A method for packed (and unpacked) malware detection by means of convolutional neural networks / Ciaramella, Giovanni; Martinelli, Fabio; Santone, Antonella; Mercaldo, Francesco. - 1:(2025), pp. 557-564. (SECRYPT 2025 - 22nd International Conference on Security and Cryptography, Bilbao, Spain, 11-13/06/2025) [10.5220/0013210400003979].
A method for packed (and unpacked) malware detection by means of convolutional neural networks
Ciaramella Giovanni;
2025
Abstract
The current signature-based mechanism implemented by free and commercial antimalware requires the signature of the malicious sample to be present in order to provide protection, i.e., to detect malicious behavior. This is why malware writers are developing techniques that change the syntax of the code but leave its semantics, i.e., the malware business logic, unchanged. Among these techniques is so-called packed malware, i.e., malware whose binary code has been modified by a packer: software that compresses an executable and packages it with a stub, a small program that decompresses the original code and executes it in memory. In this way, malware that antimalware detects in its original form goes undetected in its packed version. In this paper, we propose a technique to detect packed malware using convolutional neural networks. In a nutshell, the proposed method performs static analysis, i.e., it does not require running the application to detect malicious samples: the application's binary code is used to generate an image, which is the input for a set of deep learning classifiers. The classifiers aim to classify an application under analysis as either trusted or (packed) malicious. In the experimental analysis, we consider three different packers (i.e., mpress, BEP, and gzexe) to generate packed malware, demonstrating the ability of the proposed method to detect both packed and unpacked malware with promising performance.

| File | Size | Format |
|---|---|---|
| 132104.pdf (open access). Description: A Method for Packed (and Unpacked) Malware Detection by Means of Convolutional Neural Networks. Type: Publisher's version (PDF). License: Creative Commons | 413.4 kB | Adobe PDF |
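The abstract's first step, turning an executable's raw bytes into an image that a classifier can consume, is illustrated below. This is an added example, not code from the paper or its authors: the record does not say how the paper builds its images, so the byte-per-pixel layout, the width-by-file-size table (the convention of Nataraj et al.'s "Malware Images" work) and the PGM output are assumptions. The two input blobs are constructed; the zlib-compressed one stands in for the kind of compressed section a packer such as gzexe produces, so the two images can be compared side by side.

```python
"""Convert an executable's raw bytes into a grayscale image matrix.

Added example, not the paper's code. Each byte becomes one pixel (0-255),
rows are `width` pixels wide, and the final row is zero-padded so the image
is rectangular. The width table is an assumption (Nataraj et al. convention).
"""
import zlib
from typing import List, Optional

# Image width as a function of file size (assumed convention; the paper
# may use a different mapping).
_WIDTH_TABLE = [
    (10 * 1024, 32),
    (30 * 1024, 64),
    (60 * 1024, 128),
    (100 * 1024, 256),
    (200 * 1024, 384),
    (500 * 1024, 512),
    (1000 * 1024, 768),
]


def choose_width(size: int) -> int:
    """Pick the image width for a file of `size` bytes."""
    for limit, width in _WIDTH_TABLE:
        if size < limit:
            return width
    return 1024


def bytes_to_grayscale(data: bytes, width: Optional[int] = None) -> List[List[int]]:
    """Return the image as a list of rows; one pixel per input byte."""
    if not data:
        raise ValueError("empty input")
    width = width or choose_width(len(data))
    # Zero-pad the tail so every row has exactly `width` pixels.
    padded = data + bytes(-len(data) % width)
    return [list(padded[i:i + width]) for i in range(0, len(padded), width)]


def to_pgm(rows: List[List[int]]) -> bytes:
    """Serialise the matrix as a binary PGM (P5) file, readable by any
    image library that a CNN pipeline would load from."""
    height, width = len(rows), len(rows[0])
    header = f"P5\n{width} {height}\n255\n".encode()
    return header + bytes(v for row in rows for v in row)


# Constructed stand-in for an executable: a recognisable two-byte header
# followed by repetitive, code-like bytes. The second blob is the same
# payload compressed with zlib, emulating a packer's compressed section.
SAMPLE_PLAIN = b"MZ" + bytes(range(256)) * 40
SAMPLE_PACKED = b"MZ" + zlib.compress(SAMPLE_PLAIN[2:], 9)


def image_shape(data: bytes) -> tuple:
    """(width, height) of the image that `data` would produce."""
    img = bytes_to_grayscale(data)
    return len(img[0]), len(img)


if __name__ == "__main__":
    for name, blob in (("plain", SAMPLE_PLAIN), ("packed", SAMPLE_PACKED)):
        img = bytes_to_grayscale(blob)
        with open(f"{name}.pgm", "wb") as fh:
            fh.write(to_pgm(img))
        print(f"{name}: {len(blob)} bytes -> {len(img[0])}x{len(img)} image")
```

Run stand-alone it writes `plain.pgm` and `packed.pgm`; the plain image shows the regular gradient stripes of the repeated byte pattern, while the compressed one is a small block of noise-like pixels, which is the visual difference a classifier trained on such images learns to pick up.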
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

