Complexity-based packed executable classification with high accuracy

Signature-based anti-virus scanners that use specific byte strings are one of the popular malware detection methods. This method shows high efficiency and a low false rate in detecting malware. However, it cannot successfully detect malware when a packer has been applied to it. A packer compresses or encrypts the target file and pads the compressed or encrypted file into an additional section, thereby changing the bit structure of the malware. When a packed executable file is executed, the compressed or encrypted file is decompressed or decrypted in memory, and the program loaded in memory is then executed. This means that the function of the packed executable program is the same as that of the original program. Signature-based anti-virus scanners employ two methods to overcome the difficulty of detecting packed malware: packed executable classification and generic unpacking. Packed executable classification decides whether the target program is packed or not; generic unpacking is then performed depending on that decision. Various generic unpacking methods have been researched [13, 14, 15, 22], but they consume a long time and considerable computing resources. Thus, the accuracy of packed executable classification is the critical issue in efficient malware detection: when a false positive occurs, unnecessary time and resources are wasted performing generic unpacking on a non-packed executable file, and when a false negative occurs, malware detection fails. Previous packed executable classification methods show high false rates and can be easily evaded. PEiD [11] can be easily evaded by a false signature. Bintropy [20] shows a false rate of about 10%, and it can also be evaded by monotonous padding bytes. Finally, Roberto et al. show a high classification accuracy of about 97%, but this method can be evaded by PE header modification. In this thesis, we propose a highly accurate classification met...
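To make the Bintropy-style entropy test and the padding weakness mentioned above concrete, here is an added Python example; it is not the thesis's code nor that of any cited work. It assumes 256-byte analysis blocks and the two entropy thresholds shown as constants, uses deflate as a stand-in packer, and builds its three sample sections from constructed data.

```python
"""Block-entropy check for packed sections (illustrative; not the thesis's method)."""
import math
import random
import zlib
from collections import Counter

BLOCK_SIZE = 256         # analysis window in bytes (assumed)
AVG_THRESHOLD = 6.677    # mean block entropy (bits/byte) above which data looks packed (assumed)
MAX_THRESHOLD = 7.199    # highest block entropy above which data looks packed (assumed)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def block_entropies(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Entropy of each complete block; a trailing partial block is dropped."""
    return [shannon_entropy(data[i:i + block_size])
            for i in range(0, len(data) - block_size + 1, block_size)]


def is_packed(data: bytes) -> bool:
    """Packed when both the mean and the peak block entropy exceed their thresholds."""
    ents = block_entropies(data)
    if not ents:
        return False
    return sum(ents) / len(ents) > AVG_THRESHOLD and max(ents) > MAX_THRESHOLD


# Constructed sample input (no real binaries): a "code" section drawn from a 64-value
# alphabet (about 6 bits/byte), the same bytes after deflate compression (standing in
# for a packer), and the compressed bytes followed by three times as many zero bytes.
_rng = random.Random(2009)
ORIGINAL_SECTION = bytes(_rng.choice(range(0, 256, 4)) for _ in range(8192))
PACKED_SECTION = zlib.compress(ORIGINAL_SECTION, 9)
PADDED_SECTION = PACKED_SECTION + bytes(3 * len(PACKED_SECTION))


def classify_samples() -> dict:
    """Verdicts for the three sections; the zero-padded one is a false negative."""
    return {name: is_packed(blob) for name, blob in
            (("original", ORIGINAL_SECTION), ("packed", PACKED_SECTION),
             ("padded", PADDED_SECTION))}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:9s} packed={verdict}")
```

The padded case is why mean entropy alone is a weak classifier: low-entropy filler drags the average under the threshold even though the high-entropy compressed blocks are still present.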
Advisors
Kim, Kwang-Jo (김광조)
Publisher
Information and Communications University (한국정보통신대학교)
Issue Date
2009
Identifier
393083/225023 / 020074249
Language
eng
Description

Master's thesis - Information and Communications University: School of Engineering, 2009.2, [vii, 39 p.]

Keywords

Malware; Classification; Executable packing; Packed Executable; Packer; Complexity

URI
http://hdl.handle.net/10203/55062
Link
http://library.kaist.ac.kr/search/detail/view.do?bibCtrlNo=393083&flag=t
Appears in Collection
School of Engineering - Theses_Master (Master's theses, School of Engineering)