Exploring the Long Tail of (Malicious) Software Downloads

Rahbarinia, Babak; Balduzzi, Marco; Perdisci, Roberto

doi:10.1109/dsn.2017.19

Cited by 12 publications

(16 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Many experts assume that these results are due to the fact that classifiers just learn to distinguish between packed and unpacked programs. In fact, we would expect that machine-learning-based classifiers will deliver poor performance in real-world settings, where packing is increasingly seen in both malicious and benign software [10,59,84]. Unfortunately, most related work did not consider or only briefly discussed the effects of packing when proposing machine-learning-based classifiers [43,56,80,81,82,96,97].…”

Section: Introductionmentioning

confidence: 99%

“…As packing is being increasingly adopted by legitimate software [84], the anti-malware industry needs to do better than detecting packers, otherwise good and bad programs are misclassified, causing pain to users and eventually resulting in alert fatigue and missed detections. This is especially a concern for previous studies that rely on anti-malware products for establishing ground truth, as misclassification of packed benign programs might have biased those studies [22,43,86,88,97].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

When Malware is Packin' Heat; Limits of Machine Learning Classifiers Based on Static Analysis Features

Aghakhani

Gritti

Mecca³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Machine learning techniques are widely used in addition to signatures and heuristics to increase the detection rate of anti-malware software, as they automate the creation of detection models, making it possible to handle an ever-increasing number of new malware samples. In order to foil the analysis of anti-malware systems and evade detection, malware uses packing and other forms of obfuscation. However, few realize that benign applications use packing and obfuscation as well, to protect intellectual property and prevent license abuse.

show abstract

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

When Malware is Packin' Heat; Limits of Machine Learning Classifiers Based on Static Analysis Features

Aghakhani

Gritti

Mecca³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…While the exact fraction of packed malware samples is still unclear, in a recent study by Rahbarinia et al [34], the authors found that 58% of the malicious downloaded files are packed with an off-the-shelf packer. However, their estimation does not take into account the presence of custom packers (35% of packed malware adopts custom packers, according to [29]).…”

Section: Introductionmentioning

confidence: 99%

“…Therefore, even if the existence of low-entropy packing was known to researchers, it was often dismissed as statistically irrelevant and with a negligible impact on practical experiments. As a result, researchers (such as in [26], [33], [39], [48], [34], [47]) continued to resort to entropy-based metrics and static signatures to identify the presence of packing. For instance, in the extensive analysis and large-scale measurement of malware packing performed to date [47], the authors selected their samples from VirusTotal [8] by querying for files with an entropy greater than seven.…”

Section: Introductionmentioning

confidence: 99%

Prevalence and Impact of Low-Entropy Packing Schemes in the Malware Ecosystem

Mantovani¹,

Aonzo

Ugarte-Pedrero

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

An open research problem on malware analysis is how to statically distinguish between packed and non-packed executables. This has an impact on antivirus software and malware analysis systems, which may need to apply different heuristics or to resort to more costly code emulation solutions to deal with the presence of potential packing routines. It can also affect the results of many research studies in which the authors adopt algorithms that are specifically designed for packed or non-packed binaries. Therefore, a wrong answer to the question "is this executable packed?" can make the difference between malware evasion and detection. It has long been known that packing and entropy are strongly correlated, often leading to the wrong assumption that a low entropy score implies that an executable is NOT packed. Exceptions to this rule exist, but they have always been considered as oneoff cases, with a negligible impact on any large scale experiment. However, if such an assumption might have been acceptable in the past, our experiments show that this is not the case anymore as an increasing and remarkable number of packed malware samples implement proper schemes to keep their entropy low. In this paper, we empirically investigate and measure this problem by analyzing a dataset of 50K low-entropy Windows malware samples. Our tests show that, despite all samples have a low entropy value, over 30% of them adopt some form of runtime packing. We then extended our analysis beyond the pure entropy, by considering all static features that have been proposed so far to identify packed code. Again, our tests show that even a state of the art machine learning classifier is unable to conclude whether a low-entropy sample is packed or not by relying only on features extracted with static analysis.

show abstract

“…This becomes a more severe problem for static malware detectors, since packing is also in widespread use in benign samples today. samples [28]. Although dynamic analysis is shown to be susceptible to evasion techniques, run-time behavior is hard to obfuscate.…”

Section: Introductionmentioning

confidence: 99%

Neurlux

Jindal

Salls

Aghakhani

et al. 2019

Proceedings of the 35th Annual Computer Security Applications Conference

View full text Add to dashboard Cite

Malware detection plays a vital role in computer security. Modern machine learning approaches have been centered around domain knowledge for extracting malicious features. However, many potential features can be used, and it is time consuming and difficult to manually identify the best features, especially given the diverse nature of malware.In this paper, we propose Neurlux, a neural network for malware detection. Neurlux does not rely on any feature engineering, rather it learns automatically from dynamic analysis reports that detail behavioral information. Our model borrows ideas from the field of document classification, using word sequences present in the reports to predict if a report is from a malicious binary or not. We investigate the learned features of our model and show which components of the reports it tends to give the highest importance. Then, we evaluate our approach on two different datasets and report formats, showing that Neurlux improves on the state of the art and can effectively learn from the dynamic analysis reports. Furthermore, we show that our approach is portable to other malware analysis environments and generalizes to different datasets. CCS CONCEPTS• Security and privacy → Software and application security; • Computing methodologies → Neural networks.

show abstract

Exploring the Long Tail of (Malicious) Software Downloads

Cited by 12 publications

References 9 publications

When Malware is Packin' Heat; Limits of Machine Learning Classifiers Based on Static Analysis Features

When Malware is Packin' Heat; Limits of Machine Learning Classifiers Based on Static Analysis Features

Prevalence and Impact of Low-Entropy Packing Schemes in the Malware Ecosystem

Neurlux

Contact Info

Product

Resources

About