An Accurate Packer Identification Method Using Support Vector Machine
スポンサーリンク
概要
- 論文の詳細を見る
PEiD is a packer identification tool widely used for malware analysis but its accuracy is becoming lower and lower recently. There exist two major reasons for that. The first is that PEiD does not provide a way to create signatures, though it adopts a signature-based approach. We need to create signatures manually, and it is difficult to catch up with packers created or upgraded rapidly. The second is that PEiD utilizes exact matching. If a signature contains any error, PEiD cannot identify the packer that corresponds to the signature. In this paper, we propose a new automated packer identification method to overcome the limitations of PEiD and report the results of our numerical study. Our method applies string-kernel-based support vector machine (SVM): it can measure the similarity between packed programs without our operations such as manually creating signature and it provides some error tolerant mechanism that can significantly reduce detection failure caused by minor signature violations. In addition, we use the byte sequence starting from the entry point of a packed program as a packer's feature given to SVM. That is, our method combines the advantages from signature-based approach and machine learning (ML) based approach. The numerical results on 3902 samples with 26 packer classes and 3 unpacked (not-packed) classes shows that our method achieves a high accuracy of 99.46% outperforming PEiD and an existing ML-based method that Sun et al. have proposed.
著者
-
NAKAO Koji
National Institute of Information and Communications Technology
-
Guo Shanqing
Shandong University
-
BAN Tao
National Institute of Information and Communications Technology
-
Inoue Daisuke
National Institute Of Information And Communicarions Technology
-
BAN Tao
National Institute of Information and Communications Technology (NICT)
-
ISAWA Ryoichi
National Institute of Information and Communications Technology (NICT)
-
NAKAO Koji
National Institute of Information and Communications Technology (NICT)
関連論文
- O-means: An Optimized Clustering Method for Analyzing Spam Based Attacks
- 招待講演 nicter: An Incident Analysis System for the Global Internet using Correlation between Network Monitoring and Malware Analysis
- 招待講演 nicter: An Incident Analysis System for the Global Internet using Correlation between Network Monitoring and Malware Analysis
- Fine-Grain Feature Extraction from Malware's Scan Behavior Based on Spectrum Analysis
- Malware Sandbox Analysis for Secure Observation of Vulnerability Exploitation
- Automated Malware Analysis System and Its Sandbox for Revealing Malware's Internal and External Activities
- Practical Correlation Analysis between Scan and Malware Profiles against Zero-Day Attacks Based on Darknet Monitoring
- Special Section on Information Theory and Its Applications
- O-means : An Optimized Clustering Method for Analyzing Spam Based Attacks
- A Comparative Study of Unsupervised Anomaly Detection Techniques Using Honeypot Data
- P2P Network Traffic Analysis Using Data Mining Engines
- A Novel Malware Clustering Method Using Frequency of Function Call Traces in Parallel Threads
- An Empirical Evaluation of an Unpacking Method Implemented with Dynamic Binary Instrumentation
- Malware Sandbox Analysis with Efficient Observation of Herder's Behavior
- Malware Sandbox Analysis with Efficient Observation of Herder's Behavior
- Catching the Behavioral Differences between Multiple Executions for Malware Detection
- An Accurate Packer Identification Method Using Support Vector Machine
- Design and Implementation of Security for HIMALIS Architecture of Future Networks
- Catching the Behavioral Differences between Multiple Executions for Malware Detection