Packer classifier based on PE header information

Qiao Jin, Jiayi Duan, Shobha Vasudevan, Michael Bailey

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Run-time binary packers are used in malware manufacturing to obfuscate the contents of the executable files. Such packing has proved an obstacle for antivirus software that relies on signatures, as the binary contents of packed malware often bears no resemblance to the original code on which the signature was generated. A naive approach, then, is to first attempt to unpack the malware before applying a signature. Unfortunately, malware authors make use of automated tools that drastically reduce the cost of constructing new packers, and as a result, attackers routinely use previously unseen packer when releasing new malware. As a first step towards addressing this problem, we seek to build a binary program classifier that can differentiate packers and identify new packers as they emerge. We hypothesize that programs generated from the same packer share many common attributes (e.g., PE header fields) and that these may be used for packer identification. Preliminary work shows that for some packers, we may be able to build effective classifiers. This is only the first step in a line of research that seeks to identify new packers, automate their unpacking, and ultimately track new versions of malware as they emerge.

Original languageEnglish (US)
Title of host publicationProceedings of the 2015 Symposium and Bootcamp on the Science of Security, HotSoS 2015
PublisherAssociation for Computing Machinery
ISBN (Electronic)9781450333764
DOIs
StatePublished - Apr 21 2015
EventSymposium and Bootcamp on the Science of Security, HotSoS 2015 - Urbana, United States
Duration: Apr 21 2015Apr 22 2015

Publication series

NameACM International Conference Proceeding Series
Volume21-22-April-2015

Other

OtherSymposium and Bootcamp on the Science of Security, HotSoS 2015
CountryUnited States
CityUrbana
Period4/21/154/22/15

Keywords

  • D.4.6 [operating systems]: security and protection - invasive software, verification

ASJC Scopus subject areas

  • Software
  • Human-Computer Interaction
  • Computer Vision and Pattern Recognition
  • Computer Networks and Communications

Fingerprint Dive into the research topics of 'Packer classifier based on PE header information'. Together they form a unique fingerprint.

Cite this