Dynamic classification of packing algorithms for inspecting executables using entropy analysis

Munkhbayar Bat-Erdene, Taebeom Kim, Hongzhe Li, Heejo Lee

    Research output: Chapter in Book/Report/Conference proceedingConference contribution

    8 Citations (Scopus)

    Abstract

    Packing is widely used for bypassing anti-malware systems, and the proportion of packed malware has been growing rapidly, making up over 80% of malware. Few studies on detecting packing algorithms have been conducted during last two decades. In this paper, we propose a method to classify packing algorithms of given packed executables. First, we convert entropy values of the packed executables loaded in memory into symbolic representations. Our proposed method uses SAX (Symbolic Aggregate Approximation) which is known to be good at large data conversion. Due to its advantage of simplifying complicated patterns, symbolic representation is commonly used in bio-informatics and data mining fields. Second, we classify the distribution of symbols using supervised learning classifications, i.e., Naive Bayes and Support Vector Machines. Results of our experiments with a collection of 466 programs and 15 packing algorithms demonstrated that our method can identify packing algorithms of given executables with a high accuracy of 94.2%, recall of 94.7% and precision of 92.7%. It has been confirmed that packing algorithms can be identified using entropy analysis, which is a measure of uncertainty of running executables, without a prior knowledge of the executable.

    Original languageEnglish
    Title of host publicationProceedings of the 2013 8th International Conference on Malicious and Unwanted Software
    Subtitle of host publication"The Americas", MALWARE 2013
    PublisherIEEE Computer Society
    Pages19-26
    Number of pages8
    ISBN (Print)9781479925339
    DOIs
    Publication statusPublished - 2013
    Event2013 8th International Conference on Malicious and Unwanted Software: "The Americas", MALWARE 2013 - Fajardo, PR, United States
    Duration: 2013 Oct 222013 Oct 24

    Publication series

    NameProceedings of the 2013 8th International Conference on Malicious and Unwanted Software: "The Americas", MALWARE 2013

    Other

    Other2013 8th International Conference on Malicious and Unwanted Software: "The Americas", MALWARE 2013
    Country/TerritoryUnited States
    CityFajardo, PR
    Period13/10/2213/10/24

    Keywords

    • Entropy Analysis
    • Original Entry Point (OEP)
    • Packing Algorithms
    • Piecewise Aggregate Approximation (PAA)
    • Symbolic Aggregate Approximation (SAX)

    ASJC Scopus subject areas

    • Software

    Fingerprint

    Dive into the research topics of 'Dynamic classification of packing algorithms for inspecting executables using entropy analysis'. Together they form a unique fingerprint.

    Cite this