Obfuscation undercover: Unraveling the impact of obfuscation layering on structural code patterns

IF 3.8 2区计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS

Journal of Information Security and Applications Pub Date : 2024-08-16 DOI:10.1016/j.jisa.2024.103850

Sebastian Raubitzek , Sebastian Schrittwieser , Elisabeth Wimmer , Kevin Mallinger

{"title":"Obfuscation undercover: Unraveling the impact of obfuscation layering on structural code patterns","authors":"Sebastian Raubitzek , Sebastian Schrittwieser , Elisabeth Wimmer , Kevin Mallinger","doi":"10.1016/j.jisa.2024.103850","DOIUrl":null,"url":null,"abstract":"<div><p>Malware often uses code obfuscation to evade detection, employing techniques such as packing, virtualization, and data encoding or encryption. Despite widespread application, the impact of combining these techniques in a particular order – so-called obfuscation layering – on code analysis remains poorly understood. This study advances previous research by examining the effects of obfuscation layering on the classification of obfuscation techniques contained in binary code, focusing on how different layering combinations alter structural code patterns. Utilizing a dataset of 85 C programs modified with various combinations of code obfuscation techniques, we analyze the impact of obfuscation layering on structural code metrics such as its control flow complexity. Our study demonstrates that obfuscation layering significantly affects the ability to classify obfuscated code and that the order of applied obfuscations is less significant for classification than previously assumed. Through explainability methodologies our work offers novel insights for malware analysts and researchers to improve their detection strategies.</p></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"85 ","pages":"Article 103850"},"PeriodicalIF":3.8000,"publicationDate":"2024-08-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2214212624001522/pdfft?md5=3de2f994e091baa96e64c5d0c427f0b4&pid=1-s2.0-S2214212624001522-main.pdf","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Information Security and Applications","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S2214212624001522","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Malware often uses code obfuscation to evade detection, employing techniques such as packing, virtualization, and data encoding or encryption. Despite widespread application, the impact of combining these techniques in a particular order – so-called obfuscation layering – on code analysis remains poorly understood. This study advances previous research by examining the effects of obfuscation layering on the classification of obfuscation techniques contained in binary code, focusing on how different layering combinations alter structural code patterns. Utilizing a dataset of 85 C programs modified with various combinations of code obfuscation techniques, we analyze the impact of obfuscation layering on structural code metrics such as its control flow complexity. Our study demonstrates that obfuscation layering significantly affects the ability to classify obfuscated code and that the order of applied obfuscations is less significant for classification than previously assumed. Through explainability methodologies our work offers novel insights for malware analysts and researchers to improve their detection strategies.

查看原文本刊更多论文

卧底混淆揭示混淆分层对结构代码模式的影响

恶意软件经常利用代码混淆来逃避检测，采用的技术包括打包、虚拟化、数据编码或加密。尽管这些技术被广泛应用，但以特定顺序组合这些技术（即所谓的混淆分层）对代码分析的影响仍鲜为人知。本研究通过考察混淆分层对二进制代码中包含的混淆技术分类的影响，重点研究不同的分层组合如何改变代码结构模式，从而推进了之前的研究。利用由 85 个使用不同代码混淆技术组合修改的 C 程序组成的数据集，我们分析了混淆分层对结构代码指标（如控制流复杂性）的影响。我们的研究表明，混淆分层对混淆代码的分类能力有很大影响，而且应用混淆的顺序对分类的影响比以前假设的要小。通过可解释性方法，我们的工作为恶意软件分析师和研究人员改进检测策略提供了新的见解。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Journal of Information Security and Applications Computer Science-Computer Networks and Communications

CiteScore

10.90

自引率

5.40%

发文量

206

审稿时长

56 days

期刊介绍： Journal of Information Security and Applications (JISA) focuses on the original research and practice-driven applications with relevance to information security and applications. JISA provides a common linkage between a vibrant scientific and research community and industry professionals by offering a clear view on modern problems and challenges in information security, as well as identifying promising scientific and "best-practice" solutions. JISA issues offer a balance between original research work and innovative industrial approaches by internationally renowned information security experts and researchers.