
Boosting Scalability in Anomaly-Based Packed Executable Filtering

  • Conference paper
Book cover Information Security and Cryptology (Inscrypt 2011)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 7537))


Abstract

In recent years, malware writers have used several techniques to evade detection. One of the most common techniques employed by the anti-virus industry is signature scanning. This method requires the end host to compare files against a database that should contain a signature for each malware sample. To allow their creations to bypass these protection systems, programmers use software encryption tools and code obfuscation techniques to hide the actual behaviour of their malicious programs. One of these techniques is packing, a method that encrypts the real code of the executable and places it as data in a new executable that contains an unpacking routine. In previous work, we designed and implemented an anomaly detector based on PE structural characteristics and heuristic values, and we were able to decide whether an executable was packed or not. We stated that this detection system could serve as a filtering step before a generic and time-consuming unpacking phase. In this paper, we improve that system by applying a data reduction algorithm to our representation of normality (i.e., not packed executables), finding similarities among executables and grouping them into consistent clusters that reduce the number of comparisons needed. We show that this improvement drastically reduces processing time while keeping detection and false positive rates stable.
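The following is an added illustration of the idea in the abstract, not code from the paper: an anomaly score is the distance from a sample's PE structural feature vector to the nearest point of a "normality" set, and clustering that set into centroids cuts the number of comparisons while the packed/not-packed decision is preserved. The feature vectors, the greedy radius-based grouping rule and the thresholds are assumptions chosen for illustration.

```python
# Added example (not the paper's code). The feature layout, the greedy
# clustering rule and the thresholds are assumptions for illustration.
import math

# Constructed feature vectors for NOT-packed executables (the normality set):
# (number of sections, entropy of the entry-point section,
#  fraction of sections both writable and executable, imported functions / 100)
NORMAL = [
    (4, 6.1, 0.0, 0.9), (4, 6.0, 0.0, 1.1), (5, 6.2, 0.0, 0.8),
    (3, 5.9, 0.0, 1.2), (4, 6.3, 0.0, 1.0), (5, 6.1, 0.0, 0.7),
    (6, 6.4, 0.0, 1.4), (6, 6.5, 0.0, 1.3), (3, 5.8, 0.0, 1.1),
]

def dist(a, b):
    """Euclidean distance between two feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def centroid(group):
    """Mean vector of a group of samples."""
    return tuple(sum(v) / len(group) for v in zip(*group))

def cluster(samples, radius):
    """Data reduction step (assumed rule): each sample joins the first cluster
    whose centroid lies within `radius`, otherwise it opens a new cluster.
    Returns one centroid per cluster; these replace the full normality set."""
    groups = []
    for s in samples:
        for g in groups:
            if dist(s, centroid(g)) <= radius:
                g.append(s)
                break
        else:
            groups.append([s])
    return [centroid(g) for g in groups]

def score(sample, reference):
    """Anomaly score = distance to the nearest reference point.
    Also returns how many distance computations were needed."""
    return min(dist(sample, r) for r in reference), len(reference)

def is_packed(sample, reference, threshold):
    """Flag the sample as packed when it lies too far from normality."""
    return score(sample, reference)[0] > threshold

if __name__ == "__main__":
    packed = (2, 7.9, 1.0, 0.05)      # constructed packed-looking sample
    clean = (4, 6.2, 0.0, 1.0)        # constructed unpacked-looking sample
    centroids = cluster(NORMAL, 1.5)
    for name, s in (("packed", packed), ("clean", clean)):
        print(name, is_packed(s, NORMAL, 2.0), score(s, NORMAL)[1],
              is_packed(s, centroids, 2.0), score(s, centroids)[1])
```

With these constructed vectors the nine-sample normality set collapses to two centroids, so each filtering decision costs two distance computations instead of nine, and both samples receive the same verdict either way.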



Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Ugarte-Pedrero, X., Santos, I., Bringas, P.G. (2012). Boosting Scalability in Anomaly-Based Packed Executable Filtering. In: Wu, CK., Yung, M., Lin, D. (eds) Information Security and Cryptology. Inscrypt 2011. Lecture Notes in Computer Science, vol 7537. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34704-7_3


  • DOI: https://doi.org/10.1007/978-3-642-34704-7_3

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-34703-0

  • Online ISBN: 978-3-642-34704-7

  • eBook Packages: Computer Science (R0)
