Top

Published in:

2020 | OriginalPaper | Chapter

Detection of Metamorphic Malware Packers Using Multilayered LSTM Networks

Authors : Erik Bergenholtz, Emiliano Casalicchio, Dragos Ilie, Andrew Moss

Published in: Information and Communications Security

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Malware authors do their best to conceal their malicious software to increase its probability of spreading and to slow down analysis. One method used to conceal malware is packing, in which the original malware is completely hidden through compression or encryption, only to be reconstructed at run-time. In addition, packers can be metamorphic, meaning that the output of the packer will never be exactly the same, even if the same file is packed again. As the use of known off-the-shelf malware packers is declining, it is becoming increasingly more important to implement methods of detecting packed executables without having any known samples of a given packer. In this study, we evaluate the use of recurrent neural networks as a means to classify whether or not a file is packed by a metamorphic packer. We show that even with quite simple networks, it is possible to correctly distinguish packed executables from non-packed executables with an accuracy of up to \(89.36\%\) when trained on a single packer, even for samples packed by previously unseen packers. Training the network on more packer raises this number to up to \(99.69\%\).

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter A Machine Learning-Assisted Compartmentalization Scheme for Bare-Metal Systems

next chapter Profile Matching Across Online Social Networks

Available only for authorised users

An epoch is a pass over all training and validation data exactly once.

https://gist.github.com/erikbergenholtz/a653d46db64c2ce490af91698f75e992.

Windows 10 Education 32-bit, build 17763.316.

\(\texttt {objdump -d <FILENAME>}\).

\(\texttt {objdump -Mintel -D --start-address <ENTRY POINT>}\).

Objdump. https://sourceware.org/binutils/docs/binutils/objdump.html. Accessed 16 Jan 2020

Radare2. https://www.radare.org/r/. Accessed 16 Jan 2020

Retargetable decompiler. https://retdec.com/. Accessed 8 May 2019

Intel® 64 and IA-32 ArchitecturesSoftware Developer’s Manual, May 2019

Ban, T., Isawa, R., Guo, S., Inoue, D., Nakao, K.: Application of string kernel based support vector machine for malware packer identification. In: The 2013 International Joint Conference on Neural Networks, IJCNN 2013, Dallas, TX, USA, 4–9 August 2013, pp. 1–8. IEEE (2013). https://doi.org/10.1109/IJCNN.2013.6707043

Ban, T., Isawa, R., Guo, S., Inoue, D., Nakao, K.: Efficient malware packer identification using support vector machines with spectrum kernel. In: Eighth Asia Joint Conference on Information Security, AsiaJCIS 2013, Seoul, Korea, 25–26 July 2013, pp. 69–76. IEEE (2013). https://doi.org/10.1109/ASIAJCIS.2013.18

Bat-Erdene, M., Kim, T., Li, H., Lee, H.: Dynamic classification of packing algorithms for inspecting executables using entropy analysis. In: 8th International Conference on Malicious and Unwanted Software: “The Americas”, MALWARE 2013, Fajardo, PR, USA, 22–24 October 2013, pp. 19–26. IEEE Computer Society (2013). https://doi.org/10.1109/MALWARE.2013.6703681

Bat-Erdene, M., Kim, T., Park, H., Lee, H.: Packer detection for multi-layer executables using entropy analysis. Entropy 19(3), 125 (2017). https://doi.org/10.3390/e19030125CrossRef

Bat-Erdene, M., Park, H., Li, H., Lee, H., Choi, M.-S.: Entropy analysis to classify unknown packing algorithms for malware detection. Int. J. Inf. Secur. 16(3), 227–248 (2017). https://doi.org/10.1007/s10207-016-0330-4CrossRef

10.

Bergenholtz, E., Casalicchio, E., Ilie, D., Moss, A.: Appendices for: detection of metamorphic malware packers using multilayered LSTM networks (2020). https://github.com/erikbergenholtz/appendix_metamorphic_packers/blob/master/appendix.pdf. Accessed 14 Apr 2020

11.

Blazytko, T., Contag, M., Aschermann, C., Holz, T.: Syntia: syntesizing the semantics of obfuscated code. In: Proceedings of 26 USENIX Security Symposium. Vancouver, BC, Canada, August 2017

12.

Brosch, T., Morgenstern, M.: Runtime packers: the hidden problem. Black Hat USA (2006)

13.

Burgess, C.J., Kurugollu, F., Sezer, S., McLaughlin, K.: Detecting packed executables using steganalysis. In: 5th European Workshop on Visual Information Processing, EUVIP 2014, Villetaneuse, Paris, France, 10–12 December 2014, pp. 1–5. IEEE (2014). https://doi.org/10.1109/EUVIP.2014.7018361

14.

Collberg, C., Thomborson, C., Low, D.: A taxonomy of obfuscating transformations, January 1997. http://www.cs.auckland.ac.nz/staff-cgi-bin/mjd/csTRcgi.pl?serial

15.

