Table 1. Results for different combination rules and distance measures. The results in bold are the best for each combination rule and distance measure. Our method is able to detect more than 99 % of the packed executable while maintaining FPR lower than 1%.

                Cosine Similarity           Euclidean Distance          Manhattan Distance
Combination   Threshold   FNR    FPR     Threshold   FNR    FPR     Threshold   FNR    FPR
Mean          0.05000     0.000  0.332   0.70000     0.000  0.816   1.70000     0.000  0.544
              0.08400     0.001  0.166   0.84000     0.001  0.288   2.17000     0.001  0.260
              0.11800     0.001  0.126   0.98000     0.001  0.172   2.64000     0.001  0.150
              0.15200     0.001  0.018   1.12000     0.001  0.130   3.11000     0.001  0.048
              0.18600     0.001  0.012   1.26000     0.001  0.014   3.58000     0.001  0.012
              0.22000     0.042  0.010   1.40000     0.001  0.010   4.05000     0.002  0.010
              0.25400     0.532  0.010   1.54000     0.002  0.008   4.52000     0.017  0.008
              0.28800     0.625  0.006   1.68000     0.096  0.006   4.99000     0.086  0.006
              0.32200     0.728  0.004   1.82000     0.298  0.006   5.46000     0.247  0.002
              0.35600     0.888  0.000   1.96000     0.568  0.000   5.93000     0.379  0.000
Maximum       0.36300     0.000  0.262   1.90000     0.000  0.768   5.90000     0.000  0.570
              0.38200     0.003  0.138   1.96000     0.000  0.594   6.20000     0.000  0.340
              0.40100     0.004  0.118   2.02000     0.000  0.232   6.50000     0.000  0.194
              0.42100     0.020  0.108   2.08000     0.000  0.050   6.80000     0.001  0.048
              0.43900     0.085  0.100   2.14000     0.001  0.024   7.10000     0.002  0.028
              0.45800     0.102  0.098   2.20000     0.002  0.014   7.40000     0.008  0.018
              0.47700     0.122  0.086   2.26000     0.004  0.012   7.70000     0.033  0.008
              0.49600     0.195  0.012   2.32000     0.020  0.008   8.00000     0.077  0.004
              0.51500     0.329  0.010   2.38000     0.061  0.008   8.30000     0.239  0.004
              0.53400     0.509  0.000   2.44000     0.146  0.000   8.60000     0.378  0.000
Minimum       0.00032     0.000  0.682   0.06000     0.000  0.736   0.06000     0.000  0.736
              0.01962     0.003  0.012   0.20000     0.001  0.396   0.20000     0.001  0.396
              0.03892     0.107  0.008   0.34000     0.001  0.106   0.34000     0.001  0.106
              0.05822     0.189  0.004   0.48000     0.001  0.030   0.48000     0.001  0.030
              0.07752     0.213  0.004   0.62000     0.002  0.014   0.62000     0.002  0.014
              0.09682     0.374  0.004   0.76000     0.032  0.006   0.76000     0.032  0.006
              0.11612     0.477  0.002   0.90000     0.054  0.004   0.90000     0.054  0.004
              0.13542     0.692  0.002   1.04000     0.163  0.004   1.04000     0.163  0.004
              0.15472     0.792  0.002   1.18000     0.262  0.002   1.18000     0.262  0.002
              0.17402     0.860  0.000   1.32000     0.386  0.000   1.32000     0.386  0.000
the number of packed executable cases misclassified as not packed software (false negatives). FPR is defined as:

$$\mathrm{FPR}(\alpha) = \frac{FP}{FP + TN}$$

where FP is the number of not packed executables incorrectly detected as packed, while TN is the number of not packed executables correctly classified.
Table 1 shows the obtained results. Euclidean and Manhattan distances, despite consuming less processing time, achieved better results than the cosine-similarity-based distance for the tested thresholds. In particular, our anomaly-based packed executable detector is able to correctly detect more than 99 % of unknown packers while keeping the rate of misclassified not packed executables lower than 1 %. As can be observed, the mean combination rule presents slightly better results for both FNR and FPR. These results show that this method is a valid pre-processing step for a generic unpacking schema. Since the main limitation of these unpackers is their performance overhead, a packed executable detector like our anomaly-based method can reduce their workload by acting as a filter for these systems.
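The detection and evaluation procedure the text describes, as an added example that is not code from the paper: a sample's feature vector is compared against a reference set of not packed executables with one of the three distance measures, the per-reference distances are reduced with the mean, maximum or minimum combination rule, the sample is flagged as packed when the combined score exceeds the threshold alpha, and FNR and FPR are then computed over a labelled set using the definitions above. The feature vectors, reference set and labels are constructed toy data (hypothetical normalized features), not the paper's feature set or dataset, and the threshold values are chosen for the toy data rather than taken from Table 1.

```python
"""Added example (not from the paper): threshold-based anomaly detection of packed
executables with mean/maximum/minimum combination rules over three distance
measures, evaluated by FNR and FPR. All vectors and labels are constructed toy data."""
import math
from statistics import mean


def cosine_distance(a, b):
    """Cosine-similarity-based distance: 1 - cos(a, b); 0 means identical direction."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(x * x for x in b))
    if norm_a == 0.0 or norm_b == 0.0:
        return 1.0  # degenerate all-zero vector: treat as maximally dissimilar
    return 1.0 - dot / (norm_a * norm_b)


def euclidean_distance(a, b):
    """L2 distance between two feature vectors of equal length."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def manhattan_distance(a, b):
    """L1 distance between two feature vectors of equal length."""
    return sum(abs(x - y) for x, y in zip(a, b))


DISTANCES = {"cosine": cosine_distance, "euclidean": euclidean_distance,
             "manhattan": manhattan_distance}
# Combination rules of Table 1: reduce the per-reference distances to one score.
COMBINATIONS = {"mean": mean, "maximum": max, "minimum": min}


def anomaly_score(sample, references, distance="euclidean", combination="mean"):
    """Distance from `sample` to every not packed reference, reduced by `combination`."""
    dist = DISTANCES[distance]
    return COMBINATIONS[combination]([dist(sample, ref) for ref in references])


def is_packed(sample, references, alpha, distance="euclidean", combination="mean"):
    """Anomaly decision: flagged as packed when the combined score exceeds alpha."""
    return anomaly_score(sample, references, distance, combination) > alpha


def evaluate(samples, labels, references, alpha, distance="euclidean", combination="mean"):
    """Return (FNR, FPR): FNR = FN / (FN + TP) over packed samples,
    FPR = FP / (FP + TN) over not packed samples, as defined in the text."""
    tp = fn = fp = tn = 0
    for sample, packed in zip(samples, labels):
        predicted = is_packed(sample, references, alpha, distance, combination)
        if packed and predicted:
            tp += 1
        elif packed:
            fn += 1
        elif predicted:
            fp += 1
        else:
            tn += 1
    fnr = fn / (fn + tp) if fn + tp else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return fnr, fpr


def threshold_sweep(samples, labels, references, alphas, distance="euclidean", combination="mean"):
    """One (alpha, FNR, FPR) row per threshold, in the shape of a Table 1 block."""
    return [(alpha, *evaluate(samples, labels, references, alpha, distance, combination))
            for alpha in alphas]


# Constructed reference set: hypothetical normalized features of not packed
# executables (NOT the paper's features or values).
REFERENCES = [(0.20, 0.30, 0.10), (0.25, 0.35, 0.15), (0.18, 0.28, 0.12), (0.22, 0.32, 0.08)]

# Constructed evaluation set: three packed samples (True), three not packed (False).
# The third packed sample sits close to the reference set and the last not packed
# sample sits far from it, so the sweep shows the FNR/FPR trade-off as alpha grows.
SAMPLES = [(0.90, 0.95, 0.70), (0.85, 0.90, 0.80), (0.30, 0.40, 0.20),
           (0.21, 0.31, 0.11), (0.30, 0.20, 0.10), (0.50, 0.50, 0.50)]
LABELS = [True, True, True, False, False, False]

if __name__ == "__main__":
    alphas = [0.1, 0.3, 0.7, 2.0]
    for combination in COMBINATIONS:
        print(f"euclidean / {combination}")
        for alpha, fnr, fpr in threshold_sweep(SAMPLES, LABELS, REFERENCES, alphas,
                                               "euclidean", combination):
            print(f"  alpha={alpha:.2f}  FNR={fnr:.3f}  FPR={fpr:.3f}")
```

Raising alpha can only move samples from "packed" to "not packed", so FNR is non-decreasing and FPR is non-increasing along a sweep; the operating threshold is the one where the two rates are both acceptable, which is how the rows of Table 1 are read.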