TY - GEN
T1 - Packer classifier based on PE header information
AU - Jin, Qiao
AU - Duan, Jiayi
AU - Vasudevan, Shobha
AU - Bailey, Michael
N1 - Funding Information:
This work is funded by the National Science Foundation. Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.
Publisher Copyright:
Copyright is held by the owner/author(s).
PY - 2015/4/21
Y1 - 2015/4/21
N2 - Run-time binary packers are used in malware manufacturing to obfuscate the contents of executable files. Such packing has proved an obstacle for antivirus software that relies on signatures, as the binary contents of packed malware often bear no resemblance to the original code on which the signature was generated. A naive approach, then, is to first attempt to unpack the malware before applying a signature. Unfortunately, malware authors make use of automated tools that drastically reduce the cost of constructing new packers, and as a result, attackers routinely use previously unseen packers when releasing new malware. As a first step towards addressing this problem, we seek to build a binary program classifier that can differentiate packers and identify new packers as they emerge. We hypothesize that programs generated from the same packer share many common attributes (e.g., PE header fields) and that these may be used for packer identification. Preliminary work shows that for some packers, we may be able to build effective classifiers. This is only the first step in a line of research that seeks to identify new packers, automate their unpacking, and ultimately track new versions of malware as they emerge.
AB - Run-time binary packers are used in malware manufacturing to obfuscate the contents of executable files. Such packing has proved an obstacle for antivirus software that relies on signatures, as the binary contents of packed malware often bear no resemblance to the original code on which the signature was generated. A naive approach, then, is to first attempt to unpack the malware before applying a signature. Unfortunately, malware authors make use of automated tools that drastically reduce the cost of constructing new packers, and as a result, attackers routinely use previously unseen packers when releasing new malware. As a first step towards addressing this problem, we seek to build a binary program classifier that can differentiate packers and identify new packers as they emerge. We hypothesize that programs generated from the same packer share many common attributes (e.g., PE header fields) and that these may be used for packer identification. Preliminary work shows that for some packers, we may be able to build effective classifiers. This is only the first step in a line of research that seeks to identify new packers, automate their unpacking, and ultimately track new versions of malware as they emerge.
KW - D.4.6 [operating systems]: security and protection - invasive software, verification
UR - http://www.scopus.com/inward/record.url?scp=84986601813&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84986601813&partnerID=8YFLogxK
U2 - 10.1145/2746194.2746213
DO - 10.1145/2746194.2746213
M3 - Conference contribution
AN - SCOPUS:84986601813
T3 - ACM International Conference Proceeding Series
BT - Proceedings of the 2015 Symposium and Bootcamp on the Science of Security, HotSoS 2015
PB - Association for Computing Machinery
T2 - Symposium and Bootcamp on the Science of Security, HotSoS 2015
Y2 - 21 April 2015 through 22 April 2015
ER -
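The abstract above hypothesizes that PE header fields carry packer-specific attributes. The following is an added example, not code from the paper or its authors, showing what such a feature vector looks like: it parses the COFF header, optional header and section table directly from the PE/COFF layout, and derives attributes that packers tend to disturb (entry point outside .text, an entry section that is both writable and executable, sections with virtual size but no raw data, non-standard section names, section entropy, and the ratio of mapped image size to raw file size). The two input images are constructed inline by a small builder and are not loadable binaries; the "UPX-like" layout and the feature names are assumptions for illustration, and the paper's learned classifier itself is not reproduced here.

```python
import hashlib
import math
import struct
from collections import Counter

# Layout constants from the PE/COFF specification (not from the paper).
DOS_HEADER_SIZE = 64
COFF_HEADER_FMT = "<HHIIIHH"                          # Machine .. Characteristics (20 bytes)
COFF_HEADER_SIZE = struct.calcsize(COFF_HEADER_FMT)
OPT32_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6   # PE32 optional header, 96 bytes
SECTION_FMT = "<8sIIIIIIHHI"                          # IMAGE_SECTION_HEADER (40 bytes)
SECTION_SIZE = struct.calcsize(SECTION_FMT)
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x20, 0x40, 0x80
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
# Section names a compiler/linker normally emits; anything else is treated as a packer hint (assumption).
STANDARD_NAMES = {b".text", b".rdata", b".data", b".rsrc", b".reloc", b".idata", b".edata", b".pdata", b".bss", b".tls"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for compressed/encrypted payloads, well below that for plain code."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(blob: bytes) -> dict:
    """Extract the header fields used as features from a PE32 or PE32+ image."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from(COFF_HEADER_FMT, blob, coff_off)
    opt_off = coff_off + COFF_HEADER_SIZE
    magic = struct.unpack_from("<H", blob, opt_off)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # AddressOfEntryPoint, SizeOfImage, Subsystem and DllCharacteristics sit at the same offsets in PE32 and PE32+.
    entry = struct.unpack_from("<I", blob, opt_off + 16)[0]
    size_of_image = struct.unpack_from("<I", blob, opt_off + 56)[0]
    subsystem, dllchars = struct.unpack_from("<HH", blob, opt_off + 68)
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, schars = struct.unpack_from(
            SECTION_FMT, blob, opt_off + opt_size + i * SECTION_SIZE)
        sections.append({"name": name.rstrip(b"\0"), "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize,
                         "chars": schars, "entropy": shannon_entropy(blob[rawptr:rawptr + rawsize])})
    return {"machine": machine, "characteristics": chars, "entry": entry, "size_of_image": size_of_image,
            "subsystem": subsystem, "dll_characteristics": dllchars, "sections": sections}


def extract_features(blob: bytes) -> dict:
    """Numeric feature vector over header attributes that packers tend to disturb (feature set is an assumption)."""
    pe = parse_pe(blob)
    secs = pe["sections"]
    idx = next((i for i, s in enumerate(secs)
                if s["vaddr"] <= pe["entry"] < s["vaddr"] + max(s["vsize"], s["rawsize"])), -1)
    entry_sec = secs[idx] if idx >= 0 else None
    wx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    raw_total = sum(s["rawsize"] for s in secs) or 1
    return {
        "num_sections": len(secs),
        "entry_section_index": idx,
        "entry_section_wx": int(entry_sec is not None and entry_sec["chars"] & wx == wx),
        "entry_section_nonstandard": int(entry_sec is not None and entry_sec["name"] not in STANDARD_NAMES),
        "virtual_only_sections": sum(1 for s in secs if s["rawsize"] == 0 and s["vsize"] > 0),
        "nonstandard_names": sum(1 for s in secs if s["name"] not in STANDARD_NAMES),
        "max_section_entropy": round(max(s["entropy"] for s in secs), 3),
        "entry_section_entropy": round(entry_sec["entropy"], 3) if entry_sec else 0.0,
        "image_to_raw_ratio": round(pe["size_of_image"] / raw_total, 2),
    }


def build_pe32(sections, entry_rva: int) -> bytes:
    """Assemble a minimal PE32 image from (name, rva, vsize, raw_bytes, characteristics) tuples.
    Constructed test input for this example only: it mimics the header layout and is not loadable."""
    file_align, sect_align = 0x200, 0x1000
    raw_hdr_len = DOS_HEADER_SIZE + 4 + COFF_HEADER_SIZE + 0xE0 + SECTION_SIZE * len(sections)
    size_of_headers = -(-raw_hdr_len // file_align) * file_align
    hdrs, raws, raw_ptr = b"", b"", size_of_headers
    for name, rva, vsize, data, chars in sections:
        rawsize = -(-len(data) // file_align) * file_align
        hdrs += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, rva, rawsize,
                            raw_ptr if rawsize else 0, 0, 0, 0, 0, chars)
        raws += data.ljust(rawsize, b"\0")
        raw_ptr += rawsize
    size_of_image = -(-max(r + v for _, r, v, _, _ in sections) // sect_align) * sect_align
    opt = struct.pack(OPT32_FMT, 0x10B, 14, 0, 0, 0, 0, entry_rva, 0x1000, 0x1000, 0x400000, sect_align,
                      file_align, 6, 0, 0, 0, 6, 0, 0, size_of_image, size_of_headers, 0, 2, 0x8140,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128   # 16 empty data directories
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", DOS_HEADER_SIZE)
    return (dos + b"PE\0\0" + coff + opt + hdrs).ljust(size_of_headers, b"\0") + raws


def _pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy filler standing in for a compressed payload (constructed, not real packer output)."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


R, RW = IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
RX, RWX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE, RW | IMAGE_SCN_MEM_EXECUTE
# Constructed sample 1: conventional linker layout, entry point in .text.
PLAIN_PE = build_pe32([
    (b".text", 0x1000, 0x1000, bytes(range(32)) * 128, IMAGE_SCN_CNT_CODE | RX),
    (b".rdata", 0x2000, 0x400, b"hello\0" * 64, IMAGE_SCN_CNT_INITIALIZED_DATA | R),
    (b".data", 0x3000, 0x400, b"\0" * 512, IMAGE_SCN_CNT_INITIALIZED_DATA | RW),
], entry_rva=0x1000)
# Constructed sample 2 (UPX-like layout, an assumption): an empty writable section the stub unpacks into,
# a high-entropy RWX section holding payload plus entry point, then .rsrc.
PACKED_PE = build_pe32([
    (b"UPX0", 0x1000, 0x10000, b"", IMAGE_SCN_CNT_UNINITIALIZED_DATA | RWX),
    (b"UPX1", 0x11000, 0x2000, _pseudo_random(4096, b"payload"), IMAGE_SCN_CNT_INITIALIZED_DATA | RWX),
    (b".rsrc", 0x13000, 0x400, b"\0" * 256, IMAGE_SCN_CNT_INITIALIZED_DATA | RW),
], entry_rva=0x12000)

if __name__ == "__main__":
    for label, img in (("plain", PLAIN_PE), ("packed", PACKED_PE)):
        print(label, extract_features(img))
```

The vectors that come out differ sharply in the expected directions (entry index 0 vs 1, entry section RX vs RWX, zero vs one virtual-only section, entropy 5.0 vs roughly 7.95, image-to-raw ratio 3.2 vs about 17.8); those columns are the kind of input a classifier in the paper's sense would be trained on, with one feature row per sample and the packer family as the label. Real samples would also contribute fields this builder leaves constant (linker version, timestamp, subsystem, DllCharacteristics, imports), which are exactly the header attributes the paper proposes to mine.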