Dynamic classification of packing algorithms for inspecting executables using entropy analysis

Munkhbayar Bat-Erdene, Taebeom Kim, Hongzhe Li, Heejo Lee

Research output: Chapter in Book/Report/Conference proceedingConference contribution

7 Citations (Scopus)

Abstract

Packing is widely used for bypassing anti-malware systems, and the proportion of packed malware has been growing rapidly, making up over 80% of malware. Few studies on detecting packing algorithms have been conducted during last two decades. In this paper, we propose a method to classify packing algorithms of given packed executables. First, we convert entropy values of the packed executables loaded in memory into symbolic representations. Our proposed method uses SAX (Symbolic Aggregate Approximation) which is known to be good at large data conversion. Due to its advantage of simplifying complicated patterns, symbolic representation is commonly used in bio-informatics and data mining fields. Second, we classify the distribution of symbols using supervised learning classifications, i.e., Naive Bayes and Support Vector Machines. Results of our experiments with a collection of 466 programs and 15 packing algorithms demonstrated that our method can identify packing algorithms of given executables with a high accuracy of 94.2%, recall of 94.7% and precision of 92.7%. It has been confirmed that packing algorithms can be identified using entropy analysis, which is a measure of uncertainty of running executables, without a prior knowledge of the executable.

Original languageEnglish
Title of host publicationProceedings of the 2013 8th International Conference on Malicious and Unwanted Software: "The Americas", MALWARE 2013
PublisherIEEE Computer Society
Pages19-26
Number of pages8
DOIs
Publication statusPublished - 2013 Jan 1
Event2013 8th International Conference on Malicious and Unwanted Software: "The Americas", MALWARE 2013 - Fajardo, PR, United States
Duration: 2013 Oct 222013 Oct 24

Other

Other2013 8th International Conference on Malicious and Unwanted Software: "The Americas", MALWARE 2013
CountryUnited States
CityFajardo, PR
Period13/10/2213/10/24

Keywords

  • Entropy Analysis
  • Original Entry Point (OEP)
  • Packing Algorithms
  • Piecewise Aggregate Approximation (PAA)
  • Symbolic Aggregate Approximation (SAX)

ASJC Scopus subject areas

  • Software

Fingerprint Dive into the research topics of 'Dynamic classification of packing algorithms for inspecting executables using entropy analysis'. Together they form a unique fingerprint.

  • Cite this

    Bat-Erdene, M., Kim, T., Li, H., & Lee, H. (2013). Dynamic classification of packing algorithms for inspecting executables using entropy analysis. In Proceedings of the 2013 8th International Conference on Malicious and Unwanted Software: "The Americas", MALWARE 2013 (pp. 19-26). [6703681] IEEE Computer Society. https://doi.org/10.1109/MALWARE.2013.6703681