打包和编码文件分类的信息理论方法

Proceedings of the 8th International Conference on Security of Information and Networks Pub Date : 2015-09-08 DOI:10.1145/2799979.2800015

Jithu Raphel, P. Vinod

{"title":"打包和编码文件分类的信息理论方法","authors":"Jithu Raphel, P. Vinod","doi":"10.1145/2799979.2800015","DOIUrl":null,"url":null,"abstract":"Malware authors make use of some anti-reverse engineering and obfuscation techniques like packing and encoding in-order to conceal their malicious payload. These techniques succeeded in evading the traditional signature based AV scanners. Packed or encoded malware samples are difficult to be analysed directly by the AV scanners. So, such samples must be initially unpacked or decoded for efficient analysis of the malicious code. This paper illustrates a static information theoretic method for the classification of packed and encoded files. The proposed method extracts fragments of fixed size from the files and calculates the entropy scores of the fragments. These entropy scores are then used for computing the Similarity Distance Matrix for fragments in a file-pair. The proposed system classifies all the encoded and packed samples properly, thereby obtaining improved detection. The proposed system is also capable of differentiating the type of packers used for the packing or encoding process.","PeriodicalId":293190,"journal":{"name":"Proceedings of the 8th International Conference on Security of Information and Networks","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2015-09-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"14","resultStr":"{\"title\":\"Information theoretic method for classification of packed and encoded files\",\"authors\":\"Jithu Raphel, P. Vinod\",\"doi\":\"10.1145/2799979.2800015\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Malware authors make use of some anti-reverse engineering and obfuscation techniques like packing and encoding in-order to conceal their malicious payload. These techniques succeeded in evading the traditional signature based AV scanners. Packed or encoded malware samples are difficult to be analysed directly by the AV scanners. So, such samples must be initially unpacked or decoded for efficient analysis of the malicious code. This paper illustrates a static information theoretic method for the classification of packed and encoded files. The proposed method extracts fragments of fixed size from the files and calculates the entropy scores of the fragments. These entropy scores are then used for computing the Similarity Distance Matrix for fragments in a file-pair. The proposed system classifies all the encoded and packed samples properly, thereby obtaining improved detection. The proposed system is also capable of differentiating the type of packers used for the packing or encoding process.\",\"PeriodicalId\":293190,\"journal\":{\"name\":\"Proceedings of the 8th International Conference on Security of Information and Networks\",\"volume\":null,\"pages\":null},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2015-09-08\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"14\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Proceedings of the 8th International Conference on Security of Information and Networks\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/2799979.2800015\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 8th International Conference on Security of Information and Networks","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2799979.2800015","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 14

摘要

恶意软件作者利用一些反逆向工程和混淆技术，如打包和编码，以隐藏他们的恶意负载。这些技术成功地避开了传统的基于签名的反病毒扫描器。打包或编码的恶意软件样本很难被反病毒扫描器直接分析。因此，为了有效地分析恶意代码，这些样本必须首先解压缩或解码。本文阐述了一种静态信息论方法对压缩和编码文件进行分类。该方法从文件中提取固定大小的碎片，并计算碎片的熵值。这些熵分数然后用于计算文件对中片段的相似距离矩阵。该系统对所有编码和包装的样本进行了正确的分类，从而提高了检测效率。所提出的系统还能够区分用于包装或编码过程的包装器的类型。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Information theoretic method for classification of packed and encoded files

Malware authors make use of some anti-reverse engineering and obfuscation techniques like packing and encoding in-order to conceal their malicious payload. These techniques succeeded in evading the traditional signature based AV scanners. Packed or encoded malware samples are difficult to be analysed directly by the AV scanners. So, such samples must be initially unpacked or decoded for efficient analysis of the malicious code. This paper illustrates a static information theoretic method for the classification of packed and encoded files. The proposed method extracts fragments of fixed size from the files and calculates the entropy scores of the fragments. These entropy scores are then used for computing the Similarity Distance Matrix for fragments in a file-pair. The proposed system classifies all the encoded and packed samples properly, thereby obtaining improved detection. The proposed system is also capable of differentiating the type of packers used for the packing or encoding process.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Proceedings of the 8th International Conference on Security of Information and Networks

自引率

0.00%

发文量