2-SPIFF: a 2-stage packer identification method based on function call graph and file attributes

Published: 01 December 2021

Abstract

Most malware employs packing technology to escape detection; thus, packer identification has become increasingly important in malware detection. To improve the accuracy of packer identification, this article analyses the differences in the function call graph (FCG) and file attributes between non-packed executable files and executable files packed by different packers, and further proposes a 2-stage packer identification method based on FCG and file attributes (2-SPIFF). In 2-SPIFF, the detection model of stage I distinguishes non-packed executable files from packed executable files based on the graph features extracted from the FCG, while the identification model of stage II identifies the packer used to pack the original executable file by using the concatenated features extracted from the FCG and file attributes. The experimental results show that 2-SPIFF achieves an accuracy of 99.80% for packer detection and an accuracy of 98.49% for packer identification.
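As an added example, not code from the paper: a miniature version of the two-stage cascade the abstract describes, with a stage I gate on FCG graph features and a stage II model over FCG features concatenated with file attributes. The chosen graph features, the file attributes, the sample call graphs and the nearest-centroid stand-in for the learned models are all assumptions made for this illustration.

```python
# Added example, not from the paper: a miniature two-stage cascade in the
# spirit of 2-SPIFF. Stage I decides packed vs non-packed from graph features
# of the function call graph (FCG); stage II picks the packer from FCG features
# concatenated with file attributes. Features, attributes, graphs and the
# nearest-centroid stand-in for the learned models are all assumptions.
from math import sqrt

def fcg_features(fcg):
    """Graph features from an FCG given as {caller: [callee, ...]}."""
    nodes = set(fcg) | {c for callees in fcg.values() for c in callees}
    n = len(nodes)
    edges = sum(len(callees) for callees in fcg.values())
    leaves = sum(1 for v in nodes if not fcg.get(v))  # functions calling nothing
    density = edges / (n * (n - 1)) if n > 1 else 0.0
    return [n, edges, density, leaves / n if n else 0.0]

class NearestCentroid:
    """Tiny classifier standing in for each stage's learned model."""
    def fit(self, X, y):
        self.centroids = {}
        for label in set(y):
            rows = [x for x, lab in zip(X, y) if lab == label]
            self.centroids[label] = [sum(col) / len(rows) for col in zip(*rows)]
        return self

    def predict(self, x):
        dist = lambda c: sqrt(sum((a - b) ** 2 for a, b in zip(x, c)))
        return min(self.centroids, key=lambda lab: dist(self.centroids[lab]))

# Constructed training data. A normal program exposes a deep, wide FCG; a
# packed file exposes only its unpacking stub to static analysis.
NORMAL = {"main": ["init", "parse", "run"], "parse": ["read", "check"],
          "run": ["work", "log"], "work": ["calc", "log"], "init": []}
STUB_A = {"entry": ["unpack", "jump"], "unpack": ["copy"]}
STUB_B = {"entry": ["decode"]}
# Constructed file attributes: [section count, imports, high-entropy section ratio]
ATTR_A, ATTR_B = [3, 2, 0.67], [2, 0, 1.0]

def build_models():
    stage1 = NearestCentroid().fit(
        [fcg_features(g) for g in (NORMAL, STUB_A, STUB_B)],
        ["non-packed", "packed", "packed"])
    stage2 = NearestCentroid().fit(
        [fcg_features(STUB_A) + ATTR_A, fcg_features(STUB_B) + ATTR_B],
        ["packer_A", "packer_B"])
    return stage1, stage2

def two_stage_identify(stage1, stage2, fcg, attrs):
    g = fcg_features(fcg)  # stage I looks only at the graph features
    if stage1.predict(g) == "non-packed":
        return "non-packed"
    return stage2.predict(g + attrs)  # stage II: FCG + file-attribute features
```

The stub graphs show why stage I works at all: a packed file's statically visible FCG is tiny and dense compared with a real program's, so the graph features separate the two classes before any packer-specific attributes are consulted.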


Published In

Applied Intelligence, Volume 51, Issue 12
Dec 2021
516 pages

Publisher

Kluwer Academic Publishers

United States

Publication History

Published: 01 December 2021
Accepted: 11 March 2021

Author Tags

1. Packer identification
2. Function call graph
3. Feature extraction
4. Machine learning
5. Static analysis

Qualifiers

• Research-article

Funding Sources

• Science and Technology Foundation of Guizhou Province
• National Natural Science Foundation of China
• Program for Science & Technology Innovation Talents in Universities of He'nan Province
• Key Technologies R & D Program of He'nan Province
