http://dx.doi.org/10.3745/KTCCS.2013.2.1.043

A Classification Method for Executable Files based on Comparison of Undocumented Information in the PE Header  

Kim, Jung-Sun (Affiliated Institute of ETRI)
Kang, Jung-Min (Affiliated Institute of ETRI)
Kim, Kang-San (Affiliated Institute of ETRI)
Shin, Wook (Affiliated Institute of ETRI)
Publication Information
KIPS Transactions on Computer and Communication Systems / v.2, no.1, 2013, pp. 43-50
Abstract
File identification and analysis is an important process in computer forensics, since it determines which objects need to be collected and analyzed as digital evidence. Efficient file classification aids file identification, especially in copyright infringement cases, where the number of files to examine is often huge. Many file classification methods have been proposed so far, but they have mostly focused on classifying malicious behavior based on known information. Copyright infringement cases call for a different approach, since the material under examination includes not only malicious code but also a vast number of normal files. In this paper, we propose an efficient file classification method that relies on undocumented information in the header of PE format files. Our method is useful in copyright infringement cases, and it can be applied to any PE format executable, whether or not the file is malicious, packed, mutated, transformed, virtualized, or obfuscated.
Keywords
PE(Portable Executable); File Identification; File Classification; Computer Forensics; Malicious Codes;
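The abstract only says that the method compares undocumented information in the PE header. The best-known such block is the Rich header, an undocumented, XOR-encoded record of the Microsoft toolchain components that produced the file, sitting between the DOS stub and the PE signature. The example below is added here to show what such a comparison looks like in practice; it is not the paper's code, and the assumption that the Rich header is the field the authors compare is mine. It parses the header, verifies its checksum (which exposes files whose DOS stub was rewritten, as packers and hand-edited headers do), and groups files by a fingerprint of the toolchain record. The product/build identifiers in the sample data are illustrative values, not a specific compiler release, and the sample PE prefixes are constructed in the script rather than taken from real binaries.

```python
"""Added example (not the paper's code): extract the undocumented Rich header
from a PE file and group files by the toolchain record it carries.  Treating
the Rich header as the 'undocumented PE header information' of the abstract
is an assumption; the abstract does not name the field."""
import hashlib
import struct

DANS = 0x536E6144  # 'DanS' read as a little-endian DWORD


def rol32(v, n):
    n %= 32
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF


def rich_checksum(data, dans_off, raw_entries):
    """Recompute the XOR key: seed with the DanS offset, add every DOS header/stub
    byte rotated by its offset (e_lfanew at 0x3C..0x3F is skipped), then each
    comp-id rotated by its use count.  This is the publicly documented algorithm
    (ntcore's Rich Signature write-up)."""
    cksum = dans_off
    for i in range(dans_off):
        if 0x3C <= i < 0x40:
            continue
        cksum = (cksum + rol32(data[i], i)) & 0xFFFFFFFF
    for comp_id, count in raw_entries:
        cksum = (cksum + rol32(comp_id, count)) & 0xFFFFFFFF
    return cksum


def parse_rich_header(data):
    """Return {'offset', 'key', 'entries', 'checksum_ok'} or None if absent.
    entries are (product_id, build_number, use_count) tuples."""
    if len(data) < 0x40 or data[:2] != b'MZ':
        return None
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    rich_off = data.rfind(b'Rich', 0, min(e_lfanew, len(data)))
    if rich_off < 0 or rich_off + 8 > len(data):
        return None
    key = struct.unpack_from('<I', data, rich_off + 4)[0]
    words, off = [], rich_off - 4
    while off >= 0:                        # walk back, XOR-decoding, to 'DanS'
        w = struct.unpack_from('<I', data, off)[0] ^ key
        if w == DANS:
            break
        words.append(w)
        off -= 4
    else:
        return None
    words.reverse()                        # 3 padding DWORDs, then (comp_id, count) pairs
    if len(words) < 3 or (len(words) - 3) % 2:
        return None
    raw = [(words[i], words[i + 1]) for i in range(3, len(words), 2)]
    return {
        'offset': off,
        'key': key,
        'entries': [(cid >> 16, cid & 0xFFFF, cnt) for cid, cnt in raw],
        'checksum_ok': rich_checksum(data, off, raw) == key,
    }


def rich_fingerprint(entries, ignore_counts=True):
    """Stable label for a toolchain record.  With ignore_counts, files built by
    the same tool set from different sources (counts differ) share a label."""
    blob = b''.join(struct.pack('<HHI', p, b, 0 if ignore_counts else c)
                    for p, b, c in entries)
    return hashlib.sha256(blob).hexdigest()[:16]


def classify(files):
    """Group {name: bytes} by Rich fingerprint; a checksum mismatch (DOS stub
    rewritten by a packer, or a hand-crafted header) gets its own bucket."""
    groups = {}
    for name, data in files.items():
        r = parse_rich_header(data)
        if r is None:
            label = 'no-rich-header'
        else:
            label = rich_fingerprint(r['entries'])
            if not r['checksum_ok']:
                label += '/bad-checksum'
        groups.setdefault(label, []).append(name)
    return groups


def build_sample_pe(entries):
    """Constructed test data, not a real binary: DOS header + classic stub +
    Rich header with a valid checksum + the 'PE\\0\\0' signature."""
    dos = bytearray(64)
    dos[0:2] = b'MZ'
    stub = (b'\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21'
            b'This program cannot be run in DOS mode.\r\r\n$').ljust(64, b'\0')
    dans_off = len(dos) + len(stub)                  # 0x80, as in MSVC output
    raw = [((p << 16) | b, c) for p, b, c in entries]
    struct.pack_into('<I', dos, 0x3C, dans_off + 24 + 8 * len(raw))  # e_lfanew
    key = rich_checksum(bytes(dos) + stub, dans_off, raw)
    rich = struct.pack('<4I', DANS ^ key, key, key, key)
    for cid, cnt in raw:
        rich += struct.pack('<II', cid ^ key, cnt ^ key)
    rich += b'Rich' + struct.pack('<I', key)
    return bytes(dos) + stub + rich + b'PE\0\0'


if __name__ == '__main__':
    toolchain_a = [(0x00DE, 0x5E76, 3), (0x00DD, 0x5E76, 11), (0x0102, 0x5E76, 1)]
    samples = {
        'a.exe': build_sample_pe(toolchain_a),
        'b.exe': build_sample_pe([(p, b, c + 5) for p, b, c in toolchain_a]),
        'c.exe': build_sample_pe([(0x0104, 0x7B27, 2)]),
        'plain.exe': b'MZ' + bytes(58) + b'\x40\0\0\0' + b'PE\0\0',
    }
    packed = bytearray(samples['a.exe'])
    packed[0x50] ^= 0xFF                             # stub rewritten, header kept
    samples['a-packed.exe'] = bytes(packed)
    for label, names in classify(samples).items():
        print(label, names)
```

On a real corpus you would read the first few kilobytes of each file (the Rich header always precedes the PE signature) and feed them to `classify`; the checksum check is what keeps a copied or forged header from silently landing a file in the wrong group.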