2-SPIFF: a 2-stage packer identification method based on function call graph and file attributes

Applied Intelligence

Abstract

Most malware employs packing technology to escape detection; thus, packer identification has become increasingly important in malware detection. To improve the accuracy of packer identification, this article analyses the differences in the function call graph (FCG) and file attributes between non-packed executable files and executable files packed by different packers, and further proposes a 2-stage packer identification method based on FCG and file attributes (2-SPIFF). In 2-SPIFF, the detection model of stage I distinguishes non-packed executable files from packed executable files based on the graph features extracted from the FCG, while the identification model of stage II identifies the packer used to pack the original executable file by using the concatenated features extracted from the FCG and file attributes. The experimental results show that 2-SPIFF achieves an accuracy of 99.80% for packer detection and an accuracy of 98.49% for packer identification.
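As an added illustration (not the paper's code) of the two-stage layout the abstract describes: stage I classifies packed versus non-packed on graph features extracted from the FCG, and stage II, run only on files flagged as packed, names the packer from graph features concatenated with file attributes. The feature set, the nearest-centroid classifier, the attribute field names, and the synthetic FCGs and training samples are all assumptions; the paper's own features and models are not on this page.

```python
from collections import Counter
def fcg_features(fcg):  # graph features of an FCG {caller: [callees]}; assumed set, not the paper's
    nodes = set(fcg) | {c for cs in fcg.values() for c in cs}
    n, edges = len(nodes), sum(len(set(cs)) for cs in fcg.values())
    called = Counter(c for cs in fcg.values() for c in cs)
    leaves = sum(1 for f in nodes if not fcg.get(f))   # functions that call nothing
    roots = sum(1 for f in nodes if called[f] == 0)    # functions nobody calls
    density = edges / (n * (n - 1)) if n > 1 else 0.0
    return [n, edges, density, leaves / n, roots / n]

def file_features(attrs):  # file attributes (hypothetical field names) as a numeric vector
    return [attrs["entropy"], attrs["imports"], attrs["sections"]]
class NearestCentroid:  # z-scored nearest-centroid classifier standing in for the paper's learned models
    def fit(self, X, y):
        d, m = len(X[0]), len(X)
        self.mu = [sum(x[i] for x in X) / m for i in range(d)]
        self.sd = [max(1e-9, (sum((x[i] - self.mu[i]) ** 2 for x in X) / m) ** 0.5) for i in range(d)]
        self.cent = {lab: [sum(c) / len(c) for c in zip(*[self._z(x) for x, l in zip(X, y) if l == lab])]
                     for lab in set(y)}
        return self
    def _z(self, x):
        return [(v - mu) / sd for v, mu, sd in zip(x, self.mu, self.sd)]
    def predict(self, x):
        z = self._z(x)
        return min(self.cent, key=lambda lab: sum((a - b) ** 2 for a, b in zip(z, self.cent[lab])))

class TwoStagePackerId:
    """Stage I: packed or not, from graph features only; stage II (packed files only): which packer."""
    def fit(self, samples):   # samples: (fcg, attrs, label); label "none" marks a non-packed file
        g = [fcg_features(f) for f, _, _ in samples]
        self.stage1 = NearestCentroid().fit(g, [lab != "none" for _, _, lab in samples])
        packed = [(gi + file_features(a), lab) for gi, (_, a, lab) in zip(g, samples) if lab != "none"]
        self.stage2 = NearestCentroid().fit([x for x, _ in packed], [lab for _, lab in packed])
        return self
    def predict(self, fcg, attrs):
        g = fcg_features(fcg)
        if not self.stage1.predict(g): return "none"   # stage I says non-packed; stage II is never consulted
        return self.stage2.predict(g + file_features(attrs))
def synthetic_fcg(n, fan):   # constructed FCG: function i calls the next `fan` functions
    return {f"f{i}": [f"f{j}" for j in range(i + 1, min(n, i + 1 + fan))] for i in range(n)}

SAMPLES = [  # constructed training data: a packer stub leaves a small, dense FCG with few imports
    (synthetic_fcg(120, 3), {"entropy": 6.1, "imports": 90, "sections": 5}, "none"),
    (synthetic_fcg(80, 2), {"entropy": 5.9, "imports": 60, "sections": 4}, "none"),
    (synthetic_fcg(6, 1), {"entropy": 7.9, "imports": 4, "sections": 3}, "UPX"),
    (synthetic_fcg(5, 1), {"entropy": 7.8, "imports": 3, "sections": 3}, "UPX"),
    (synthetic_fcg(14, 2), {"entropy": 7.5, "imports": 12, "sections": 8}, "ASPack"),
    (synthetic_fcg(12, 2), {"entropy": 7.4, "imports": 10, "sections": 7}, "ASPack"),
]
```

Because stage II is trained and evaluated only on packed samples, a stage I miss (a packed file called non-packed) is never seen by the identifier, which is why the two accuracies in the abstract are reported separately.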

Acknowledgements

The authors thank the anonymous referees for their valuable comments and suggestions, which improved the technical content and the presentation of the article. This work is supported by the National Natural Science Foundation of China under Grant 62062022, the Science and Technology Foundation of Guizhou Province No. [2017]1051, the Program for Science & Technology Innovation Talents in Universities of He’nan Province under Grant No. 18HASTIT022, and the Key Technologies R & D Program of He’nan Province under Grant No. 212102210084.

Corresponding author

Correspondence to Chun Guo.

Cite this article

Liu, H., Guo, C., Cui, Y. et al. 2-SPIFF: a 2-stage packer identification method based on function call graph and file attributes. Appl Intell 51, 9038–9053 (2021). https://doi.org/10.1007/s10489-021-02347-w
