An Accurate Packer Identification Method Using Support Vector Machine
Summary :
PEiD is a packer identification tool widely used for malware analysis but its accuracy is becoming lower and lower recently. There exist two major reasons for that. The first is that PEiD does not provide a way to create signatures, though it adopts a signature-based approach. We need to create signatures manually, and it is difficult to catch up with packers created or upgraded rapidly. The second is that PEiD utilizes exact matching. If a signature contains any error, PEiD cannot identify the packer that corresponds to the signature. In this paper, we propose a new automated packer identification method to overcome the limitations of PEiD and report the results of our numerical study. Our method applies string-kernel-based support vector machine (SVM): it can measure the similarity between packed programs without our operations such as manually creating signature and it provides some error tolerant mechanism that can significantly reduce detection failure caused by minor signature violations. In addition, we use the byte sequence starting from the entry point of a packed program as a packer's feature given to SVM. That is, our method combines the advantages from signature-based approach and machine learning (ML) based approach. The numerical results on 3902 samples with 26 packer classes and 3 unpacked (not-packed) classes shows that our method achieves a high accuracy of 99.46% outperforming PEiD and an existing ML-based method that Sun et al. have proposed.
- Publication
- IEICE TRANSACTIONS on Fundamentals Vol.E97-A No.1 pp.253-263
- Publication Date
- 2014/01/01
- Publicized
- Online ISSN
- 1745-1337
- DOI
- 10.1587/transfun.E97.A.253
- Type of Manuscript
- Special Section PAPER (Special Section on Cryptography and Information Security)
- Category
- Foundations
Authors
Ryoichi ISAWA
National Institute of Information and Communications Technology (NICT)
Tao BAN
National Institute of Information and Communications Technology (NICT)
Shanqing GUO
Shandong University
Daisuke INOUE
National Institute of Information and Communications Technology (NICT)
Koji NAKAO
National Institute of Information and Communications Technology (NICT)
Keyword
Latest Issue
Copyrights notice of machine-translated contents
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Cite this
Copy
Ryoichi ISAWA, Tao BAN, Shanqing GUO, Daisuke INOUE, Koji NAKAO, "An Accurate Packer Identification Method Using Support Vector Machine" in IEICE TRANSACTIONS on Fundamentals,
vol. E97-A, no. 1, pp. 253-263, January 2014, doi: 10.1587/transfun.E97.A.253.
Abstract: PEiD is a packer identification tool widely used for malware analysis but its accuracy is becoming lower and lower recently. There exist two major reasons for that. The first is that PEiD does not provide a way to create signatures, though it adopts a signature-based approach. We need to create signatures manually, and it is difficult to catch up with packers created or upgraded rapidly. The second is that PEiD utilizes exact matching. If a signature contains any error, PEiD cannot identify the packer that corresponds to the signature. In this paper, we propose a new automated packer identification method to overcome the limitations of PEiD and report the results of our numerical study. Our method applies string-kernel-based support vector machine (SVM): it can measure the similarity between packed programs without our operations such as manually creating signature and it provides some error tolerant mechanism that can significantly reduce detection failure caused by minor signature violations. In addition, we use the byte sequence starting from the entry point of a packed program as a packer's feature given to SVM. That is, our method combines the advantages from signature-based approach and machine learning (ML) based approach. The numerical results on 3902 samples with 26 packer classes and 3 unpacked (not-packed) classes shows that our method achieves a high accuracy of 99.46% outperforming PEiD and an existing ML-based method that Sun et al. have proposed.
URL: https://globals.ieice.org/en_transactions/fundamentals/10.1587/transfun.E97.A.253/_p
Copy
@ARTICLE{e97-a_1_253,
author={Ryoichi ISAWA, Tao BAN, Shanqing GUO, Daisuke INOUE, Koji NAKAO, },
journal={IEICE TRANSACTIONS on Fundamentals},
title={An Accurate Packer Identification Method Using Support Vector Machine},
year={2014},
volume={E97-A},
number={1},
pages={253-263},
abstract={PEiD is a packer identification tool widely used for malware analysis but its accuracy is becoming lower and lower recently. There exist two major reasons for that. The first is that PEiD does not provide a way to create signatures, though it adopts a signature-based approach. We need to create signatures manually, and it is difficult to catch up with packers created or upgraded rapidly. The second is that PEiD utilizes exact matching. If a signature contains any error, PEiD cannot identify the packer that corresponds to the signature. In this paper, we propose a new automated packer identification method to overcome the limitations of PEiD and report the results of our numerical study. Our method applies string-kernel-based support vector machine (SVM): it can measure the similarity between packed programs without our operations such as manually creating signature and it provides some error tolerant mechanism that can significantly reduce detection failure caused by minor signature violations. In addition, we use the byte sequence starting from the entry point of a packed program as a packer's feature given to SVM. That is, our method combines the advantages from signature-based approach and machine learning (ML) based approach. The numerical results on 3902 samples with 26 packer classes and 3 unpacked (not-packed) classes shows that our method achieves a high accuracy of 99.46% outperforming PEiD and an existing ML-based method that Sun et al. have proposed.},
keywords={},
doi={10.1587/transfun.E97.A.253},
ISSN={1745-1337},
month={January},}
Copy
TY - JOUR
TI - An Accurate Packer Identification Method Using Support Vector Machine
T2 - IEICE TRANSACTIONS on Fundamentals
SP - 253
EP - 263
AU - Ryoichi ISAWA
AU - Tao BAN
AU - Shanqing GUO
AU - Daisuke INOUE
AU - Koji NAKAO
PY - 2014
DO - 10.1587/transfun.E97.A.253
JO - IEICE TRANSACTIONS on Fundamentals
SN - 1745-1337
VL - E97-A
IS - 1
JA - IEICE TRANSACTIONS on Fundamentals
Y1 - January 2014
AB - PEiD is a packer identification tool widely used for malware analysis but its accuracy is becoming lower and lower recently. There exist two major reasons for that. The first is that PEiD does not provide a way to create signatures, though it adopts a signature-based approach. We need to create signatures manually, and it is difficult to catch up with packers created or upgraded rapidly. The second is that PEiD utilizes exact matching. If a signature contains any error, PEiD cannot identify the packer that corresponds to the signature. In this paper, we propose a new automated packer identification method to overcome the limitations of PEiD and report the results of our numerical study. Our method applies string-kernel-based support vector machine (SVM): it can measure the similarity between packed programs without our operations such as manually creating signature and it provides some error tolerant mechanism that can significantly reduce detection failure caused by minor signature violations. In addition, we use the byte sequence starting from the entry point of a packed program as a packer's feature given to SVM. That is, our method combines the advantages from signature-based approach and machine learning (ML) based approach. The numerical results on 3902 samples with 26 packer classes and 3 unpacked (not-packed) classes shows that our method achieves a high accuracy of 99.46% outperforming PEiD and an existing ML-based method that Sun et al. have proposed.
ER -
FlyerIEICE has prepared a flyer regarding multilingual services. Please use the one in your native language.
English
