Intra-procedural Path-insensitive Grams (I-GRAMS) and Disassembly Based Features for Packer Tool Classification and Detection

Abstract

The DoD relies on over seven million computing devices worldwide to accomplish a wide range of goals and missions. Malicious software, or malware, jeopardizes these goals and missions. However, determining whether an arbitrary software executable is malicious can be difficult. Obfuscation tools, called packers, are often used to hide the malicious intent of malware from anti-virus programs. Therefore, detecting whether or not an arbitrary executable file is packed is a critical step in software security. This research uses machine learning methods to build a system, the Polymorphic and Non-Polymorphic Packer Detection (PNPD) system, that detects whether an executable is packed, using both sequences of instructions, called i-grams, and disassembly information as features for machine learning. Both i-grams and disassembly features successfully detect packed executables, with top configurations achieving average accuracies above 99.5%, average true positive rates above 0.977, and average false positive rates below 1.6e-3 when detecting polymorphic packers.

Document Details

Document Type
Technical Report
Publication Date
Jun 14, 2012
Accession Number
ADA563230

Entities

People

  • Scott E. Gerics

Organizations

  • Air Force Institute of Technology

Tags

Communities of Interest

  • Cyber

DTIC Thesaurus Topics

  • Air Force
  • Anti-Virus Software
  • Computer Programming
  • Computers
  • Computing Devices
  • Data Mining
  • Department Of Defense
  • Detection
  • Engineering
  • Feature Extraction
  • Governments
  • Information Science
  • Machine Learning
  • Malware
  • Operating Systems
  • Supervised Machine Learning
  • United States Government

Fields of Study

  • Computer science

Readers

  • Cybersecurity
  • Materials Science
  • Software Engineering

Technology Areas

  • AI & ML
  • Cyber