Document Type
Conference Document
Date
10-2014
Keywords
malware detection
Language
English
Disciplines
Other Computer Engineering
Description/Abstract
Every day thousands of malware samples are released online. The vast majority of them employ some kind of obfuscation, ranging from simple XOR encryption to more sophisticated anti-analysis, packing and encryption techniques. Dynamic analysis methods can unpack such a file and reveal its hidden code, but they are very time-consuming compared to static analysis. Moreover, given the large amount of new malware produced daily, it is not practical to depend solely on dynamic analysis. Therefore, an effective way to filter samples and delegate only obfuscated and suspicious ones to more rigorous tests would significantly improve the overall scanning process. Current techniques for identifying obfuscation rely mainly on signatures of known packers, file entropy scores, or anomalies in the file header. These features are not only easily bypassable but also do not cover all types of obfuscation. In this paper, we introduce a novel approach to identifying obfuscated files based on anomalies in their instruction-based characteristics. We detect the presence of interleaving instructions, which result from the opaque predicate anti-disassembly trick, and present distinguishing statistical properties based on the opcodes and control flow graphs of obfuscated files. Our detection system combines these features with other file structural features and achieves very good results in detecting obfuscated malware.
Recommended Citation
Saleh, Moustafa; Ratazzi, E. Paul; Xu, Shouhuai, "Instructions-Based Detection of Sophisticated Obfuscation and Packing," 2014 IEEE Military Communications Conference (MILCOM), pp. 1-6, 6-8 Oct. 2014, doi: 10.1109/MILCOM.2014.9. Keywords: Electronic mail; Encryption; Entropy; Feature extraction; Malware; Reverse engineering. URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6956729&isnumber=6956719
Source
Submission updated 12/9/15
Additional Information
Published in: 2014 IEEE Military Communications Conference (MILCOM), 6-8 Oct 2014