Analysis of Machine Learning Approaches to Packing Detection
Charles-Henry Bertrand Van Ouytsel, Thomas Given-Wilson, Jeremy Minet, Julian Roussieau, Axel Legay

TL;DR
This paper compares eleven machine learning methods using 119 features to identify the most effective and efficient approaches for malware packing detection, addressing the lack of consensus on optimal algorithms and features.
Contribution
It provides a comprehensive evaluation of multiple ML algorithms and features for packing detection, highlighting the most significant features and the best-performing models.
Findings
Certain features are more significant for packing detection.
Some algorithms outperform others in accuracy and efficiency.
The study identifies the most economical algorithms for practical use.
Abstract
Packing is an obfuscation technique widely used by malware to hide the content and behavior of a program. Much prior research has explored how to detect whether a program is packed. This research includes a broad variety of approaches such as entropy analysis, syntactic signatures, and more recently machine learning classifiers using various features. However, no robust results have indicated which algorithms perform best, or which features are most significant. This is complicated by considering how to evaluate the results, since accuracy, cost, generalization capabilities, and other measures are all reasonable. This work explores eleven different machine learning approaches using 119 features to understand: which features are most significant for packing detection; which algorithms offer the best performance; and which algorithms are most economical.
Taxonomy
Topics: Advanced Malware Detection Techniques · Spam and Phishing Detection · Cybercrime and Law Enforcement Studies
