Packed PE file detection for malware forensics

Seungwon Han, Keungi Lee, Sangjin Lee

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

8 Citations (Scopus)

Abstract

In malware incident investigation, the most important task is the detection of malicious code. Signature-based anti-virus software has been used in most of these incidents, but malware can easily evade signature-based detection by using packing or encryption. Because of this, detecting packed files is also important. Packing detection methods can be divided into signature-based detection and entropy-based detection: signature-based detection cannot detect new packers, and entropy-based detection suffers from false positives. We provide a detection method that uses entropy statistics of the entry point section together with the 'write' property, an essential characteristic of a packed file. We then present a packing detection tool and evaluate its performance.
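The abstract combines two signals: the entropy of the section that contains the entry point, and whether that section is writable (a packer's stub must write the unpacked code somewhere before jumping to it). The following is an added example, not the authors' tool or code, that shows how those two checks are derived from the PE headers. It uses an assumed entropy threshold of 7.0 bits/byte (the paper's actual statistics are not on this page) and a simplified rule "high entropy AND writable"; the PE images it inspects are constructed in memory for the demonstration and are not loadable binaries.

```python
import math
import random
import struct

# IMAGE_SECTION_HEADER.Characteristics flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Assumed threshold in bits per byte; the paper's entropy statistics are not on this page.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe(pe: bytes):
    """Return (AddressOfEntryPoint, section headers) read from a PE image buffer."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                      # IMAGE_FILE_HEADER, 20 bytes
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                                          # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]    # same offset in PE32 and PE32+
    table = opt + size_of_opt                                # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40                                 # each IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars})
    return entry_rva, sections


def assess_packing(pe: bytes, threshold: float = ENTROPY_THRESHOLD) -> dict:
    """Locate the entry point section, measure its entropy and read its WRITE flag."""
    entry_rva, sections = parse_pe(pe)
    for s in sections:
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"]):
            data = pe[s["rawptr"]:s["rawptr"] + s["rawsize"]]
            ent = shannon_entropy(data)
            writable = bool(s["chars"] & IMAGE_SCN_MEM_WRITE)
            return {"section": s["name"], "entropy": round(ent, 3), "writable": writable,
                    "executable": bool(s["chars"] & IMAGE_SCN_MEM_EXECUTE),
                    "likely_packed": ent >= threshold and writable}
    raise ValueError("entry point lies outside every section")


def build_sample_pe(entry_section: int, specs) -> bytes:
    """Construct a minimal PE32 image for testing only; specs = [(name, data, characteristics)]."""
    hdr_len = 64 + 4 + 20 + 96 + 40 * len(specs)             # DOS hdr + signature + COFF + optional + sections
    raw_ptr, va, headers, body, vas = hdr_len, 0x1000, b"", b"", []
    for name, data, chars in specs:
        headers += struct.pack("<8sIIIIIIHHI", name, len(data), va, len(data), raw_ptr, 0, 0, 0, 0, chars)
        body += data
        vas.append(va)
        raw_ptr += len(data)
        va += 0x1000
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, 96, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, vas[entry_section]).ljust(96, b"\0")
    return dos + b"PE\0\0" + coff + opt + headers + body


# Constructed section contents: a repeating byte pattern as a stand-in for plain code,
# and seeded pseudo-random bytes as a stand-in for compressed/encrypted code.
_LOW = b"\x55\x8b\xec\x90" * 1024
_rng = random.Random(2009)
_HIGH = bytes(_rng.getrandbits(8) for _ in range(4096))

RX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
RWX = RX | IMAGE_SCN_MEM_WRITE
SAMPLE_UNPACKED = build_sample_pe(0, [(b".text", _LOW, RX), (b".data", b"\0" * 512, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)])
SAMPLE_PACKED = build_sample_pe(1, [(b"pack0", b"\0" * 64, RWX), (b"pack1", _HIGH, RWX)])
# High entropy but read/execute only: an entropy-only rule flags it, the combined rule does not.
SAMPLE_HIGH_ENTROPY_RO = build_sample_pe(0, [(b".text", _HIGH, RX)])

if __name__ == "__main__":
    for label, sample in (("unpacked", SAMPLE_UNPACKED), ("packed", SAMPLE_PACKED),
                          ("high-entropy r/x", SAMPLE_HIGH_ENTROPY_RO)):
        print(label, assess_packing(sample))
```

The third sample is the false-positive case the abstract refers to: its entry point section has the entropy profile of packed code, but because the section is not writable the combined rule leaves it unflagged. On real files the raw section bytes should be read with `PointerToRawData`/`SizeOfRawData` exactly as above, since a packer's first section often has a zero raw size and exists only in memory.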

Original language: English
Title of host publication: Proceedings of the 2009 2nd International Conference on Computer Science and Its Applications, CSA 2009
DOIs
Publication status: Published - 2009 Dec 1
Event: 2009 2nd International Conference on Computer Science and Its Applications, CSA 2009 - Jeju Island, Korea, Republic of
Duration: 2009 Dec 10 to 2009 Dec 12

Other

Other: 2009 2nd International Conference on Computer Science and Its Applications, CSA 2009
Country: Korea, Republic of
City: Jeju Island
Period: 09/12/10 to 09/12/12

Fingerprint

Entropy
Accidents
Viruses
Cryptography
Statistics
Malware

Keywords

  • Component
  • Entropy
  • Malware forensics
  • Packing detection
  • PE file analysis

ASJC Scopus subject areas

  • Computational Theory and Mathematics
  • Computer Science Applications

Cite this

Han, S., Lee, K., & Lee, S. (2009). Packed PE file detection for malware forensics. In Proceedings of the 2009 2nd International Conference on Computer Science and Its Applications, CSA 2009 [5404211] https://doi.org/10.1109/CSA.2009.5404211

@inproceedings{4ba02ae82941499e9d8e2e88c1f381d3,
title = "Packed PE file detection for malware forensics",
abstract = "In malware incident investigation, the most important task is the detection of malicious code. Signature-based anti-virus software has been used in most of these incidents, but malware can easily evade signature-based detection by using packing or encryption. Because of this, detecting packed files is also important. Packing detection methods can be divided into signature-based detection and entropy-based detection: signature-based detection cannot detect new packers, and entropy-based detection suffers from false positives. We provide a detection method that uses entropy statistics of the entry point section together with the 'write' property, an essential characteristic of a packed file. We then present a packing detection tool and evaluate its performance.",
keywords = "Component, Entropy, Malware forensics, Packing detection, PE file analysis",
author = "Seungwon Han and Keungi Lee and Sangjin Lee",
year = "2009",
month = "12",
day = "1",
doi = "10.1109/CSA.2009.5404211",
language = "English",
isbn = "9781424449460",
booktitle = "Proceedings of the 2009 2nd International Conference on Computer Science and Its Applications, CSA 2009",
}
