In A. Zaidman, G. Antoniol, and S. Ducasse, editors, WCRE, pages 167--176. IEEE Computer Society, 2009.

Digital Library

[13]

D. Devi and S. Nandi. PE File Features in Detection of Packed Executables. Entropy, 1(2):3, 2012.

[14]

A. Dinaburg, P. Royal, M. I. Sharif, and W. Lee. Ether: malware analysis via hardware virtualization extensions. In P. Ning, P. F. Syverson, and S. Jha, editors, ACM Conference on Computer and Communications Security, pages 51--62. ACM, 2008.

Digital Library

[15]

T. Fujii, K. Yoshioka, J. Shikata, and T. Matsumoto. An efficient dynamic detection method for various x86 shellcodes. In SAINT, pages 284--289. IEEE, 2012.

Digital Library

[16]

B. Gu, X. Bai, Z. Yang, A. C. Champion, and D. Xuan. Malicious shellcode detection with virtual memory snapshots. In INFOCOM, pages 974--982. IEEE, 2010.

Digital Library

[17]

F. Guo, P. Ferrie, and T. cker Chiueh. A study of the packer problem and its solutions. In R. Lippmann, E. Kirda, and A. Trachtenberg, editors, RAID, volume 5230 of Lecture Notes in Computer Science, pages 98--115. Springer, 2008.

Digital Library

[18]

G. Jacob, P. M. Comparetti, M. Neugschwandtner, C. Kruegel, and G. Vigna. A static, packer-agnostic filter to detect similar malware samples. In Detection of intrusions and Malware, and vulnerability assessment, pages 102--122. Springer, 2013.

Digital Library

[19]

G. Jeong, E. Choo, J. Lee, M. Bat-Erdene, and H. Lee. Generic unpacking using entropy analysis. In MALWARE, pages 98--105. IEEE, 2010.

[20]

M. Kandias and D. Gritzalis. Metasploit the penetration tester's guide. Computers & Security, 32: 268--269, 2013.

Digital Library

[21]

M. G. Kang, P. Poosankam, and H. Yin. Renovo: A hidden code extractor for packed executables. In Proceedings of the 2007 ACM workshop on Recurring malcode, pages 46--53. ACM, 2007.

Digital Library

[22]

Kaspersky. Virus.win32.sality.bh.http://www.securelist.com/en/descriptions/15312802/irus.Win32.Sality.bh#doc1, 2011.

[23]

R. Kohavi. A study of cross-validation and bootstrap for accuracy estimation and model selection. In IJCAI, pages 1137--1145, 1995.

Digital Library

[24]

J. Larimer. An inside look at stuxnet. http://blogs.iss.net/archive/papers/ibm-xforce-an-inside-look-at-stuxnet.pdf, 2009.

[25]

R. Lyda and J. Hamrock. Using entropy analysis to find encrypted and packed malware. IEEE Security & Privacy, 5(2): 40--45, 2007.

Digital Library

[26]

L. M. M. Oberhumer and J. Reiser. Upx: the ultimate packer for executables. http://upx.sourceforge.net, 2007.

[27]

L. Martignoni, M. Christodorescu, and S. Jha. Omniunpack: Fast, generic, and safe unpacking of malware. In ACSAC07, 2007.

[28]

R. Perdisci, A. Lanzi, and W. Lee. Classification of packed executables for accurate computer virus detection. Pattern Recognition Letters, 29(14): 1941--1946, 2008.

Digital Library

[29]

J. J. Rodriguez, L. I. Kuncheva, and C. J. Alonso. Rotation forest: A new classifier ensemble method. IEEE Trans. Pattern Anal. Mach. Intell., 28(10): 1619--1630, 2006.

Digital Library

[30]

R. E. Schapire. A brief introduction to boosting. In IJCAI, pages 1401--1406, 1999.

Digital Library

[31]

A. Software. Aspack. http://www.aspack.com.

[32]

Y. Song, M. E. Locasto, A. Stavrou, A. D. Keromytis, and S. J. Stolfo. On the infeasibility of modeling polymorphic shellcode. Machine learning, 81(2): 179--205, 2010.

Digital Library

[33]

I. Sorokin. Comparing files using structural entropy. Journal in Computer Virology, 7(4): 259--265, 2011.

Digital Library

[34]

K. Timm. Malware validation techniques. http://blogs.cisco.com/security/malware_validation_techniques, 2010.

[35]

X. Ugarte-Pedrero, I. Santos, B. Sanz, C. Laorden, and P. G. Bringas. Countering entropy measure attacks on packed software detection. In CCNC, pages 164--168. IEEE, 2012.

[36]

N. Verma, V. Mishra, and V. Singh. Detection of alphanumeric shellcodes using similarity index. In Advances in Computing, Communications and Informatics (ICACCI, 2014 International Conference on, pages 1573--1577. IEEE, 2014.

[37]

C. Wressnegger, F. Boldewin, and K. Rieck. Deobfuscating embedded malware using probable-plaintext attacks. In Research in Attacks, Intrusions, and Defenses, pages 164--183. Springer, 2013.

Digital Library

[38]

S. Yu, S. Zhou, L. Liu, R. Yang, and J. Luo. Malware variants identification based on byte frequency. In Networks Security Wireless Communications and Trusted Computing (NSWCTC), 2010 Second International Conference on, volume 2, pages 32--35. IEEE, 2010.

Digital Library

[39]

Z. Zhao and G.-J. Ahn. Using instruction sequence abstraction for shellcode detection and attribution. In CNS, pages 323--331. IEEE, 2013.

