Abstract
Executable packing is the most common technique to evade detection by anti-virus software.Many signature-based unpackers have been presented to uncover hidden viruses,which make the signature-based anti-virus software successfully detect the packed malicious code. However,these universal unpackers are computationally expensive and scanning large collections of executables may take several hours or even days.In order to improve the computational efficiency, Machine learning techniques have recently been proven effective in solving the focused issues,but up to now,no methods can show what packing method has been used in it.In this paper we proposed a fine-grained detection method to detect whether a malicious code has been packed and which method is been used to.This method firstly extract a hex-string from the target object file and then apply a String-Kernel-Based SVM Classifier to implement the fast detection of packed malicious code.We also show that our system achieves very high detection accuracy of packed executables, so that only executables detected as packed will be sent to an universal unpacker, thus saving a significant amount of processing time.
Chapter PDF
Similar content being viewed by others
Keywords
References
Royal, P., Halpin, M., Dagon, D., Edmonds, R., Lee, W.: Polyunpack: Automating the hidden-code extraction of unpack-executing malware. In: Proceedings of the 22nd Annual Computer Security Applications Conference, pp. 289–300 (2006)
Kang, M.G., Poosankam, P., Yin, H.: Renovo: a hidden code extractor for packed executables. In: Proceedings of the 2007 ACM Workshop on Recurring Malcode, WORM 2007, pp. 46–53 (2007)
Lyda, R., Hamrock, J.: Using entropy analysis to find encrypted and packed malware. IEEE Security and Privacy 5, 40–45 (2007)
Kolter, J.Z., Maloof, M.A.: Learning to detect and classify malicious executables in the wild. J. Mach. Learn. Res. 7, 2721–2744 (2006)
Perdisci, R., Gu, G., Lee, W.: Using an ensemble of one-class svm classifiers to harden payload-based anomaly detection systems. In: Proceedings of the Sixth International Conference on Data Mining, ICDM 2006, pp. 488–498 (2006)
Martignoni, L., Christodorescu, M., Jha, S.: OmniUnpack: Fast, Generic, and Safe Unpacking of Malware. In: Proceedings of the 21st Annual Computer Security Applications Conference, ACSAC 2007, Miami Beach, Florida, USA (December 2007)
Lyda, R., Hamrock, J.: Using entropy analysis to find encrypted and packed malware. IEEE Security and Privacy 5, 40–45 (2007)
Perdisci, R., Lanzi, A., Lee, W.: Classification of packed executables for accurate computer virus detection. Pattern Recogn. Lett. 29, 1941–1946 (2008)
Charras, C., Lecroq, T.: Sequence comparison. Laboratoire d’Informatique de Rouen et Atelier Biologie Informatique Statistique Socio-Linguistique. Universit’e de Rouen, France (1998)
http://en.wikipedia.org/wiki/Receiver_operating_characteristic/
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Guo, S., Li, S., Yu, Y., Hu, A., Ban, T. (2012). A Fine-Grained Classification Approach for the Packed Malicious Code. In: Chim, T.W., Yuen, T.H. (eds) Information and Communications Security. ICICS 2012. Lecture Notes in Computer Science, vol 7618. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34129-8_49
Download citation
DOI: https://doi.org/10.1007/978-3-642-34129-8_49
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-34128-1
Online ISBN: 978-3-642-34129-8
eBook Packages: Computer ScienceComputer Science (R0)