The Mental Driller: Metamorphism in practice or “How I made MetaPHOR and what I’ve learnt”, February 2002. https://web.archive.org/web/20070602061547/http://vx.netlux.org/lib/vmd01.html. Accessed 10 Dec 2019

16.

Gupta, N., Naval, S., Laxmi, V., Gaur, M.S., Rajarajan, M.: P-SPADE: GPU accelerated malware packer detection. In: Miri, A., Hengartner, U., Huang, N., Jøsang, A., García-Alfaro, J. (eds.) 2014 Twelfth Annual International Conference on Privacy, Security and Trust, Toronto, ON, Canada, 23–24 July 2014, pp. 257–263. IEEE Computer Society (2014). https://doi.org/10.1109/PST.2014.6890947

17.

holy\_father: Morphine v2.7 (2004). https://github.com/bowlofstew/rootkit.com/tree/master/hf/Morphine27. Accessed 24 Oct 2018

18.

Hubballi, N., Dogra, H.: Detecting packed executable file: supervised or anomaly detection method? In: 11th International Conference on Availability, Reliability and Security, ARES 2016, Salzburg, Austria, 31 August–2 September 2016, pp. 638–643. IEEE Computer Society (2016). https://doi.org/10.1109/ARES.2016.18

19.

Jeong, G., Choo, E., Lee, J., Bat-Erdene, M., Lee, H.: Generic unpacking using entropy analysis. In: 5th International Conference on Malicious and Unwanted Software, MALWARE 2010, Nancy, France, 19–20 October 2010, pp. 98–105. IEEE Computer Society (2010). https://doi.org/10.1109/MALWARE.2010.5665789

20.

Kancherla, K., Donahue, J., Mukkamala, S.: Packer identification using byte plot and markov plot. J. Comput. Virol. Hacking Tech. 12(2), 101–111 (2016). https://doi.org/10.1007/s11416-015-0249-8CrossRef

21.

Křoustek, J., Matula, P., Kolár, D., Zavoral, M.: Advanced preprocessing of binary executable files and its usage in retargetable decompilation. Int. J. Adv. Softw. 7(1), 112–122 (2014)

22.

Lee, W.Y., Saxe, J., Harang, R.: SeqDroid: obfuscated android malware detection using stacked convolutional and recurrent neural networks. In: Alazab, M., Tang, M.J. (eds.) Deep Learning Applications for Cyber Security. ASTSA, pp. 197–210. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-13057-2_9CrossRef

23.

Morgenstern, M., Pilz, H.: Useful and useless statistics about viruses and anti-virus programs. In: Proceedings of the CARO Workshop (2010)

24.

Naval, S., Laxmi, V., Gaur, M.S., Vinod, P.: SPADE: Signature based PAcker DEtection. In: Chandrasekhar, R., Tanenbaum, A.S., Rangan, P.V. (eds.) First International Conference on Security of Internet of Things, SECURIT 2012, Kollam, India, 17–19 August 2012. pp. 96–101. ACM (2012). https://doi.org/10.1145/2490428.2490442

25.

Rolles, R.: Unpacking virtualization obfuscators. In: Proceedings of USENIX WOOT. Montreal, Canada, August 2009

26.

Sun, L., Versteeg, S., Boztaş, S., Yann, T.: Pattern recognition techniques for the classification of malware packers. In: Steinfeld, R., Hawkes, P. (eds.) ACISP 2010. LNCS, vol. 6168, pp. 370–390. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14081-5_23CrossRef

27.

Szor, P.: The Art of Computer Virus Research and Defense. Addison-Wesley, Boston, Massachusetts (2005)

28.

Ugarte-Pedrero, X., Balzarotti, D., Santos, I., Bringas, P.G.: SoK: Deep Packer Inspection: A Longitudinal Study of the Complexity of Run-Time Packers. In: 2015 IEEE Symposium on Security and Privacy, SP 2015, San Jose, CA, USA, 17–21 May 2015, pp. 659–673. IEEE Computer Society (2015). https://doi.org/10.1109/SP.2015.46

29.

Xie, P., Liu, X., Yin, J., Wang, Y.: Absent extreme learning machine algorithm with application to packed executable identification. Neural Comput. Appl. 27(1), 93–100 (2014). https://doi.org/10.1007/s00521-014-1558-4CrossRef

30.

Yan, W., Zhang, Z., Ansari, N.: Revealing packed malware. IEEE Secur. Priv. 6(5), 65–69 (2008). https://doi.org/10.1109/MSP.2008.126CrossRef

Title: Detection of Metamorphic Malware Packers Using Multilayered LSTM Networks
Authors: Erik Bergenholtz
Emiliano Casalicchio
Dragos Ilie
Andrew Moss
Publisher: Springer International Publishing
Book: Information and Communications Security
Print ISBN: 978-3-030-61077-7

Electronic ISBN: 978-3-030-61078-4

Copyright Year: 2020
DOI: https://doi.org/10.1007/978-3-030-61078-4_3

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner