Packed PE file detection for malware forensics

Seungwon Han; Keungi Lee; Sangjin Lee

doi:10.1109/CSA.2009.5404211

Packed PE file detection for malware forensics

Seungwon Han, Keungi Lee, Sangjin Lee

School of Cybersecurity

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

11 Citations (Scopus)

Abstract

In malware accident investigation, the most important thing is detection of malicious code. Signature based anti-virus software have been used in most of the accident. Malware can easily avoid signature based detection by using packing or encryption method. Because of this, packed file detection is also important. Detection methods can be divided into signature based detection and entropy based detection. Signature based detection can not detect new packing. And entropy based detection has a problem with false positive. We provides detection method using entropy statistics of the entry point section and 'write' properties of essential characteristic of packed file. And then, we show packing detection tool and evaluate its performance.

Original language	English
Title of host publication	Proceedings of the 2009 2nd International Conference on Computer Science and Its Applications, CSA 2009
DOIs	https://doi.org/10.1109/CSA.2009.5404211
Publication status	Published - 2009
Event	2009 2nd International Conference on Computer Science and Its Applications, CSA 2009 - Jeju Island, Korea, Republic of Duration: 2009 Dec 10 → 2009 Dec 12

Publication series

Name	Proceedings of the 2009 2nd International Conference on Computer Science and Its Applications, CSA 2009

Other

Other	2009 2nd International Conference on Computer Science and Its Applications, CSA 2009
Country/Territory	Korea, Republic of
City	Jeju Island
Period	09/12/10 → 09/12/12

Keywords

Component
Entropy
Malware forensics
PE file analysis
Packing detection

ASJC Scopus subject areas

Computational Theory and Mathematics
Computer Science Applications

Access to Document

10.1109/CSA.2009.5404211

Cite this

Packed PE file detection for malware forensics. / Han, Seungwon; Lee, Keungi; Lee, Sangjin.
Proceedings of the 2009 2nd International Conference on Computer Science and Its Applications, CSA 2009. 2009. 5404211 (Proceedings of the 2009 2nd International Conference on Computer Science and Its Applications, CSA 2009).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Han, S, Lee, K & Lee, S 2009, Packed PE file detection for malware forensics. in Proceedings of the 2009 2nd International Conference on Computer Science and Its Applications, CSA 2009., 5404211, Proceedings of the 2009 2nd International Conference on Computer Science and Its Applications, CSA 2009, 2009 2nd International Conference on Computer Science and Its Applications, CSA 2009, Jeju Island, Korea, Republic of, 09/12/10. https://doi.org/10.1109/CSA.2009.5404211

@inproceedings{4ba02ae82941499e9d8e2e88c1f381d3,

title = "Packed PE file detection for malware forensics",

abstract = "In malware accident investigation, the most important thing is detection of malicious code. Signature based anti-virus software have been used in most of the accident. Malware can easily avoid signature based detection by using packing or encryption method. Because of this, packed file detection is also important. Detection methods can be divided into signature based detection and entropy based detection. Signature based detection can not detect new packing. And entropy based detection has a problem with false positive. We provides detection method using entropy statistics of the entry point section and 'write' properties of essential characteristic of packed file. And then, we show packing detection tool and evaluate its performance.",

keywords = "Component, Entropy, Malware forensics, PE file analysis, Packing detection",

author = "Seungwon Han and Keungi Lee and Sangjin Lee",

year = "2009",

doi = "10.1109/CSA.2009.5404211",

language = "English",

isbn = "9781424449460",

series = "Proceedings of the 2009 2nd International Conference on Computer Science and Its Applications, CSA 2009",

booktitle = "Proceedings of the 2009 2nd International Conference on Computer Science and Its Applications, CSA 2009",

note = "2009 2nd International Conference on Computer Science and Its Applications, CSA 2009 ; Conference date: 10-12-2009 Through 12-12-2009",

}

TY - GEN

T1 - Packed PE file detection for malware forensics

AU - Han, Seungwon

AU - Lee, Keungi

AU - Lee, Sangjin

PY - 2009

Y1 - 2009

N2 - In malware accident investigation, the most important thing is detection of malicious code. Signature based anti-virus software have been used in most of the accident. Malware can easily avoid signature based detection by using packing or encryption method. Because of this, packed file detection is also important. Detection methods can be divided into signature based detection and entropy based detection. Signature based detection can not detect new packing. And entropy based detection has a problem with false positive. We provides detection method using entropy statistics of the entry point section and 'write' properties of essential characteristic of packed file. And then, we show packing detection tool and evaluate its performance.

AB - In malware accident investigation, the most important thing is detection of malicious code. Signature based anti-virus software have been used in most of the accident. Malware can easily avoid signature based detection by using packing or encryption method. Because of this, packed file detection is also important. Detection methods can be divided into signature based detection and entropy based detection. Signature based detection can not detect new packing. And entropy based detection has a problem with false positive. We provides detection method using entropy statistics of the entry point section and 'write' properties of essential characteristic of packed file. And then, we show packing detection tool and evaluate its performance.

KW - Component

KW - Entropy

KW - Malware forensics

KW - PE file analysis

KW - Packing detection

UR - http://www.scopus.com/inward/record.url?scp=80655148024&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=80655148024&partnerID=8YFLogxK

U2 - 10.1109/CSA.2009.5404211

DO - 10.1109/CSA.2009.5404211

M3 - Conference contribution

AN - SCOPUS:80655148024

SN - 9781424449460

T3 - Proceedings of the 2009 2nd International Conference on Computer Science and Its Applications, CSA 2009

BT - Proceedings of the 2009 2nd International Conference on Computer Science and Its Applications, CSA 2009

T2 - 2009 2nd International Conference on Computer Science and Its Applications, CSA 2009

Y2 - 10 December 2009 through 12 December 2009

ER -

Packed PE file detection for malware forensics

Abstract

Publication series

Other

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this