Abstract

Packing algorithms are broadly used to evade anti-malware systems, and the proportion of packed malware has been growing rapidly. However, only a few studies have systematically addressed the detection of the various types of packing algorithms. Following this understanding, we elaborate a method to classify the packing algorithm of a given executable into one of three categories: single-layer packing, re-packing, or multi-layer packing. We convert the entropy values of the executable file loaded into memory into symbolic representations using SAX (Symbolic Aggregate Approximation). Based on experiments with 2196 programs and 19 packing algorithms, we find that the precision (97.7%), accuracy (97.5%), and recall (96.8%) of our method are high enough to confirm that entropy analysis is applicable to identifying packing algorithms.
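The following is an added example, written for this page and not taken from the paper or its authors, of the two steps the abstract describes: computing an entropy series over the bytes of a loaded executable image and converting that series into a SAX word. The chunk size (1024 bytes), the number of PAA segments, the alphabet size and the 16 KiB sample buffer are all assumptions of the example; the paper's own parameters, memory layout handling and downstream classifier are not on this page and are not reproduced.

```python
from __future__ import annotations

import bisect
import math
import random
from collections import Counter
from statistics import NormalDist


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy of a byte chunk in bits per byte (0.0 .. 8.0)."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def entropy_series(data: bytes, chunk_size: int = 1024) -> list[float]:
    """Slice the in-memory image into fixed-size chunks, one entropy value per chunk.
    The chunk size is an assumption of this example, not a value taken from the paper."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def znormalize(series: list[float]) -> list[float]:
    """Standard SAX pre-step: zero mean, unit variance. A flat series (e.g. an all-zero
    image) has zero variance and is mapped to all zeros rather than dividing by zero."""
    n = len(series)
    mean = sum(series) / n
    std = math.sqrt(sum((x - mean) ** 2 for x in series) / n)
    if std < 1e-9:
        return [0.0] * n
    return [(x - mean) / std for x in series]


def paa(series: list[float], segments: int) -> list[float]:
    """Piecewise Aggregate Approximation: average the series down to `segments` values."""
    n = len(series)
    if segments < 1 or segments > n:
        raise ValueError("segments must be between 1 and len(series)")
    return [
        sum(series[j * n // segments:(j + 1) * n // segments])
        / ((j + 1) * n // segments - j * n // segments)
        for j in range(segments)
    ]


def sax_breakpoints(alphabet_size: int) -> list[float]:
    """Breakpoints that split the standard normal distribution into equiprobable regions."""
    nd = NormalDist()
    return [nd.inv_cdf(i / alphabet_size) for i in range(1, alphabet_size)]


def sax_word(series: list[float], segments: int, alphabet_size: int = 4) -> str:
    """Convert a numeric entropy series into a SAX word ('a' = lowest region, and so on)."""
    bps = sax_breakpoints(alphabet_size)
    return "".join(
        chr(ord("a") + bisect.bisect(bps, v)) for v in paa(znormalize(series), segments)
    )


def build_sample_image() -> bytes:
    """Constructed 16 KiB stand-in for a loaded executable (not a real binary):
    4 KiB of zero padding, 8 KiB of pseudo-random bytes standing in for a packed
    section, and 4 KiB of a repeating 16-byte pattern (exactly 4 bits/byte)."""
    rng = random.Random(2024)
    padding = b"\x00" * 4096
    packed = bytes(rng.getrandbits(8) for _ in range(8192))
    patterned = bytes(range(16)) * 256
    return padding + packed + patterned


if __name__ == "__main__":
    series = entropy_series(build_sample_image())
    print("entropy per chunk:", [round(e, 2) for e in series])
    print("SAX word:", sax_word(series, segments=4, alphabet_size=4))
```

On the constructed buffer the entropy series is four chunks near 0, eight near 7.8 and four at exactly 4.0, which SAX with four segments and a four-letter alphabet reduces to the word "addb": the high-entropy region that a packed section produces shows up as the run of "d" symbols. In the paper this symbolic word is what the classifier consumes; the classification into single-layer, re-packed or multi-layer packing is not part of this example.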

Highlights

  • We briefly describe the operations involved in the re-packing and multi-layer packing process of packed executables, using entropy analysis and symbolic representation

  • The data sample consisted of training and testing packed executables in a 50:50 ratio: of a sample of 2196 re-packed and multi-layer packed executables, 1098 formed the training set

  • We proposed a new technique for re-packing or multi-layer packing algorithms detection using


Summary

Background

Malware causes distress and significant financial loss by violating the privacy of computer users. Emboldened by their previous successes, attackers develop their malware so that it is harder to detect [1,2]. Following Yan et al.’s [3] understanding, we consider a packer to be “a program that produces a number of data blocks to form a compressed and encrypted version of the original executable”. Packing helps malware evade anti-virus (AV) software by reducing the size or transforming the appearance of the executable binary [2,4,5,6,7]; in other words, “a packer is a program that transforms an executable binary into another form, and packing is becoming one of the widely used techniques”. To hide the original behavior of the malware, attackers use different packing algorithms to generate a greater number of malware variants. Quickly detecting and correctly unpacking packers allows us to efficiently and accurately unpack a packed executable file and conduct further analysis.

Multi-Layer Packing
Main Contributions
Related Work
Packer Complexity Type
Structure of Packer Detection Algorithm
Entropy Analysis and Measurement
The Conversion of Entropy Values
Classifier
Fidelity Coefficient Similarity Measurement
Incremental Aggregate Analysis
Assessment of the Classification Method
Result of Experiments
Findings
Conclusions