File Packing from the Malware Perspective: Techniques, Analysis Approaches, and Directions for Enhancements

Muralidharan, Trivikram; Cohen, Avraham; Gerson, Noa; Nissim, Nir

doi:10.1145/3530810

Cited by 22 publications

(7 citation statements)

References 61 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Determining whether a binary has been packed is a critical preliminary step in the process of malware detection [3]. Research conducted by Osaghae indicates that over 80% of current malware samples utilize packing [11], highlighting the significance of addressing this issue through both detection and unpacking.…”

Section: Packed File Detection Using Machine Learningmentioning

confidence: 99%

“…However, the challenge of anti-analysis extends beyond merely prolonging the malware's operational life. When researchers analyze packed malware samples, they often extract features introduced by the packer rather than the original program [3]. This discrepancy can lead to potential mismatches between analysis results and the actual malicious behavior, particularly as packed malware can detect and avoid dynamic analysis.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

A Compact Multi-Step Framework for Packing Identification in Portable Executable Files for Malware Analysis

Kim,

Moon,

Choi

2024

Preprint

View full text Add to dashboard Cite

Packing presents a formidable challenge in the cybersecurity domain, significantly complicating malware analysis and prolonging the lifespan of malicious software. Malicious software frequently utilizes anti-analysis technologies to circumvent antivirus programs and analysis tools. Moreover, the process of training malware classifiers often leads to the acquisition of packer characteristics rather than those of the malware itself, thereby engendering an adversarial example or generalization error. This study seeks to address this problem by introducing a streamlined framework with 20 optimal features for the detection of packing and the identification of packers in portable executable (PE) files. Furthermore, the study proposes the framework for an optimal model capable of detecting packed samples and identifying the signatures of packers based on their unique patterns. This paper outlines an exhaustive experimental phase aimed at ascertaining the most optimal model and features for the proposed framework. The XGBoost model learnt 20 features and demonstrated outstanding performance (99.27% accuracy, 98.84% F1-Score), surpassing that reported in a recent study. Furthermore, through this study, an accessible dataset, comprising 213,784 samples and 125 features, is made available to researchers focused on packing or the development of malware classifiers.

show abstract

Section: Packed File Detection Using Machine Learningmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

A Compact Multi-Step Framework for Packing Identification in Portable Executable Files for Malware Analysis

Kim,

Moon,

Choi

2024

Preprint

View full text Add to dashboard Cite

show abstract

“…Code transformation techniques hinder disassembly tools [105] and evade commercial anti-malware [37,106,107]. These techniques obfuscate existing malware samples to generate unseen malicious files.…”

Section: Code Transformationmentioning

confidence: 99%

A Survey and Evaluation of Android-Based Malware Evasion Techniques and Detection Frameworks

Faruki

Bhan

Jain³

et al. 2023

Information

View full text Add to dashboard Cite

Android platform security is an active area of research where malware detection techniques continuously evolve to identify novel malware and improve the timely and accurate detection of existing malware. Adversaries are constantly in charge of employing innovative techniques to avoid or prolong malware detection effectively. Past studies have shown that malware detection systems are susceptible to evasion attacks where adversaries can successfully bypass the existing security defenses and deliver the malware to the target system without being detected. The evolution of escape-resistant systems is an open research problem. This paper presents a detailed taxonomy and evaluation of Android-based malware evasion techniques deployed to circumvent malware detection. The study characterizes such evasion techniques into two broad categories, polymorphism and metamorphism, and analyses techniques used for stealth malware detection based on the malware’s unique characteristics. Furthermore, the article also presents a qualitative and systematic comparison of evasion detection frameworks and their detection methodologies for Android-based malware. Finally, the survey discusses open-ended questions and potential future directions for continued research in mobile malware detection.

show abstract

“…Although the section above analysed the state-of-the-art of network traffic generators, none of those has a security-oriented approach since there was no distinction between the inference of neutral (benign) and malicious traffic. The particular traffic generation requirements for this purpose, among others, are discussed in [14], where three types of workloads are distinguished: (1) workloads that do not contain attacks (Pure benign); (2) workloads that contain only attacks (pure malicious); (3) workloads that are a mixture of pure benign and pure malicious workloads (Mixed) [54]. These types of workloads may present two different forms: executable and trace.…”

Section: Content Generation For Cybersecurity Evaluationmentioning

confidence: 99%

Introducing the CYSAS-S3 Dataset for Operationalizing a Mission-Oriented Cyber Situational Awareness

Choumanof

Sánchez

Mayo

et al. 2022

Sensors

View full text Add to dashboard Cite

The digital transformation of the defence sector is not exempt from innovative requirements and challenges, with the lack of availability of reliable, unbiased and consistent data for training automatisms (machine learning algorithms, decision-making, what-if recreation of operational conditions, support the human understanding of the hybrid operational picture, personnel training/education, etc.) being one of the most relevant gaps. In the context of cyber defence, the state-of-the-art provides a plethora of data network collections that tend to lack presenting the information of all communication layers (physical to application). They are synthetically generated in scenarios far from the singularities of cyber defence operations. None of these data network collections took into consideration usage profiles and specific environments directly related to acquiring a cyber situational awareness, typically missing the relationship between incidents registered at the hardware/software level and their impact on the military mission assets and objectives, which consequently bypasses the entire chain of dependencies between strategic, operational, tactical and technical domains. In order to contribute to the mitigation of these gaps, this paper introduces CYSAS-S3, a novel dataset designed and created as a result of a joint research action that explores the principal needs for datasets by cyber defence centres, resulting in the generation of a collection of samples that correlate the impact of selected Advanced Persistent Threats (APT) with each phase of their cyber kill chain, regarding mission-level operations and goals.

show abstract

File Packing from the Malware Perspective: Techniques, Analysis Approaches, and Directions for Enhancements

Cited by 22 publications

References 61 publications

A Compact Multi-Step Framework for Packing Identification in Portable Executable Files for Malware Analysis

A Compact Multi-Step Framework for Packing Identification in Portable Executable Files for Malware Analysis

A Survey and Evaluation of Android-Based Malware Evasion Techniques and Detection Frameworks

Introducing the CYSAS-S3 Dataset for Operationalizing a Mission-Oriented Cyber Situational Awareness

Contact Info

Product

Resources

About