TL;DR
PackHero introduces a scalable, graph-based static method for packer identification that outperforms existing tools in accuracy, scalability, and handling virtualization-based packers, with minimal training data.
Contribution
The paper presents PackHero, a novel static approach using Graph Matching Networks and clustering to improve packer identification efficiency and scalability.
Findings
Achieves 93.7% F1-score with 10 samples per packer
Reaches 98.3% F1-score with 100 samples
Outperforms signature-based tools on virtualization packers
Abstract
Anti-analysis techniques, particularly packing, challenge malware analysts, making packer identification fundamental. Existing packer identifiers have significant limitations: signature-based methods lack flexibility and struggle against dynamic evasion, while Machine Learning approaches require extensive training data, limiting scalability and adaptability. Consequently, achieving accurate and adaptable packer identification remains an open problem. This paper presents PackHero, a scalable and efficient methodology for identifying packers using a novel static approach. PackHero employs a Graph Matching Network and clustering to match and group Call Graphs from programs packed with known packers. We evaluate our approach on a public dataset of malware and benign samples packed with various packers, demonstrating its effectiveness and scalability across varying sample sizes. PackHero…