Entropy analysis to classify unknown packing algorithms for malware detection
DC Field | Value | Language |
---|---|---|
dc.contributor.author | Bat-Erdene, Munkhbayar | - |
dc.contributor.author | Park, Hyundo | - |
dc.contributor.author | Li, Hongzhe | - |
dc.contributor.author | Lee, Heejo | - |
dc.contributor.author | Choi, Mahn-Soo | - |
dc.date.accessioned | 2021-09-03T05:32:20Z | - |
dc.date.available | 2021-09-03T05:32:20Z | - |
dc.date.created | 2021-06-16 | - |
dc.date.issued | 2017-06 | - |
dc.identifier.issn | 1615-5262 | - |
dc.identifier.uri | https://scholar.korea.ac.kr/handle/2021.sw.korea/83267 | - |
dc.description.abstract | The proportion of packed malware has been growing rapidly and now comprises more than 80 % of all existing malware. In this paper, we propose a method for classifying the packing algorithms of given unknown packed executables, regardless of whether they are malware or benign programs. First, we scale the entropy values of a given executable and convert the entropy values of a particular location of memory into symbolic representations. Our proposed method uses symbolic aggregate approximation (SAX), which is known to be effective for large data conversions. Second, we classify the distribution of symbols using supervised learning classification methods, i.e., naive Bayes and support vector machines for detecting packing algorithms. The results of our experiments involving a collection of 324 packed benign programs and 326 packed malware programs with 19 packing algorithms demonstrate that our method can identify packing algorithms of given executables with a high accuracy of 95.35 %, a recall of 95.83 %, and a precision of 94.13 %. We propose four similarity measurements for detecting packing algorithms based on SAX representations of the entropy values and an incremental aggregate analysis. Among these four metrics, the fidelity similarity measurement demonstrates the best matching result, i.e., a rate of accuracy ranging from 95.0 to 99.9 %, which is from 2 to 13 higher than that of the other three metrics. Our study confirms that packing algorithms can be identified through an entropy analysis based on a measure of the uncertainty of the running processes and without prior knowledge of the executables. | - |
dc.language | English | - |
dc.language.iso | en | - |
dc.publisher | SPRINGER | - |
dc.subject | APPROXIMATE ENTROPY | - |
dc.title | Entropy analysis to classify unknown packing algorithms for malware detection | - |
dc.type | Article | - |
dc.contributor.affiliatedAuthor | Lee, Heejo | - |
dc.contributor.affiliatedAuthor | Choi, Mahn-Soo | - |
dc.identifier.doi | 10.1007/s10207-016-0330-4 | - |
dc.identifier.scopusid | 2-s2.0-85027987515 | - |
dc.identifier.wosid | 000401126500001 | - |
dc.identifier.bibliographicCitation | INTERNATIONAL JOURNAL OF INFORMATION SECURITY, v.16, no.3, pp.227 - 248 | - |
dc.relation.isPartOf | INTERNATIONAL JOURNAL OF INFORMATION SECURITY | - |
dc.citation.title | INTERNATIONAL JOURNAL OF INFORMATION SECURITY | - |
dc.citation.volume | 16 | - |
dc.citation.number | 3 | - |
dc.citation.startPage | 227 | - |
dc.citation.endPage | 248 | - |
dc.type.rims | ART | - |
dc.type.docType | Article | - |
dc.description.journalClass | 1 | - |
dc.description.journalRegisteredClass | scie | - |
dc.description.journalRegisteredClass | scopus | - |
dc.relation.journalResearchArea | Computer Science | - |
dc.relation.journalWebOfScienceCategory | Computer Science, Information Systems | - |
dc.relation.journalWebOfScienceCategory | Computer Science, Software Engineering | - |
dc.relation.journalWebOfScienceCategory | Computer Science, Theory & Methods | - |
dc.subject.keywordPlus | APPROXIMATE ENTROPY | - |
dc.subject.keywordAuthor | Entropy analysis | - |
dc.subject.keywordAuthor | Original entry point (OEP) | - |
dc.subject.keywordAuthor | Symbolic aggregate approximation (SAX) | - |
dc.subject.keywordAuthor | Piecewise aggregate approximation (PAA) | - |