
Classification of packed executables for accurate computer virus detection

Published: 01 October 2008

Abstract

Executable packing is the most common technique used by computer virus writers to obfuscate malicious code and evade detection by anti-virus software. Universal unpackers have been proposed that can detect and extract encrypted code from packed executables, therefore potentially revealing hidden viruses that can then be detected by traditional signature-based anti-virus software. However, universal unpackers are computationally expensive, and scanning large collections of executables for virus infections may take several hours or even days. In this paper we apply pattern recognition techniques for fast detection of packed executables. The objective is to efficiently and accurately distinguish between packed and non-packed executables, so that only executables detected as packed are sent to a universal unpacker, thus saving a significant amount of processing time. We show that our system achieves very high detection accuracy of packed executables with a low average processing time.


Publisher

Elsevier Science Inc., United States

Author Tags

  1. Computer security
  2. Computer virus detection
  3. Packed executables
  4. Pattern recognition

Cited By

  • (2024) Analysis of machine learning approaches to packing detection. Computers and Security 136:C. doi:10.1016/j.cose.2023.103536. Online publication date: 1-Feb-2024.
  • (2024) Optimal Control of Computer Virus Spreading Model with Partial Immunization. Wireless Personal Communications: An International Journal 134:4, 2287-2313. doi:10.1007/s11277-024-11013-6. Online publication date: 1-Feb-2024.
  • (2024) A survey on run-time packers and mitigation techniques. International Journal of Information Security 23:2, 887-913. doi:10.1007/s10207-023-00759-y. Online publication date: 1-Apr-2024.
  • (2023) Impact of benign sample size on binary classification accuracy. Expert Systems with Applications: An International Journal 211:C. doi:10.1016/j.eswa.2022.118630. Online publication date: 1-Jan-2023.
  • (2022) File Packing from the Malware Perspective: Techniques, Analysis Approaches, and Directions for Enhancements. ACM Computing Surveys 55:5, 1-45. doi:10.1145/3530810. Online publication date: 3-Dec-2022.
  • (2022) Packer classification based on association rule mining. Applied Soft Computing 127:C. doi:10.1016/j.asoc.2022.109373. Online publication date: 1-Sep-2022.
  • (2022) Applying NLP techniques to malware detection in a practical environment. International Journal of Information Security 21:2, 279-291. doi:10.1007/s10207-021-00553-8. Online publication date: 1-Apr-2022.
  • (2021) Artificial intelligence-based antivirus in order to detect malware preventively. Progress in Artificial Intelligence 10:1, 1-22. doi:10.1007/s13748-020-00220-4. Online publication date: 1-Mar-2021.
  • (2019) All-in-One Framework for Detection, Unpacking, and Verification for Malware Analysis. Security and Communication Networks 2019. doi:10.1155/2019/5278137. Online publication date: 13-Oct-2019.
  • (2019) A learning model to detect maliciousness of portable executable using integrated feature set. Journal of King Saud University - Computer and Information Sciences 31:2, 252-265. doi:10.1016/j.jksuci.2017.01.003. Online publication date: 1-Apr-2019.