http://dx.doi.org/10.13089/JKIISC.2020.30.2.169

Packer Identification Using Adaptive Boosting Algorithm

Jang, Yun-Hwan (Hanyang University)
Park, Seong-Jun (Hanyang University)
Park, Yongsu (Hanyang University)
Abstract
Malware analysis is one of the important concerns of computer security, and advances in analysis techniques have become important for computer security. In the past, the signature-based method was used to detect malware. However, as the percentage of packed malware increased, it became more difficult to detect malware using the conventional method. In this paper, we propose a method for identifying the packers of packed programs using machine learning. The proposed method parses the packed program to extract specific PE information that can identify the packer, and identifies the packer using the Adaptive Boosting algorithm, one of the machine learning models. To verify the accuracy of the proposed method, we collected and tested 391 programs packed with 12 types of packers and found that the packers were identified with an accuracy of about 99.2%. In addition, we present the identification results of PEiD, a signature-based PE identification tool, and of an existing machine learning method. The proposed method shows better performance than the existing methods in terms of both accuracy and speed of packer identification.
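The pipeline the abstract describes, as an added example that is not the paper's code: parse the PE headers of a sample into a small feature vector, then fit an Adaptive Boosting ensemble of one-level decision stumps and use it to label new samples. Everything specific here is an assumption: the page does not say which PE fields the authors use, so the four features (section count, whether the entry point lies in the first section, the fraction of sections with no raw data, whether the first section is named `.text`) are a constructed feature set; the "PK0"/"PK1" packer and every PE image in `CORPUS` are built by `build_pe` purely for the demo and correspond to no real packer or file; and the classifier is binary (one packer versus the rest), whereas the paper's 12-packer setting would need a one-versus-rest wrapper or a multi-class boosting variant.

```python
"""Packer identification demo: PE-header features + AdaBoost over decision stumps.
Added example; the feature set, the packer "PK" and all PE images are constructed."""
import math
import struct
from typing import List, Sequence, Tuple

Features = Tuple[float, ...]
Stump = Tuple[int, float, int]       # (feature index, threshold, polarity)
Model = List[Tuple[float, Stump]]    # (alpha, stump) pairs


def build_pe(names: Sequence[bytes], entry_section: int, raw_sizes: Sequence[int]) -> bytes:
    """Construct a minimal PE32 image (headers only, no code) for the demo; not a real sample."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (224 for PE32), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x1000 * (entry_section + 1))  # AddressOfEntryPoint
    secs = b""
    for i, (name, raw) in enumerate(zip(names, raw_sizes)):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData; rest left zero
        secs += struct.pack("<8sIIII", name, 0x1000, 0x1000 * (i + 1), raw, 0x400 * (i + 1)) + b"\0" * 16
    return dos + b"PE\0\0" + coff + bytes(opt) + secs


def extract_features(pe: bytes) -> Features:
    """Parse the PE headers and return the assumed packer-indicative features:
    (section count, entry point in first section?, fraction of sections with no raw data,
     first section named .text?)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    if n_sections == 0:
        raise ValueError("no section headers")
    opt_off = e_lfanew + 24
    entry_rva = struct.unpack_from("<I", pe, opt_off + 16)[0]
    sec_off = opt_off + opt_size
    names, zero_raw, entry_idx = [], 0, -1
    for i in range(n_sections):
        name, vsize, vaddr, raw, _ = struct.unpack_from("<8sIIII", pe, sec_off + 40 * i)
        names.append(name.rstrip(b"\0"))
        zero_raw += raw == 0
        if vaddr <= entry_rva < vaddr + vsize:
            entry_idx = i
    return (float(n_sections), float(entry_idx == 0), zero_raw / n_sections, float(names[0] == b".text"))


def stump_predict(stump: Stump, x: Features) -> int:
    f, thr, pol = stump
    return pol if x[f] <= thr else -pol


def best_stump(X: Sequence[Features], y: Sequence[int], w: Sequence[float]) -> Tuple[Stump, float]:
    """Exhaustively pick the stump with the lowest weighted error on the current weights."""
    best, best_err = (0, 0.0, 1), float("inf")
    for f in range(len(X[0])):
        for thr in sorted({x[f] for x in X}):
            for pol in (1, -1):
                err = sum(wi for xi, yi, wi in zip(X, y, w) if stump_predict((f, thr, pol), xi) != yi)
                if err < best_err:
                    best, best_err = (f, thr, pol), err
    return best, best_err


def train_adaboost(X: Sequence[Features], y: Sequence[int], rounds: int) -> Model:
    n = len(X)
    w = [1.0 / n] * n
    model: Model = []
    for _ in range(rounds):
        stump, err = best_stump(X, y, w)
        if err >= 0.5:  # no weak learner better than chance: stop
            break
        err = max(err, 1e-10)
        alpha = 0.5 * math.log((1.0 - err) / err)
        model.append((alpha, stump))
        # up-weight the samples this stump got wrong, down-weight the rest, renormalise
        w = [wi * math.exp(-alpha * yi * stump_predict(stump, xi)) for xi, yi, wi in zip(X, y, w)]
        total = sum(w)
        w = [wi / total for wi in w]
    return model


def predict(model: Model, x: Features) -> int:
    return 1 if sum(a * stump_predict(s, x) for a, s in model) > 0 else -1


# Constructed corpus (no real files): +1 = packed with the hypothetical "PK" packer, -1 = anything else.
STD = [b".text", b".rdata", b".data", b".rsrc"]
CORPUS = [
    (build_pe([b"PK0", b"PK1", b".rsrc"], 1, [0, 0x5000, 0x400]), 1),
    (build_pe([b"PK0", b"PK1"], 1, [0, 0x3000]), 1),
    (build_pe([b"PK0", b"PK1", b".rsrc", b".reloc"], 1, [0, 0x8000, 0x400, 0x200]), 1),
    (build_pe([b"PK0", b"PK1", b".rsrc"], 1, [0, 0x2000, 0x100]), 1),
    (build_pe(STD, 0, [0x4000, 0x800, 0x400, 0x600]), -1),
    (build_pe(STD + [b".reloc"], 0, [0x4000, 0x800, 0x400, 0x600, 0x200]), -1),
    (build_pe([b".text", b".data", b".rsrc"], 0, [0x3000, 0x400, 0x200]), -1),
    (build_pe([b".text", b".rdata", b".data", b".idata", b".rsrc", b".reloc"], 0,
              [0x6000, 0x800, 0x400, 0x200, 0x600, 0x200]), -1),
    (build_pe([b".text", b".bss", b".data", b".rsrc"], 0, [0x4000, 0, 0x400, 0x600]), -1),  # .bss: no raw data
    (build_pe([b"CODE", b"DATA", b".rsrc"], 0, [0x5000, 0x800, 0x400]), -1),                # non-.text names
    (build_pe([b".text", b".init", b".data"], 1, [0x800, 0x4000, 0x400]), -1),              # entry not first
]


def train_on_corpus(rounds: int = 5) -> Model:
    X = [extract_features(pe) for pe, _ in CORPUS]
    y = [label for _, label in CORPUS]
    return train_adaboost(X, y, rounds)


def training_accuracy(model: Model) -> float:
    hits = sum(predict(model, extract_features(pe)) == label for pe, label in CORPUS)
    return hits / len(CORPUS)


if __name__ == "__main__":
    m = train_on_corpus()
    for alpha, (f, thr, pol) in m:
        print(f"alpha={alpha:.3f}  feature[{f}] <= {thr:.3f} -> {pol:+d}")
    print("training accuracy:", training_accuracy(m))
    fresh = build_pe([b"PK0", b"PK1", b".rsrc"], 1, [0, 0x1000, 0x200])
    print("fresh sample:", "PK-packed" if predict(m, extract_features(fresh)) == 1 else "other")
```

No single feature separates this corpus (the `.bss` sample has a raw-size-zero section, the `CODE`/`DATA` sample lacks a `.text` first section, and one unpacked sample has its entry point outside the first section), so the ensemble needs several stumps before it labels every training sample correctly; that interplay is the point of boosting over a signature-style single rule. On real data the feature extraction would additionally have to cope with malformed headers, since packers routinely write unusual but loadable PE metadata.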
Keywords
Computer security; Information security; Malware detection; Machine learning;