Packer classifier based on PE header information

Research output: Chapter in Book/Report/Conference proceeding: Conference contribution

Abstract

Run-time binary packers are used in malware manufacturing to obfuscate the contents of the executable files. Such packing has proved an obstacle for antivirus software that relies on signatures, as the binary contents of packed malware often bear no resemblance to the original code on which the signature was generated. A naive approach, then, is to first attempt to unpack the malware before applying a signature. Unfortunately, malware authors make use of automated tools that drastically reduce the cost of constructing new packers, and as a result, attackers routinely use previously unseen packers when releasing new malware. As a first step towards addressing this problem, we seek to build a binary program classifier that can differentiate packers and identify new packers as they emerge. We hypothesize that programs generated from the same packer share many common attributes (e.g., PE header fields) and that these may be used for packer identification. Preliminary work shows that for some packers, we may be able to build effective classifiers. This is only the first step in a line of research that seeks to identify new packers, automate their unpacking, and ultimately track new versions of malware as they emerge.

Original language: English (US)
Title of host publication: Proceedings of the 2015 Symposium and Bootcamp on the Science of Security, HotSoS 2015
Publisher: Association for Computing Machinery
ISBN (Electronic): 9781450333764
DOIs: https://doi.org/10.1145/2746194.2746213
State: Published - Apr 21 2015
Event: Symposium and Bootcamp on the Science of Security, HotSoS 2015 - Urbana, United States
Duration: Apr 21 2015 to Apr 22 2015

Publication series

Name: ACM International Conference Proceeding Series
Volume: 21-22-April-2015

Other

Other: Symposium and Bootcamp on the Science of Security, HotSoS 2015
Country: United States
City: Urbana
Period: 4/21/15 to 4/22/15

Fingerprint

Packers
Classifiers
Malware

Keywords

  • D.4.6 [operating systems]: security and protection - invasive software, verification

ASJC Scopus subject areas

  • Software
  • Human-Computer Interaction
  • Computer Vision and Pattern Recognition
  • Computer Networks and Communications

Cite this

Jin, Q., Duan, J., Vasudevan, S., & Bailey, M. D. (2015). Packer classifier based on PE header information. In Proceedings of the 2015 Symposium and Bootcamp on the Science of Security, HotSoS 2015 [2746213] (ACM International Conference Proceeding Series; Vol. 21-22-April-2015). Association for Computing Machinery. https://doi.org/10.1145/2746194.2746213

Packer classifier based on PE header information. / Jin, Qiao; Duan, Jiayi; Vasudevan, Shobha; Bailey, Michael Donald.
Proceedings of the 2015 Symposium and Bootcamp on the Science of Security, HotSoS 2015. Association for Computing Machinery, 2015. 2746213 (ACM International Conference Proceeding Series; Vol. 21-22-April-2015).


