Packer detection for multi-layer executables using entropy analysis

Munkhbayar Bat-Erdene; Taebeom Kim; Hyundo Park; Heejo Lee

doi:10.3390/e19030125

Packer detection for multi-layer executables using entropy analysis

Munkhbayar Bat-Erdene, Taebeom Kim, Hyundo Park, Heejo Lee

Department of Computer and Radio Communications Engineering

Research output: Contribution to journal › Article › peer-review

12 Citations (Scopus)

Abstract

Packing algorithms are broadly used to avoid anti-malware systems, and the proportion of packed malware has been growing rapidly. However, just a few studies have been conducted on detection various types of packing algorithms in a systemic way. Following this understanding, we elaborate a method to classify packing algorithms of a given executable into three categories: single-layer packing, re-packing, or multi-layer packing. We convert entropy values of the executable file loaded into memory into symbolic representations, for which we used SAX (Symbolic Aggregate Approximation). Based on experiments of 2196 programs and 19 packing algorithms, we identify that precision (97.7%), accuracy (97.5%), and recall ( 96.8%) of our method are respectively high to confirm that entropy analysis is applicable in identifying packing algorithms.

Original language	English
Article number	125
Journal	Entropy
Volume	19
Issue number	3
DOIs	https://doi.org/10.3390/e19030125
Publication status	Published - 2017 Mar 16

Keywords

Entropy analysis
Multi-layer packing
Original entry point (OEP)
Piecewise aggregate approximation (PAA)
Re-packing algorithms
Symbolic aggregate approximation (SAX)

ASJC Scopus subject areas

Physics and Astronomy(all)

Access to Document

10.3390/e19030125

Fingerprint Dive into the research topics of 'Packer detection for multi-layer executables using entropy analysis'. Together they form a unique fingerprint.

Cite this

@article{5617f0b92dcc47b9b1ffb83712f3d4cf,

title = "Packer detection for multi-layer executables using entropy analysis",

abstract = "Packing algorithms are broadly used to avoid anti-malware systems, and the proportion of packed malware has been growing rapidly. However, just a few studies have been conducted on detection various types of packing algorithms in a systemic way. Following this understanding, we elaborate a method to classify packing algorithms of a given executable into three categories: single-layer packing, re-packing, or multi-layer packing. We convert entropy values of the executable file loaded into memory into symbolic representations, for which we used SAX (Symbolic Aggregate Approximation). Based on experiments of 2196 programs and 19 packing algorithms, we identify that precision (97.7%), accuracy (97.5%), and recall ( 96.8%) of our method are respectively high to confirm that entropy analysis is applicable in identifying packing algorithms.",

keywords = "Entropy analysis, Multi-layer packing, Original entry point (OEP), Piecewise aggregate approximation (PAA), Re-packing algorithms, Symbolic aggregate approximation (SAX)",

author = "Munkhbayar Bat-Erdene and Taebeom Kim and Hyundo Park and Heejo Lee",

year = "2017",

month = mar,

day = "16",

doi = "10.3390/e19030125",

language = "English",

volume = "19",

journal = "Entropy",

issn = "1099-4300",

publisher = "Multidisciplinary Digital Publishing Institute (MDPI)",

number = "3",

}

TY - JOUR

T1 - Packer detection for multi-layer executables using entropy analysis

AU - Bat-Erdene, Munkhbayar

AU - Kim, Taebeom

AU - Park, Hyundo

AU - Lee, Heejo

PY - 2017/3/16

Y1 - 2017/3/16

N2 - Packing algorithms are broadly used to avoid anti-malware systems, and the proportion of packed malware has been growing rapidly. However, just a few studies have been conducted on detection various types of packing algorithms in a systemic way. Following this understanding, we elaborate a method to classify packing algorithms of a given executable into three categories: single-layer packing, re-packing, or multi-layer packing. We convert entropy values of the executable file loaded into memory into symbolic representations, for which we used SAX (Symbolic Aggregate Approximation). Based on experiments of 2196 programs and 19 packing algorithms, we identify that precision (97.7%), accuracy (97.5%), and recall ( 96.8%) of our method are respectively high to confirm that entropy analysis is applicable in identifying packing algorithms.

AB - Packing algorithms are broadly used to avoid anti-malware systems, and the proportion of packed malware has been growing rapidly. However, just a few studies have been conducted on detection various types of packing algorithms in a systemic way. Following this understanding, we elaborate a method to classify packing algorithms of a given executable into three categories: single-layer packing, re-packing, or multi-layer packing. We convert entropy values of the executable file loaded into memory into symbolic representations, for which we used SAX (Symbolic Aggregate Approximation). Based on experiments of 2196 programs and 19 packing algorithms, we identify that precision (97.7%), accuracy (97.5%), and recall ( 96.8%) of our method are respectively high to confirm that entropy analysis is applicable in identifying packing algorithms.

KW - Entropy analysis

KW - Multi-layer packing

KW - Original entry point (OEP)

KW - Piecewise aggregate approximation (PAA)

KW - Re-packing algorithms

KW - Symbolic aggregate approximation (SAX)

UR - http://www.scopus.com/inward/record.url?scp=85024404913&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85024404913&partnerID=8YFLogxK

U2 - 10.3390/e19030125

DO - 10.3390/e19030125

M3 - Article

AN - SCOPUS:85024404913

VL - 19

JO - Entropy

JF - Entropy

SN - 1099-4300

IS - 3

M1 - 125

ER -