Malware authors do their best to conceal their malicious software to increase its probability of spreading and to slow down analysis. One method used to conceal malware is packing, in which the original malware is completely hidden through compression or encryption, only to be reconstructed at run-time. In addition, packers can be metamorphic, meaning that the output of the packer will never be exactly the same, even if the same file is packed again. As the use of known off-the-shelf malware packers is declining, it is becoming increasingly important to implement methods of detecting packed executables without having any known samples of a given packer. In this study, we evaluate the use of recurrent neural networks as a means to classify whether or not a file is packed by a metamorphic packer. We show that even with quite simple networks, it is possible to correctly distinguish packed executables from non-packed executables with an accuracy of up to 89.36% when trained on a single packer, even for samples packed by previously unseen packers. Training the network on more packers raises this number to up to 99.69%.

Detection of Metamorphic Malware Packers Using Multilayered LSTM Networks / Bergenholtz, Erik; Casalicchio, Emiliano; Ilie, Dragos; Moss, Andrew. - 12282:(2020), pp. 36-53. (Paper presented at the conference ICICS 2020: Information and Communications Security, held in Copenhagen, Denmark) [10.1007/978-3-030-61078-4_3].

Detection of Metamorphic Malware Packers Using Multilayered LSTM Networks

Emiliano Casalicchio (second author; Writing – Original Draft Preparation)
2020

2020
ICICS 2020: Information and Communications Security
Keywords: Packing, Packer detection, Security, Static analysis, Machine learning, Deep learning
04 Publication in conference proceedings::04b Conference paper in a volume
Files attached to this item
There are no files associated with this item.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/11573/1571863
Warning: the data displayed has not been validated by the university.
