{"title":"基于元数据签名的封隔器识别","authors":"Nguyen Minh Hai, Mizuhito Ogawa, Q. T. Tho","doi":"10.1145/3151137.3160687","DOIUrl":null,"url":null,"abstract":"Malware applies lots of obfuscation techniques, which are often automatically generated by the use of packers. This paper presents a packer identification of packed code based on metadata signature, which is a frequency vector of occurrences of classified obfuscation techniques. First, BE-PUM (Binary Emulator for PUshdown Model generation) disassembles and generates the control flow graph of malware in an on-the-fly manner, using concolic testing. Second, obfuscation techniques in the generated control flow graph are detected based on the formal criteria of each obfuscation technique. Last, the used packer is identified with the chisquare test on the metadata signature of a packed code. The precision is evaluated with experiments on 12814 malware from VX heaven and Virusshare, in which 608 examples are detected inconsistent with commercial packer identification at PEiD, CFF Explore, and VirusTotal. We manually confirm that, except for 1 example, BE-PUM is correct. The only case that BE-PUM misunderstands is between MEW and FSG, which are quite similar packers and current BE-PUM extension does not support MEW.","PeriodicalId":68286,"journal":{"name":"中国安防产品信息","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2017-12-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"10","resultStr":"{\"title\":\"Packer identification based on metadata signature\",\"authors\":\"Nguyen Minh Hai, Mizuhito Ogawa, Q. T. Tho\",\"doi\":\"10.1145/3151137.3160687\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Malware applies lots of obfuscation techniques, which are often automatically generated by the use of packers. This paper presents a packer identification of packed code based on metadata signature, which is a frequency vector of occurrences of classified obfuscation techniques. First, BE-PUM (Binary Emulator for PUshdown Model generation) disassembles and generates the control flow graph of malware in an on-the-fly manner, using concolic testing. Second, obfuscation techniques in the generated control flow graph are detected based on the formal criteria of each obfuscation technique. Last, the used packer is identified with the chisquare test on the metadata signature of a packed code. The precision is evaluated with experiments on 12814 malware from VX heaven and Virusshare, in which 608 examples are detected inconsistent with commercial packer identification at PEiD, CFF Explore, and VirusTotal. We manually confirm that, except for 1 example, BE-PUM is correct. The only case that BE-PUM misunderstands is between MEW and FSG, which are quite similar packers and current BE-PUM extension does not support MEW.\",\"PeriodicalId\":68286,\"journal\":{\"name\":\"中国安防产品信息\",\"volume\":null,\"pages\":null},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2017-12-05\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"10\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"中国安防产品信息\",\"FirstCategoryId\":\"96\",\"ListUrlMain\":\"https://doi.org/10.1145/3151137.3160687\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"中国安防产品信息","FirstCategoryId":"96","ListUrlMain":"https://doi.org/10.1145/3151137.3160687","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 10
摘要
恶意软件应用了许多混淆技术,这些技术通常是由使用打包程序自动生成的。本文提出了一种基于元数据签名的打包代码的打包识别方法,元数据签名是分类混淆技术出现的频率向量。首先,BE-PUM (Binary Emulator for PUshdown Model generation,下推模型生成二进制仿真器)利用集合测试,以动态方式对恶意软件的控制流图进行反汇编和生成。其次,根据每种混淆技术的形式化标准检测生成的控制流图中的混淆技术。最后,对打包代码的元数据签名进行chisquare测试,对所使用的封隔器进行识别。通过对来自VX天堂和Virusshare的12814个恶意软件进行实验来评估精度,其中检测到608个示例与PEiD, CFF Explore和VirusTotal的商业封隔器识别不一致。我们手工确认,除了1个例子外,BE-PUM都是正确的。BE-PUM误解的唯一情况是在MEW和FSG之间,它们是非常相似的包装器,并且当前的BE-PUM扩展不支持MEW。
Malware applies lots of obfuscation techniques, which are often automatically generated by the use of packers. This paper presents a packer identification of packed code based on metadata signature, which is a frequency vector of occurrences of classified obfuscation techniques. First, BE-PUM (Binary Emulator for PUshdown Model generation) disassembles and generates the control flow graph of malware in an on-the-fly manner, using concolic testing. Second, obfuscation techniques in the generated control flow graph are detected based on the formal criteria of each obfuscation technique. Last, the used packer is identified with the chisquare test on the metadata signature of a packed code. The precision is evaluated with experiments on 12814 malware from VX heaven and Virusshare, in which 608 examples are detected inconsistent with commercial packer identification at PEiD, CFF Explore, and VirusTotal. We manually confirm that, except for 1 example, BE-PUM is correct. The only case that BE-PUM misunderstands is between MEW and FSG, which are quite similar packers and current BE-PUM extension does not support MEW.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