Cited By

Gujar SPatil S(2024)A Machine Learning-Based PE Header Analysis for Malware DetectionInternational Journal of Innovative Science and Research Technology (IJISRT)10.38124/ijisrt/IJISRT24MAR615(1671-1676)Online publication date: 1-Apr-2024
https://doi.org/10.38124/ijisrt/IJISRT24MAR615
Cañadas AMendez OVega J(2023)Algebraic Structures Induced by the Insertion and Detection of MalwareComputation10.3390/computation1107014011:7(140)Online publication date: 11-Jul-2023
https://doi.org/10.3390/computation11070140
Wang QYan HZhao CMei RHan ZZhou Y(2022)Measurement of Malware Family Classification on a Large-Scale Real-World Dataset2022 IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom)10.1109/TrustCom56396.2022.00196(1390-1397)Online publication date: Dec-2022
https://doi.org/10.1109/TrustCom56396.2022.00196
Show More Cited By

Index Terms

Information theoretic method for classification of packed and encoded files
1. Security and privacy
  1. Intrusion/anomaly detection and malware mitigation
  2. Systems security
    1. Operating systems security

Recommendations

PEAL--Packed executable analysis
ADCONS'11: Proceedings of the 2011 international conference on Advanced Computing, Networking and Security

The proliferation of packed malware has posed a serious threat to computers connected to Internet across the globe. Packers are popular tools used by malware authors to hide malicious payloads that bypass traditional signature antiviruses (AV). Packing ...
ESCAPE: entropy score analysis of packed executable
SIN '12: Proceedings of the Fifth International Conference on Security of Information and Networks

Malware developers hide the malicious payload of malware binary by employing various obfuscation techniques. One such technique commonly applied is packing. Packer transforms the original bytes so it is difficult to recognize the behaviour of any ...
Obfuscation: The Hidden Malware

A cyberwar exists between malware writers and antimalware researchers. At this war's heart rages a weapons race that originated in the 80s with the first computer virus. Obfuscation is one of the latest strategies to camouflage the telltale signs of ...

Comments

Information & Contributors

Information

Published In

cover image ACM Other conferences

SIN '15: Proceedings of the 8th International Conference on Security of Information and Networks

September 2015

350 pages

ISBN:9781450334532

DOI:10.1145/2799979

Conference Chairs:
Oleg Makarevich
Southern Federal University, Russia
,
Ron Poet
University of Glasgow, UK
,
Atilla Elçi
Aksaray University, Turkey
,
Manoj Singh Gaur
Malaviya National Institute of Technology, India
,
Mehmet Orgun
Macquarie University, Australia
,
Program Chairs:
Ludmila Babenko
Southern Federal University, Russia
,
Sadek Ferdous
University of Glasgow, UK
,
Anthony T. S. Ho
University of Surrey, UK
,
Vijay Laxmi
Malaviya National Institute of Technology, India
,
Josef Pieprzyk
Queensland University of Technology, Australia

Copyright © 2015 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 08 September 2015

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

SIN '15

SIN '15: The 8th International Conference on Security of Information and Networks

September 8 - 10, 2015

Sochi, Russia

Acceptance Rates

SIN '15 Paper Acceptance Rate 34 of 92 submissions, 37%;

Overall Acceptance Rate 102 of 289 submissions, 35%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

7
Total Citations
View Citations
148
Total Downloads

Downloads (Last 12 months)5
Downloads (Last 6 weeks)1

Reflects downloads up to 23 Sep 2024

Other Metrics

View Author Metrics

Citations

Cited By

Gujar SPatil S(2024)A Machine Learning-Based PE Header Analysis for Malware DetectionInternational Journal of Innovative Science and Research Technology (IJISRT)10.38124/ijisrt/IJISRT24MAR615(1671-1676)Online publication date: 1-Apr-2024
https://doi.org/10.38124/ijisrt/IJISRT24MAR615
Cañadas AMendez OVega J(2023)Algebraic Structures Induced by the Insertion and Detection of MalwareComputation10.3390/computation1107014011:7(140)Online publication date: 11-Jul-2023
https://doi.org/10.3390/computation11070140
Wang QYan HZhao CMei RHan ZZhou Y(2022)Measurement of Malware Family Classification on a Large-Scale Real-World Dataset2022 IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom)10.1109/TrustCom56396.2022.00196(1390-1397)Online publication date: Dec-2022
https://doi.org/10.1109/TrustCom56396.2022.00196
Schultz NDuby A(2022)Towards A Framework for Preprocessing Analysis of Adversarial Windows Malware2022 10th International Symposium on Digital Forensics and Security (ISDFS)10.1109/ISDFS55398.2022.9800812(1-6)Online publication date: 6-Jun-2022
https://doi.org/10.1109/ISDFS55398.2022.9800812
Dam KGiven-Wilson TLegay AVeroneze R(2022)Packer classification based on association rule miningApplied Soft Computing10.1016/j.asoc.2022.109373127:COnline publication date: 1-Sep-2022
https://dl.acm.org/doi/10.1016/j.asoc.2022.109373
Li ZChen QXiong CChen YZhu TYang HCavallaro LKinder JWang XKatz J(2019)Effective and Light-Weight Deobfuscation and Semantic-Aware Attack Detection for PowerShell ScriptsProceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security10.1145/3319535.3363187(1831-1847)Online publication date: 6-Nov-2019
https://dl.acm.org/doi/10.1145/3319535.3363187
Jung BBae SChoi CIm E(2018)Packer identification method based on byte sequencesConcurrency and Computation: Practice and Experience10.1002/cpe.508232:8Online publication date: 18-Nov-2018
https://doi.org/10.1002/cpe.5082

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents