A STATISTICAL APPROACH FOR PACKER IDENTIFICATION
Keywords:concolic testing, packer, malware analysis, tf-idf, obfuscation techniques.
Most of modern malware are packed by packers which automatically generate a lot of obfuscation techniques to defeat the anti-virus software. To identify packer, most of industry approaches still adopt the well-known technique of signature matching which can be easily evaded. This paper studies the new approach of applying a statistical approach to tackle this problem. We propose a new weight for extracting what obfuscation techniques might be more favourable in packers. We call it obfuscation technique frequency-inverse packer frequency ( ). As the term implies, calculates values for each obfuscation techniques in a packer through an inverse proportion of the frequency of the obfuscation technique in a particular packer to the percentage of packers the obfuscation technique appears in. Obfuscation techniques with high value show a strong relationship with the packer they appear in. Based on this weight, packer is represented by a vector of . Then the used packer is identified by measuring the similarity between vectors of packer and targeted file. For checking the accuracy of our approach, we have performed the experiments of identifying packer on 200 real-world malware for comparing between our approach with the binary signature technique adopted in CFF Explorer. The result shows that our technique produces the better detection.
How to Cite
Vietnam Journal of Sciences and Technology (VJST) is an open access and peer-reviewed journal. All academic publications could be made free to read and downloaded for everyone. In addition, Articles are published under term of the Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA) Licence which permits use, distribution and reproduction in any medium, provided the original work is properly cited & ShareAlike terms followed.
Copyright on any research article published in VJST is retained by the respective author(s), without restrictions. Authors grant VAST Journals System (VJS) a license to publish the article and identify itself as the original publisher. Upon author(s) by giving permission to VJS either via VJS journal portal or other channel to publish their research work in VJS agrees to all the terms and conditions of https://creativecommons.org/licenses/by-sa/4.0/ License and terms & condition set by VJS.
Authors have the responsibility of to secure all necessary copyright permissions for the use of 3rd-party materials in their manuscript.