Entropy analysis of packing algorithms for malware detection

Material type
Thesis (dissertation)
Personal Author
Munkhbayar, Bat-Erdene
Title Statement
Entropy analysis of packing algorithms for malware detection / Munkhbayar Bat-Erdene
Publication, Distribution, etc
Seoul : Graduate School, Korea University, 2017
Physical Medium
xiv, 95 leaves : charts ; 26 cm
Additional Physical Form Entry
Entropy analysis of packing algorithms for malware detection (DCOLL211009)000000076355
Dissertation Note
Thesis (Ph.D.)-- Korea University Graduate School: Department of Computer and Radio Communications Engineering, August 2017
Department Code
0510 6YD36 333
General Note
Advisor: Lee Heejo (李喜造)
Bibliography, Etc. Note
References: leaves 87-95
Other Available Formats
Also available as a PDF file; requires a PDF file reader (application/pdf)
Uncontrolled Subject Terms
original entry point (OEP); single-layer packing algorithms; re-packing algorithms; multi-layer packing; piecewise aggregate approximation (PAA); symbolic aggregate approximation (SAX); entropy analysis
000 00000nam c2200205 c 4500
001 000045915416
005 20171012171602
007 ta
008 170626s2017 ulkd bmAC 000c eng
040 ▼a 211009 ▼c 211009 ▼d 211009
085 0 ▼a 0510 ▼2 KDCP
090 ▼a 0510 ▼b 6YD36 ▼c 333
100 1 ▼a Munkhbayar, Bat-Erdene
245 1 0 ▼a Entropy analysis of packing algorithms for malware detection / ▼d Munkhbayar Bat-Erdene
246 1 1 ▼a 악성코드 탐지를 위한 패킹 알고리즘의 엔트로피 분석 [Korean title: Entropy analysis of packing algorithms for malware detection]
260 ▼a Seoul : ▼b Graduate School, Korea University, ▼c 2017
300 ▼a xiv, 95 leaves : ▼b charts ; ▼c 26 cm
500 ▼a Advisor: 李喜造 (Lee Heejo)
502 1 ▼a Thesis (Ph.D.)-- ▼b Korea University Graduate School: ▼c Department of Computer and Radio Communications Engineering, ▼d August 2017
504 ▼a References: leaves 87-95
530 ▼a Also available as a PDF file; ▼c Requires a PDF file reader (application/pdf)
653 ▼a original entry point (OEP); single-layer packing algorithms; re-packing algorithms; multi-layer packing; piecewise aggregate approximation (PAA); symbolic aggregate approximation (SAX); entropy analysis
776 0 ▼t Entropy analysis of packing algorithms for malware detection ▼w (DCOLL211009)000000076355
900 1 0 ▼a 뭉흐바야르, 바트-에르데느 [Korean form of Munkhbayar, Bat-Erdene], ▼e
900 1 0 ▼a 이희조 ▼g 李喜造 [Lee Heejo], ▼e advisor
945 ▼a KLPA

Electronic Information

Full text: Entropy analysis of packing algorithms for malware detection (PDF; abstract and table of contents also available online)

Holdings Information

No. 1: Science & Engineering Library / Stacks (Thesis); Call Number 0510 6YD36 333; Accession No. 123056939; Availability: Available

Contents information

Abstract

Packing algorithms are widely used to evade anti-malware systems, and the proportion of packed malware has been growing rapidly.
However, only a few studies over the last two decades have addressed the detection of the various types of packing algorithms in a systematic way.

In this thesis, we propose a method to classify the single-layer packing, re-packing, or multi-layer packing algorithm applied to a given packed executable.
First, we scale the entropy values of a single-layer packed, re-packed, or multi-layer packed executable and convert the entropy values at particular memory locations into symbolic representations.

Our proposed method uses symbolic aggregate approximation (SAX), which is known to be effective for converting large data series.
Second, we classify the distribution of symbols using supervised learning classifiers, namely naive Bayes and support vector machines, to detect packing algorithms.

The results of our experiments on a collection of 324 single-layer packed benign programs and 326 single-layer packed malware programs, covering 19 packing algorithms, demonstrate that our method can identify the single-layer packing algorithm of a given executable with a high accuracy of 95.35%, a recall of 95.83%, and a precision of 94.13%.

We also propose four similarity measures for detecting packing algorithms based on SAX representations of the entropy values and an incremental aggregate analysis.
Among these four metrics, the fidelity similarity measure gives the best matching result, i.e., an accuracy ranging from 95.0% to 99.9%, which is 2 to 13 percentage points higher than that of the other three metrics.

Based on experiments with 2196 programs and 19 packing algorithms, our method achieves a precision of 97.7%, an accuracy of 97.5%, and a recall of 96.8%, confirming that entropy analysis is applicable to identifying re-packing and multi-layer packing algorithms.

Our study confirms that packing algorithms can be identified through an entropy analysis based on a measure of the uncertainty of the running processes, without prior knowledge of the executables.
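The pipeline the abstract describes (block-wise entropy values, scaling, PAA, SAX symbolisation, then a similarity measure between symbol distributions) as an added, self-contained illustration in Python. This is not the thesis author's code: the sample "executables" are constructed byte strings with a low-entropy stub, a random high-entropy packed body and zero padding; the 256-byte block size, 8 PAA segments, 4-letter alphabet, and the definition of "fidelity" as the Bhattacharyya coefficient over symbol frequencies are all assumptions chosen for the example, not parameters taken from the thesis. The SAX breakpoints are the standard Gaussian breakpoints from the SAX literature.

```python
"""Added illustration of the abstract's pipeline (not the thesis author's code):
block-wise Shannon entropy of an executable image -> z-normalisation -> PAA ->
SAX word, plus an ASSUMED 'fidelity' similarity between SAX words.
The images below are constructed byte strings, not real packed binaries."""
import math
import random
import statistics
from collections import Counter

# Standard SAX breakpoints splitting N(0,1) into equiprobable regions.
SAX_BREAKPOINTS = {
    3: [-0.43, 0.43],
    4: [-0.67, 0.00, 0.67],
    5: [-0.84, -0.25, 0.25, 0.84],
}


def shannon_entropy(block: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant block, 8.0 for uniform bytes."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def entropy_series(image: bytes, block_size: int = 256) -> list:
    """Entropy of each fixed-size block in file order (the 'entropy values')."""
    return [shannon_entropy(image[i:i + block_size])
            for i in range(0, len(image), block_size)]


def znormalise(series: list) -> list:
    """Scale to zero mean / unit variance so the SAX breakpoints apply."""
    mean, sd = statistics.fmean(series), statistics.pstdev(series)
    if sd < 1e-9:            # flat series (e.g. all-zero padding): nothing to scale
        return [0.0] * len(series)
    return [(x - mean) / sd for x in series]


def paa(series: list, segments: int) -> list:
    """Piecewise Aggregate Approximation: mean of each of `segments` equal frames."""
    n = len(series)
    assert 0 < segments <= n, "need at least one value per segment"
    return [statistics.fmean(series[s * n // segments:(s + 1) * n // segments])
            for s in range(segments)]


def sax(series: list, segments: int = 8, alphabet: int = 4) -> str:
    """Z-normalise, PAA, then map each frame mean to a letter by breakpoint."""
    bps = SAX_BREAKPOINTS[alphabet]
    letters = "abcdefghijklmnopqrstuvwxyz"[:alphabet]
    return "".join(letters[sum(1 for b in bps if v > b)]
                   for v in paa(znormalise(series), segments))


def fidelity(word_a: str, word_b: str) -> float:
    """ASSUMED definition of the abstract's 'fidelity similarity': the
    Bhattacharyya coefficient sum(sqrt(p_i * q_i)) over the two words'
    symbol-frequency distributions. 1.0 = identical, 0.0 = disjoint symbols."""
    pa, pb = Counter(word_a), Counter(word_b)
    na, nb = len(word_a), len(word_b)
    return sum(math.sqrt((pa[s] / na) * (pb[s] / nb)) for s in set(pa) | set(pb))


def best_match(word: str, references: dict) -> str:
    """Nearest-reference lookup: label whose SAX word has the highest fidelity."""
    return max(references, key=lambda label: fidelity(word, references[label]))


def synthetic_image(seed: int, packed_fraction: float) -> bytes:
    """Constructed stand-in for a packed PE image (64 blocks of 256 bytes):
    a repetitive low-entropy stub, a high-entropy packed body, zero padding."""
    rng = random.Random(seed)
    total, packed = 64 * 256, int(64 * 256 * packed_fraction)
    head_len = (total - packed) // 2
    head = (bytes([0x90, 0x48, 0x8B]) * (head_len // 3 + 1))[:head_len]
    body = bytes(rng.getrandbits(8) for _ in range(packed))
    return head + body + bytes(total - len(head) - len(body))


if __name__ == "__main__":
    refs = {"packer-A (half packed)": sax(entropy_series(synthetic_image(1, 0.5))),
            "packer-B (quarter packed)": sax(entropy_series(synthetic_image(2, 0.25)))}
    for label, word in refs.items():
        print(f"{label:28s} SAX word = {word}")
    unknown = sax(entropy_series(synthetic_image(7, 0.5)))   # same layout, new bytes
    print("unknown sample           SAX word =", unknown,
          "-> best match:", best_match(unknown, refs))
```

The SAX word captures where in the image the entropy is high relative to the rest (here the middle of the half-packed layout reads as a run of `d`), which is what makes it usable as a packer fingerprint without unpacking. The thesis classifies these symbol distributions with naive Bayes and SVMs; the nearest-reference lookup by fidelity above stands in for that step only so the example runs without a learning library, and on a real sample the entropy series would be taken from the mapped PE sections rather than from a constructed byte string.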

Table of Contents

Entropy Analysis of Packing Algorithms for Malware Detection