TY - JOUR
T1 - Packer detection for multi-layer executables using entropy analysis
AU - Bat-Erdene, Munkhbayar
AU - Kim, Taebeom
AU - Park, Hyundo
AU - Lee, Heejo
N1 - Publisher Copyright:
© 2017 by the authors.
Copyright:
Copyright 2019 Elsevier B.V., All rights reserved.
PY - 2017/3/16
Y1 - 2017/3/16
N2 - Packing algorithms are broadly used to evade anti-malware systems, and the proportion of packed malware has been growing rapidly. However, only a few studies have addressed the detection of various types of packing algorithms in a systematic way. Motivated by this, we elaborate a method to classify the packing algorithm of a given executable into one of three categories: single-layer packing, re-packing, or multi-layer packing. We convert the entropy values of the executable file loaded into memory into symbolic representations using SAX (Symbolic Aggregate Approximation). Based on experiments with 2196 programs and 19 packing algorithms, we find that the precision (97.7%), accuracy (97.5%), and recall (96.8%) of our method are all high, confirming that entropy analysis is applicable to identifying packing algorithms.
AB - Packing algorithms are broadly used to evade anti-malware systems, and the proportion of packed malware has been growing rapidly. However, only a few studies have addressed the detection of various types of packing algorithms in a systematic way. Motivated by this, we elaborate a method to classify the packing algorithm of a given executable into one of three categories: single-layer packing, re-packing, or multi-layer packing. We convert the entropy values of the executable file loaded into memory into symbolic representations using SAX (Symbolic Aggregate Approximation). Based on experiments with 2196 programs and 19 packing algorithms, we find that the precision (97.7%), accuracy (97.5%), and recall (96.8%) of our method are all high, confirming that entropy analysis is applicable to identifying packing algorithms.
KW - Entropy analysis
KW - Multi-layer packing
KW - Original entry point (OEP)
KW - Piecewise aggregate approximation (PAA)
KW - Re-packing algorithms
KW - Symbolic aggregate approximation (SAX)
UR - http://www.scopus.com/inward/record.url?scp=85024404913&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85024404913&partnerID=8YFLogxK
U2 - 10.3390/e19030125
DO - 10.3390/e19030125
M3 - Article
AN - SCOPUS:85024404913
VL - 19
JO - Entropy
JF - Entropy
SN - 1099-4300
IS - 3
M1 - 125
ER -