Packing is the most common malware obfuscation technique used to evade detection by anti-virus systems. With the explosive growth of packed malware, packer identification has become increasingly important in current cybersecurity. Most prior studies lack resilience because they sacrifice semantic integrity in pursuit of efficiency. In this paper, we therefore propose a novel approach based on consistently executing graph (CEG) mining, which preserves as much semantic information as possible and captures the execution intent of executables for identification. We elaborate on the concept of consistent execution and represent malware packers as structured CEGs. We then employ a bipartite matching algorithm, built on a designed block proximity metric, to extract the critical matching subgraphs. A Weisfeiler-Lehman shortest-path graph kernel is adopted for pairwise comparison to make the prediction. We have evaluated the efficacy extensively with several experiments on large-scale datasets containing manually packed benign apps, wild-packed malware, and wild-unpacked malware. The promising results demonstrate that our approach is valid and practical when applied to real-world packed malware analysis.
Li, X., Shan, Z., Liu, F., Chen, Y., & Hou, Y. (2019). A consistently-executing graph-based approach for malware packer identification. IEEE Access, 7, 51620–51629. https://doi.org/10.1109/ACCESS.2019.2910268