Packer detection for multi-layer executables using entropy analysis

Munkhbayar Bat-Erdene, Taebeom Kim, Hyundo Park, Heejo Lee

Research output: Contribution to journal › Article › peer-review

20 Citations (Scopus)


Packing algorithms are broadly used to evade anti-malware systems, and the proportion of packed malware has been growing rapidly. However, only a few studies have addressed the detection of various types of packing algorithms in a systematic way. Following this understanding, we elaborate a method to classify the packing algorithm of a given executable into one of three categories: single-layer packing, re-packing, or multi-layer packing. We convert the entropy values of the executable file loaded into memory into symbolic representations using SAX (Symbolic Aggregate Approximation). Based on experiments with 2196 programs and 19 packing algorithms, we find that the precision (97.7%), accuracy (97.5%), and recall (96.8%) of our method are all high, confirming that entropy analysis is applicable to identifying packing algorithms.
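The abstract describes taking entropy values of the executable as loaded in memory and converting them into SAX symbols. The Python below is an added example, not code from the paper: it simulates memory snapshots of a constructed program while one or two packing layers are rewritten in place, computes the Shannon entropy of each snapshot, and reduces the resulting series with standard PAA and SAX (z-normalisation followed by Gaussian breakpoints, as in Lin et al.'s SAX). The snapshot layout, the byte alphabets standing in for packed data and code, the segment count and the alphabet size are all assumptions; the abstract does not give the paper's measurement procedure, window or parameters, nor its classification rule. The example also handles the flat-series edge case, where naive z-normalisation would divide by zero.

```python
"""Entropy-over-time to SAX symbols for a simulated unpacking process.

Added example; not the paper's code. Snapshot layout, alphabets, segment count
and SAX alphabet size are assumptions made for illustration only.
"""
import math
import random
from collections import Counter
from statistics import mean, pstdev

# Standard SAX breakpoints: cut points of N(0,1) that make each symbol equiprobable.
SAX_BREAKPOINTS = {
    3: [-0.43, 0.43],
    4: [-0.67, 0.0, 0.67],
    5: [-0.84, -0.25, 0.25, 0.84],
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def paa(series, segments):
    """Piecewise Aggregate Approximation: the mean of each of `segments` equal-length pieces."""
    n = len(series)
    if segments > n or n % segments:
        raise ValueError("series length must be a positive multiple of the segment count")
    width = n // segments
    return [mean(series[i:i + width]) for i in range(0, n, width)]


def sax(series, segments, alphabet_size=4) -> str:
    """z-normalise, PAA-reduce, then map each mean to a letter; 'a' is the lowest level."""
    breakpoints = SAX_BREAKPOINTS[alphabet_size]
    mu, sigma = mean(series), pstdev(series)
    # Edge case: a flat series (no change between snapshots) has sigma 0, so
    # z-normalising would divide by zero; map every value to the middle symbol instead.
    z = [0.0] * len(series) if sigma < 1e-9 else [(x - mu) / sigma for x in series]
    return "".join(chr(ord("a") + sum(v > b for b in breakpoints)) for v in paa(z, segments))


def non_increasing(symbols: str) -> bool:
    """True when the symbol sequence never rises, i.e. entropy only fell over time."""
    return all(symbols[i] >= symbols[i + 1] for i in range(len(symbols) - 1))


def random_bytes(rng, n, alphabet=None) -> bytes:
    """Uniform bytes over `alphabet`, or over all 256 values when alphabet is None."""
    if alphabet is None:
        return bytes(rng.getrandbits(8) for _ in range(n))
    return bytes(rng.choice(alphabet) for _ in range(n))


def simulate_unpacking(layers, rng, region_size=4096, steps=8):
    """Constructed memory snapshots of a packed program while it unpacks itself.

    `layers` lists the byte alphabet of each successive layer, outermost first
    (None stands for compressed/encrypted data, i.e. uniformly random bytes).
    Each layer is overwritten slice by slice by the next one, yielding `steps`
    snapshots per layer transition; a fixed header and stub are prepended.
    """
    header = b"MZ" + b"\x00" * 254                      # PE-header-like padding, near-zero entropy
    stub_ops = b"\x8b\xec\x83\xc4\x90\xe8\xc3\xff"      # hypothetical 8-opcode unpacking stub
    stub = random_bytes(rng, 768, stub_ops)
    region = random_bytes(rng, region_size, layers[0])
    slice_len = region_size // steps
    snapshots = []
    for alphabet in layers[1:]:
        target = random_bytes(rng, region_size, alphabet)
        for k in range(1, steps + 1):
            region = target[:k * slice_len] + region[k * slice_len:]
            snapshots.append(header + stub + region)
    return snapshots


def entropy_timeline(snapshots):
    """One entropy value per snapshot: the time series that SAX will summarise."""
    return [shannon_entropy(s) for s in snapshots]


CODE = bytes(range(0x40, 0x48))          # hypothetical 8-symbol "unpacked code" alphabet
INTERMEDIATE = bytes(range(0x40, 0x60))  # 32-symbol inner layer; CODE is a subset of it


def demo():
    """SAX strings for a single-layer packer, a two-layer packer and an idle process."""
    rng = random.Random(7)  # fixed seed: constructed data, reproducible run
    single = entropy_timeline(simulate_unpacking([None, CODE], rng))
    multi = entropy_timeline(simulate_unpacking([None, INTERMEDIATE, CODE], rng))
    flat = entropy_timeline([b"\x00" * 1024] * 8)
    return {
        "single_layer": sax(single, 8),
        "multi_layer": sax(multi, 8),
        "no_change": sax(flat, 8),
    }


if __name__ == "__main__":
    for name, symbols in demo().items():
        print(f"{name:13s} {symbols}")
```

Both unpacking runs produce strings that start at the highest symbol and fall to the lowest, while the idle process maps to a constant middle symbol rather than crashing on a zero standard deviation. Because SAX z-normalises, it captures the shape of the entropy curve, not its absolute level; a classifier such as the paper's would therefore work from the symbol pattern over time rather than from a single entropy threshold.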

Original language: English
Article number: 125
Issue number: 3
Publication status: Published - 2017 Mar 16

Bibliographical note

Publisher Copyright:
© 2017 by the authors.


  • Entropy analysis
  • Multi-layer packing
  • Original entry point (OEP)
  • Piecewise aggregate approximation (PAA)
  • Re-packing algorithms
  • Symbolic aggregate approximation (SAX)

ASJC Scopus subject areas

  • Information Systems
  • Mathematical Physics
  • Physics and Astronomy (miscellaneous)
  • Electrical and Electronic Engineering


