Structural Feature Based Anomaly Detection for Packed Executable Identification

  • Conference paper
Computational Intelligence in Security for Information Systems

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 6694))

Abstract

Malware is any software written with malicious intent. Commercial anti-malware software relies on signature databases, an approach that has proven effective against threats that are already known. However, malware writers employ software encryption tools and code obfuscation techniques to hide the actual behaviour of their malicious programs. One of these techniques is executable packing, which consists of compressing or encrypting the real code of the executable so that it is only restored in memory when the executable runs. Commercial solutions to this problem try to identify the packer and then apply the corresponding unpacking routine for each packing algorithm; this fails against new and custom packers. Therefore, generic unpacking methods have been proposed that execute the binary in a contained environment and recover its actual code. These approaches are very time-consuming, so a cheap filter step is needed that first decides whether an executable is packed at all. In this paper, we present the first packed executable detector based on anomaly detection. Not-packed executables are represented as feature vectors of structural information and heuristic values, and an executable is classified as packed or not packed by measuring its deviation from this representation of normality (the not-packed executables). We show that this method achieves high accuracy rates detecting packed executables while maintaining a low false positive rate.
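As an added example (not the paper's code or the authors' implementation), the following Python script shows the shape of such a detector: it walks a PE file's section table, builds a small feature vector of structural and heuristic values, learns a "normality" centroid from not-packed samples only, and flags any executable whose distance from that centroid exceeds a threshold. The seven features, the Euclidean centroid distance, the 0.5 threshold and the constructed sample images (`NORMAL`, `HELD_OUT`, `PACKED`) are assumptions made for illustration; the paper's own feature set and similarity measure may differ.

```python
"""Added example, not the paper's code: score a Windows PE image by how far its
structural features deviate from a model built only from not-packed executables.
The features, scoring, threshold and sample images are assumptions for illustration."""
import hashlib
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
STANDARD_NAMES = {b".text", b".data", b".rdata", b".rsrc", b".reloc", b".idata", b".bss"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_pe(image: bytes):
    """DOS header -> PE signature -> COFF header -> section table; raises on non-PE input."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", image, 0x3C)[0]              # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", image, pe + 6)[0]          # NumberOfSections
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]     # SizeOfOptionalHeader
    entry = struct.unpack_from("<I", image, pe + 24 + 16)[0]   # AddressOfEntryPoint (RVA)
    secs = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, pe + 24 + opt_size + 40 * i)
        secs.append({"name": name.rstrip(b"\0"), "va": va, "chars": chars,
                     "vsize": max(vsize, rsize), "data": image[rptr:rptr + rsize]})
    if not secs:
        raise ValueError("no sections")
    return entry, secs

def extract_features(image: bytes) -> list:
    """Seven structural/heuristic features (assumed set), each scaled to roughly [0, 1]."""
    entry, secs = parse_pe(image)
    wx = [s for s in secs if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE]
    ents = [entropy(s["data"]) for s in secs]
    raw, virt = sum(len(s["data"]) for s in secs), sum(s["vsize"] for s in secs)
    return [
        min(len(secs), 16) / 16,                                          # section count
        len(wx) / len(secs),                                              # share of writable+executable sections
        sum(s["name"] in STANDARD_NAMES for s in secs) / len(secs),       # share of conventional names
        max(ents) / 8,                                                    # highest section entropy
        sum(ents) / len(ents) / 8,                                        # mean section entropy
        float(any(s["va"] <= entry < s["va"] + s["vsize"] for s in wx)),  # entry point inside W+X
        min(raw / virt, 1.0) if virt else 1.0,                            # bytes on disk vs. in memory
    ]

def train(normal_images) -> list:
    """Representation of normality: centroid of the not-packed feature vectors."""
    vecs = [extract_features(im) for im in normal_images]
    return [sum(col) / len(vecs) for col in zip(*vecs)]

def deviation(image: bytes, centroid: list) -> float:
    """Euclidean distance from the centroid; larger means less like a normal binary."""
    return math.dist(extract_features(image), centroid)

def is_packed(image: bytes, centroid: list, threshold: float = 0.5) -> bool:
    return deviation(image, centroid) > threshold

def build_pe(sections, entry_section: int) -> bytes:
    """Constructed minimal PE32: sections = [(name, raw_data, characteristics, virtual_size)]."""
    raw_base = (0x40 + 4 + 20 + 96 + 40 * len(sections) + 0x1FF) & ~0x1FF
    va, table, blobs, vas = 0x1000, b"", b"", []
    for name, data, chars, vsize in sections:
        vsize = max(vsize, len(data))
        vas.append(va)
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va, len(data),
                             raw_base + len(blobs), 0, 0, 0, 0, chars)
        blobs += data
        va += (vsize + 0xFFF) & ~0xFFF
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 96, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, vas[entry_section] + 0x10).ljust(96, b"\0")
    return (dos + b"PE\0\0" + coff + opt + table).ljust(raw_base, b"\0") + blobs

# Constructed sample content: repetitive x86 prologue bytes, C strings plus zeroed
# globals, a near-empty resource blob, and SHA-256 output standing in for packed code.
CODE = b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57" * 300
DATA = b"Hello, world\0" * 50 + bytes(600)
RSRC = bytes(900) + b"MZ"
STUB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
RX, RW, R, WX = 0x60000020, 0xC0000040, 0x40000040, 0xE0000020
TEXT, DATAS, RSRCS = (b".text", CODE, RX, 0), (b".data", DATA, RW, 0), (b".rsrc", RSRC, R, 0)

NORMAL = [build_pe([TEXT, DATAS, RSRCS], 0),
          build_pe([TEXT, (b".rdata", DATA, R, 0), DATAS, (b".reloc", RSRC, R, 0)], 0),
          build_pe([TEXT, DATAS], 0)]
HELD_OUT = build_pe([TEXT, DATAS, RSRCS, (b".reloc", RSRC, R, 0)], 0)
# UPX-style layout: an empty W+X section reserved for the unpacked code, a small
# high-entropy W+X section holding stub and payload, and the entry point in the stub.
PACKED = build_pe([(b"UPX0", b"", WX, 0x10000), (b"UPX1", STUB, WX, 0), RSRCS], 1)
CENTROID = train(NORMAL)
```

Calling `deviation(HELD_OUT, CENTROID)` gives a distance near 0.1 while `deviation(PACKED, CENTROID)` is above 1.5, so the default threshold separates them with a wide margin. Two caveats a practitioner should keep in mind: the model is only as good as the normal set (toolchains that emit unusual layouts, such as installers or runtimes that ship compressed resources, must be represented in it or they become false positives), and any single heuristic here is cheap to evade (a packer can use conventional section names, drop W+X flags until run time, and pad its payload to lower the entropy), which is why deviation is measured over the whole vector rather than on one signature-like rule.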

Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Ugarte-Pedrero, X., Santos, I., Bringas, P.G. (2011). Structural Feature Based Anomaly Detection for Packed Executable Identification. In: Herrero, Á., Corchado, E. (eds) Computational Intelligence in Security for Information Systems. Lecture Notes in Computer Science, vol 6694. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-21323-6_29

  • DOI: https://doi.org/10.1007/978-3-642-21323-6_29

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-21322-9

  • Online ISBN: 978-3-642-21323-6

  • eBook Packages: Computer Science; Computer Science (R0)