Detection of Metamorphic Malware Packers Using Multilayered LSTM Networks
2020 (English). In: Lecture Notes in Computer Science / [ed] Weizhi Meng, Dieter Gollmann, Christian D. Jensen, and Jianying Zhou, Springer Science and Business Media Deutschland GmbH, 2020, Vol. 12282, p. 36-53
Conference paper, Published paper (Refereed)
Abstract [en]
Malware authors do their best to conceal their malicious software to increase its probability of spreading and to slow down analysis. One method used to conceal malware is packing, in which the original malware is completely hidden through compression or encryption, only to be reconstructed at run-time. In addition, packers can be metamorphic, meaning that the output of the packer will never be exactly the same, even if the same file is packed again. As the use of known off-the-shelf malware packers is declining, it is becoming increasingly important to implement methods of detecting packed executables without having any known samples of a given packer. In this study, we evaluate the use of recurrent neural networks as a means to classify whether or not a file is packed by a metamorphic packer. We show that even with quite simple networks, it is possible to correctly distinguish packed executables from non-packed executables with an accuracy of up to 89.36% when trained on a single packer, even for samples packed by previously unseen packers. Training the network on more packers raises this number to up to 99.69%.
Place, publisher, year, edition, pages
Springer Science and Business Media Deutschland GmbH, 2020. Vol. 12282, p. 36-53
Series
Lecture Notes in Computer Science, ISSN 0302-9743
Keywords [en]
packing, packer detection, security, static analysis, machine learning, deep learning
National Category
Computer Sciences
Identifiers
URN: urn:nbn:se:bth-20107
DOI: 10.1007/978-3-030-61078-4_3
Scopus ID: 2-s2.0-85097650138
ISBN: 9783030610777 (print)
OAI: oai:DiVA.org:bth-20107
DiVA, id: diva2:1504603
Conference
22nd International Conference on Information and Communications Security, ICICS 2020; Online, Copenhagen; Denmark; 24 August 2020 through 26 August 2020
Note
open access
Available from: 2020-11-29 Created: 2020-11-29 Last updated: 2021-01-04 Bibliographically approved