Jin, Q, Duan, J, Vasudevan, S & Bailey, MD 2015, Packer classifier based on PE header information. in Proceedings of the 2015 Symposium and Bootcamp on the Science of Security, HotSoS 2015., 2746213, ACM International Conference Proceeding Series, vol. 21-22-April-2015, Association for Computing Machinery, Symposium and Bootcamp on the Science of Security, HotSoS 2015, Urbana, United States, 4/21/15. https://doi.org/10.1145/2746194.2746213
Jin Q, Duan J, Vasudevan S, Bailey MD. Packer classifier based on PE header information. In Proceedings of the 2015 Symposium and Bootcamp on the Science of Security, HotSoS 2015. Association for Computing Machinery. 2015. 2746213. (ACM International Conference Proceeding Series). https://doi.org/10.1145/2746194.2746213
Jin, Qiao ; Duan, Jiayi ; Vasudevan, Shobha ; Bailey, Michael Donald. / Packer classifier based on PE header information. Proceedings of the 2015 Symposium and Bootcamp on the Science of Security, HotSoS 2015. Association for Computing Machinery, 2015. (ACM International Conference Proceeding Series).
@inproceedings{03767468365b4e90a860745802cf4d17,
title = "Packer classifier based on PE header information",
abstract = "Run-time binary packers are used in malware manufacturing to obfuscate the contents of the executable files. Such packing has proved an obstacle for antivirus software that relies on signatures, as the binary contents of packed malware often bear no resemblance to the original code on which the signature was generated. A naive approach, then, is to first attempt to unpack the malware before applying a signature. Unfortunately, malware authors make use of automated tools that drastically reduce the cost of constructing new packers, and as a result, attackers routinely use previously unseen packers when releasing new malware. As a first step towards addressing this problem, we seek to build a binary program classifier that can differentiate packers and identify new packers as they emerge. We hypothesize that programs generated from the same packer share many common attributes (e.g., PE header fields) and that these may be used for packer identification. Preliminary work shows that for some packers, we may be able to build effective classifiers. This is only the first step in a line of research that seeks to identify new packers, automate their unpacking, and ultimately track new versions of malware as they emerge.",
keywords = "D.4.6 [operating systems]: security and protection - invasive software, verification",
author = "Qiao Jin and Jiayi Duan and Shobha Vasudevan and Bailey, {Michael Donald}",
year = "2015",
month = "4",
day = "21",
doi = "10.1145/2746194.2746213",
language = "English (US)",
series = "ACM International Conference Proceeding Series",
publisher = "Association for Computing Machinery",
booktitle = "Proceedings of the 2015 Symposium and Bootcamp on the Science of Security, HotSoS 2015",
}

TY - GEN

T1 - Packer classifier based on PE header information

AU - Jin, Qiao

AU - Duan, Jiayi

AU - Vasudevan, Shobha

AU - Bailey, Michael Donald

PY - 2015/4/21

Y1 - 2015/4/21

N2 - Run-time binary packers are used in malware manufacturing to obfuscate the contents of the executable files. Such packing has proved an obstacle for antivirus software that relies on signatures, as the binary contents of packed malware often bear no resemblance to the original code on which the signature was generated. A naive approach, then, is to first attempt to unpack the malware before applying a signature. Unfortunately, malware authors make use of automated tools that drastically reduce the cost of constructing new packers, and as a result, attackers routinely use previously unseen packers when releasing new malware. As a first step towards addressing this problem, we seek to build a binary program classifier that can differentiate packers and identify new packers as they emerge. We hypothesize that programs generated from the same packer share many common attributes (e.g., PE header fields) and that these may be used for packer identification. Preliminary work shows that for some packers, we may be able to build effective classifiers. This is only the first step in a line of research that seeks to identify new packers, automate their unpacking, and ultimately track new versions of malware as they emerge.

AB - Run-time binary packers are used in malware manufacturing to obfuscate the contents of the executable files. Such packing has proved an obstacle for antivirus software that relies on signatures, as the binary contents of packed malware often bear no resemblance to the original code on which the signature was generated. A naive approach, then, is to first attempt to unpack the malware before applying a signature. Unfortunately, malware authors make use of automated tools that drastically reduce the cost of constructing new packers, and as a result, attackers routinely use previously unseen packers when releasing new malware. As a first step towards addressing this problem, we seek to build a binary program classifier that can differentiate packers and identify new packers as they emerge. We hypothesize that programs generated from the same packer share many common attributes (e.g., PE header fields) and that these may be used for packer identification. Preliminary work shows that for some packers, we may be able to build effective classifiers. This is only the first step in a line of research that seeks to identify new packers, automate their unpacking, and ultimately track new versions of malware as they emerge.

KW - D.4.6 [operating systems]: security and protection - invasive software, verification

UR - http://www.scopus.com/inward/record.url?scp=84986601813&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84986601813&partnerID=8YFLogxK

U2 - 10.1145/2746194.2746213

DO - 10.1145/2746194.2746213

M3 - Conference contribution

T3 - ACM International Conference Proceeding Series

BT - Proceedings of the 2015 Symposium and Bootcamp on the Science of Security, HotSoS 2015

PB - Association for Computing Machinery

ER -