All-in-One Framework for Detection, Unpacking, and Verification for Malware Analysis

Choi, Mi-Jung; Bang, Jiwon; Kim, Jong-Wook; Kim, Hajin; Moon, Yang-Sae

doi:10.1155/2019/5278137

Cited by 11 publications

(4 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…The 'ep_only' attribute indicates whether a signature can be found in the entry point section as True or False. The ground truths were labeled based on a portion of the framework proposed in a previous study, referred to as Algorithm 6 [33]. Among the collected samples, 87,499 were labeled as Custom-Packed when a sample had hidden EPS (entry point sections) or high entropy values without a packer signature.…”

Section: Permutation Importancementioning

confidence: 99%

An Efficient Multi-Step Framework for Malware Packing Identification

Kim,

Moon,

Choi

2023

Preprint

View full text Add to dashboard Cite

Packing is a disruptive factor in the field of cybersecurity, as it obstructs the analysis of packed malware and prolongs the lifespan of malware samples. Malware equipped with anti-analysis technologies evades antivirus software and analysis tools. Therefore, detecting and analyzing packed malware is a technically challenging and resource-intensive task. The situation becomes even worse when malware classifiers are trained on the characteristics of packers instead of malware itself. Training models with numerous inadequate data inadvertently renders them impractical for classifying actual malware. Therefore, researchers should consider packetizing to construct practical malware classifier models. In this paper, we aim to propose an opportunity to reconcile the problem of packetizing with identifying it. We present a dataset consisting of over 200K actual malware samples. We propose a multi-step framework for classifying and identifying packed samples. The framework includes pseudo-optimal feature selection, machine learning-based classifiers, and packer identification steps. The framework preselects the top 20 important features using the CART algorithm and permutation importance in the first step. In the second step, each model trains on the preselected 20 features to classify the packed files with the highest performance. The XGBoost algorithm, trained on the features preselected by XGBoost with the permutation importance, demonstrated the best performance among all experimental scenarios, achieving an accuracy of 99.67%, an F1-Score of 99.46%, and an area under the curve of 99.98%. The proposed framework identifies the packer only for samples classified as Well-Known Packed in the third step.

show abstract

Section: Permutation Importancementioning

confidence: 99%

An Efficient Multi-Step Framework for Malware Packing Identification

Kim,

Moon,

Choi

2023

Preprint

View full text Add to dashboard Cite

show abstract

“…This study conducted a comprehensive review of the approaches for detecting malware only based on sample operation codes (OpCodes) and drew useful insights towards them. As mentioned earlier, this study focused on the malware OpCodes features and dropped the other malware features like API system calls features such in [5][38][39][40] [70] and text features such as in [38][39][40] [71][72] due to their limitations, since the former could be decoyed when the evader uses his own developed OpCodes instructions written from the ground up instead of uses of the formal API system calls. As well, it dropped the latter because the garbag of text that could be injected into the malware, which evades detection, too.…”

Section: Recommendations and Future Directionsmentioning

confidence: 99%

Malware Detection Approaches based on Operational Codes (OpCodes) of Executable Programs: A Review

Saleh

2023

IJEEI

View full text Add to dashboard Cite

Usually, malware is analyzed in two ways: dynamic malware analysis and static malware analysis. The former collects feature datasets during the run of the malware, and involves malware API system calls, and registry, file, process, and network activities features. The latter collects feature datasets without the run of the malware, and involves OpCodes and text features. Several previous studies have addressed the review of the malware detection approaches based on various feature datasets, but none of them has addressed the review of the approaches merely based on malware OpCodes features. Therefore, this study aimed to review the malware detection approaches only based on OpCodes features and deduced that there is a positive relationship between the Study Year and the Detection Ratio. Besides, incorporating the improved deep learning (DL) in the approaches for detecting malware only based on OpCodes achieved 1.427 times greater accurate detection ratio.

show abstract

“…Penggunaan teknik enkripsi, mutasi dan pengemasan (packer) untuk melundungi malware dari sistem analis, menjadikan malware mampu menghindari dateksi (Zhang et al, 2020). Variasi dan kemampuan malware meningkat setiap tahun, salah satunya adalah packer yang merupakan sebuah teknik penyamaran yang digunakan untuk menghindari deteksi dan analisis malware (Choi et al, 2019). Pada dasarnya analisis terhadap malware diperlukan untuk mengetahui ciri, pola serangan, pola perlindungan terhadap malware agar tidak mudah dideteksi dan mengantisipasi infeksi malware pada sebuah sistem.…”

Section: Pendahuluanunclassified

Analisis Penggunaan Packer Perangkat Lunak Berbahaya(Malware) Menggunakan Teknik Reverse Engineering

2021

View full text Add to dashboard Cite

Penelitian malware telah banyak dilakukan dengan berbagai metode akan tetapi dengan berkembangnya program malware menjadikannya sulit untuk dideteksi, sistem yang digunakan pada sistem analisis atau antivirus masih memiliki kendala, penggunaan teknik yang berbasis pada signature masih belum mampu untuk melakukan pedeteksian dengan baik. Pengguaan packer menjadi salah satu kendala utama untuk melakukan analisis dikarenakan teknik packer atau teknik penyamaran ini merubah ukuran dari file asli, hal ini dimaksudkan untuk menghindari deteksi, dan penggunaan packer selalu memiliki entropy yang sangat tinggi untuk menyulitkan proses dekripsi algoritma yang digunakan. Penelitian ini bertujuan untuk melakukan analisis terhadap malware yang menggunakan packer untuk melihat informasi dan dapat mengetahui lebih detail struktur dari packer dengan menngunakan teknik reverse engineering

show abstract

All-in-One Framework for Detection, Unpacking, and Verification for Malware Analysis

Cited by 11 publications

References 24 publications

An Efficient Multi-Step Framework for Malware Packing Identification

An Efficient Multi-Step Framework for Malware Packing Identification

Malware Detection Approaches based on Operational Codes (OpCodes) of Executable Programs: A Review

Analisis Penggunaan Packer Perangkat Lunak Berbahaya(Malware) Menggunakan Teknik Reverse Engineering

Contact Info

Product

Resources

About