An Efficient Multi-Step Framework for Malware Packing Identification

Abstract

Abstract Packing is a disruptive factor in the field of cybersecurity, as it obstructs the analysis of packed malware and prolongs the lifespan of malware samples. Malware equipped with anti-analysis technologies evades antivirus software and analysis tools. Therefore, detecting and analyzing packed malware is a technically challenging and resource-intensive task. The situation becomes even worse when malware classifiers are trained on the characteristics of packers instead of malware itself. Training models with numerous inadequate data inadvertently renders them impractical for classifying actual malware. Therefore, researchers should consider packetizing to construct practical malware classifier models. In this paper, we aim to propose an opportunity to reconcile the problem of packetizing with identifying it. We present a dataset consisting of over 200K actual malware samples. We propose a multi-step framework for classifying and identifying packed samples. The framework includes pseudo-optimal feature selection, machine learning-based classifiers, and packer identification steps. The framework preselects the top 20 important features using the CART algorithm and permutation importance in the first step. In the second step, each model trains on the preselected 20 features to classify the packed files with the highest performance. The XGBoost algorithm, trained on the features preselected by XGBoost with the permutation importance, demonstrated the best performance among all experimental scenarios, achieving an accuracy of 99.67%, an F1-Score of 99.46%, and an area under the curve of 99.98%. The proposed framework identifies the packer only for samples classified as Well-Known Packed in the third step.