An Improved Method for Packed Malware Detection using PE Header and Section Table Information

Full Text (PDF, 455KB), PP.9-17

Views: 0 Downloads: 0


Nahid Maleki 1,* Mehdi Bateni 2 Hamid Rastegari 1

1. Computer Engineering Faculty, Najafabad Branch, Islamic Azad University, Najafabad, Iran

2. Department of Computer Engineering, Sheikhbahaee University, Isfahan, Iran

* Corresponding author.


Received: 16 Sep. 2018 / Revised: 1 Oct. 2018 / Accepted: 16 Oct. 2018 / Published: 8 Sep. 2019

Index Terms

Static Malware Analysis, PE Header, Section Table, Classification, Machine Learning


Malware poses one of the most serious threats to computer information systems. The current detection technology of malware has several inherent constraints. Because signature-based traditional techniques embedded in commercial antiviruses are not capable of detecting new and obfuscated malware, machine learning algorithms are applied in identifing patterns of malware behavior through features extracted from programs. There, a method is presented for detecting malware based on the features extracted from the PE header and section table PE files. The packed files are detected and then unpacke them. The PE file features are extracted and their static features are selected from PE header and section tables through forward selection method. The files are classified into malware files and clean files throughs different classification methods. The best results are obtained through DT classifier with an accuracy of 98.26%. The results of the experiments consist of 971 executable files containing 761 malware and 210 clean files with an accuracy of 98.26%.

Cite This Paper

Nahid Maleki, Mehdi Bateni, Hamid Rastegari, "An Improved Method for Packed Malware Detection using PE Header and Section Table Information", International Journal of Computer Network and Information Security(IJCNIS), Vol.11, No.9, pp.9-17, 2019.DOI:10.5815/ijcnis.2019.09.02


[1]J. Raphel and P. Vinod, "Information theoretic method for classification of packed and encoded files", Procedings of the 8th International Conference on Security of Information and Networks - SIN ’15, 2015.
[2]P. Morley, Processing virus collections, in: Proceedings of the 2001 Virus Bulletin Conference (VB2001), Virus Bulletin, 2001, pp. 129–134.
[3]I. Santos, F. Brezo, X. Ugarte-Pedrero, and P. G. Bringas, “Opcode sequences as representation of executables for data-mining-based unknown malware detection,” Information Sciences, vol. 231, pp. 64–82, May 2013.
[4]N. Kuzurin, A. Shokurov, N. Varnovsky, V. Zakharov, On the concept of software obfuscation in computer security, Lecture Notes in Computer Science 4779 (2007) 281.
[5]D. Bruschi, L. Martignoni, M. Monga, Detecting self-mutating malware using control-flow graph matching, Lecture Notes in Computer Science 4064 (2006) 129.
[6]Q. Zhang, D. Reeves, Metaaware: identifying metamorphic malware, in: Proceedings of the 2007 Annual Computer Security Applications Conference (ACSAC), 2007, pp. 411–420.
[7]M. Chouchane, A. Lakhotia, Using engine signature to detect metamorphic malware, in: Proceedings of the 2006 ACM workshop on Recurring Malcode, ACM, New York, NY, USA, 2006, pp. 73–78.
[8]M. Karim, A. Walenstein, A. Lakhotia, L. Parida, Malware phylogeny generation using permutations of code, Journal in Computer Virology 1 (2005) 13–23.
[9]M. Z. Shafiq, S. M. Tabish, F. Mirza, and M. Farooq, “PE-Miner: Mining Structural Information to Detect Malicious Executables in Realtime,” Recent Advances in Intrusion Detection, pp. 121–141, 2009.
[10]Nwokedi Idike and Aditya P. Mathur, “A Survey of Malware Detection Techniques”, Technical Report, Purdue University, 2007.
[11]P. OKane, S. Sezer, and K. McLaughlin, "Obfuscation: The Hidden Malware", IEEE Security & Privacy Magazine, vol. 9, no. 5, pp. 41–47, Sep. 2011.
[12]Sikorski M. and Honig A., Practical Malware Analysis: the Hand-On Guide to Dissecting Malicious Software, no starch press, 2012.
[13]Schultz, M.G., Eskin, E., Zadok, E., Stolfo, S.J., “Data mining methods for detection of new malicious executables,” in Proceedings of the 2001 IEEE Symposium on Security and Privacy, 2001.
[14]Moskovitch, R., Stopel, D., Feher, C., Nissim, N., and Elovici, Y. 2008. Unknown Malcode Detection via Text Categorization and the Imbalance Problem. In Proceedings of 6th IEEE International Conference on Intelligence and Security Informatics (ISI), Taiwan, 2008, 156–161.
[15]Tian, R., Batten, L., Islam, R., and Versteeg, S. 2009. An automated classification system based on the strings of Trojan and virus families. In Proceedings of 4th International Conference on Malicious and Unwanted Software, Montréal, Quebec, Canada, 2009, 23-30.
[16]Wang, C., Pang, J., Zhao, R., and Liu, X. 2009. Using API Sequence and Bayes Algorithm to Detect Suspicious Behavior. In Proceedings of International Conference on Communication Software and Networks, IEEE Computer Society Washington, DC, USA, 2009, 544–548.
[17]Ye, Y., Li, T., Jiang, Q., and Wang, Y. 2010. ‘CIMDS: Adapting Post processing Techniques of Associative Classification for Malware Detection’, IEEE Transactions on Systems, Man, and Cybernetics, Part C: Applications and Reviews, 2010, 40, 3 (2010), 298-307.
[18]Belaoued, M., Mazouzi, S., "A real-time pe-malware detection system based on chi-square test and pe-file features", In: IFIP International Conference on Computer Science and its Applications. Springer, pp. 416–425, 2015.
[19]Sikorski M. and Honig A., Practical Malware Analysis: the Hand-On Guide to Dissecting Malicious Software, no starch press, 2012.
[20]Goppit, Portable Executable File Format - A Reverse Engineer View, Code Breakers Journal - Aug 15, 2005.
[21]S. Alam, R. N. Horspool, and I. Traore, "MARD: A framework for metamorphic malware analysis and real-time detection", Proc. - Int. Conf. Adv. Inf. Netw. Appl. AINA, vol. 48, pp. 480–489, 2014.
[22]Goppit, Portable Executable File Format - A Reverse Engineer View, Code Breakers Journal - Aug 15, 2005.
[23]T. Brosch and M. Morgenstern, "Runtime Packers: The Hidden Problem," Proc. Black Hat USA, Black Hat, 2006; BH-US-06- Morgenstern.pdf.
[24]Y. Choi, I. Kim, J. Oh, and J. Ryou, “PE File Header Analysis-Based Packed PE File Detection Technique (PHAD),” International Symposium on Computer Science and its Applications, Oct. 2008.
[25]A. Elhadi, M. A. Maarof and A. H. Osman, "Malware Detection Based on Hybrid Signature Behaviour Application Programming Interface Call Graph", American Journal of Applied Sciences, vol. 9, no. 3, pp. 283–288, Mar. 2012.
[26]K. Mathur and S. Hiranwal, "A survey on techniques in detection and analyzing malware executables", Int. J. Adv. Res. Comp. Sci. and Soft. Eng., vol. 3, no. 4, pp. 422-428, 2013.
[27]E. Gandotra, D. Bansal, and S. Sofat, "Malware Analysis and Classification: A Survey", Journal of Information Security, vol. 05, no. 02, pp. 56–64, 2014.
[28]I. Basu, N. Sinha, D. Bhagat, and S. Goswami, "Malware Detection Based on Source Data using Data Mining: A Survey", American Journal of Advanced Computing, Vol. 03, no. 01, pp. 18-37, 2016.
[29]Z. Bazrafshan, H. Hashemi, S. M. H. Fard, and A. Hamzeh, "A survey on heuristic malware detection techniques", in Proc. 5th Conf. Inf. Knowl. Technol. (IKT), 2013, pp. 113–120.
[30]S. Alqurashi and O. Batarfi, "A Comparison of Malware Detection Techniques Based on Hidden Markov Model", Journal of Information Security, vol. 07, no. 03, pp. 215–223, 2016.
[31]Ammar Ahmed E. Elhadi, Mohd Aizaini Maarof and Bazara I. A. Barry, "Improving the Detection of Malware Behaviour Using Simplified Data Dependent API Call Graph", International Journal of Security and Its Applications Vol.7, No.5, pp.29-42, 2013.
[32]Ms. Shital Balkrishna Kuber. "A Survey on Data Mining Methods for Malware Detection" International Journal of Engineering Research and General Science Volume 2, Issue 6, October-November, 2014.
[33]M. Christodorescu, S. Jha, S. Seshia, D. Song, and R. Bryant, "Semantics-aware Malware Detection", In IEEE Symposium on Security and Privacy, 2005.
[34]K. Wang and S.J. Stolfo, "Anomalous Payload-Based Network Intrusion Detection", Proc. Seventh Int’l Symp Recent Advances in Intrusion Detection, pp. 203-222, 2004.
[35]Chitrakar R., Chuanhe H., "Anomaly based Intrusion Detection using Hybrid Learning Approach of combining k-Medoids Clustering and Naïve Bayes Classification", In Proceedings of 8th IEEE International Conference on Wireless Communications, Networking and Mobile Computing (WiCOM), pp. 1-5, 2012.
[36]M. Milenković, A. Milenković, and E. Jovanov, “Using instruction block signatures to counter code injection attacks,” ACM SIGARCH Computer Architecture News, vol. 33, no. 1, p. 108, Mar. 2005.
[37]C. Hu, X. Wang, N. Li, H. Bai, and X. Jing, "Approach for malware identification using dynamic behaviour and outcome triggering", IET Information Security, vol. 8, no. 2, pp. 140–151, Mar. 2014.
[38]U. Baldangombo, N. Jambaljav, and S.-J. Horng, “A Static Malware Detection System Using Data Mining Methods,” International Journal of Artificial Intelligence & Applications, vol. 4, no. 4, pp. 113–126, Jul. 2013.
[39]E. Gandotra, D. Bansal, S. Sofat, "Integrated Framework for Classification of Malware", Proc. of 7th International Conference on Security of Information and Networks, ACM, University of Glasgow, UK. September, 2014.
[40]J. Bai, J. Wang, and G. Zou, "A Malware Detection Scheme Based on Mining Format Information", The Scientific World Journal, vol. 2014, pp. 1–11, 2014.