At the 30th ACM Conference on Computer and Communications Security (ACM CCS 2023), held in Copenhagen, Denmark a few days ago, the paper "PackGenome: Automatically Generating Robust YARA Rules for Accurate Malware Packer Detection", the latest achievement of the team led by Chunfu Jia, a professor at the College of Cyber Science, was presented and received great attention.
Shijia Li, the first author of the paper, is currently a PhD student in the team; his research area is software security. Li has published two papers at top conferences (NDSS and CCS) in the field of network and information security.
This paper focuses on identifying packers in real-world malware analysis. Building on YARA, the tool most widely used in academia and industry for large-scale packer inspection, the team proposed a method for automatically generating YARA rules that identify packers efficiently: the unpacking routine's instructions are treated as packer-specific genes, and an automatic extraction method for these genes is designed and implemented to produce packer detection rules. Additionally, the team proposed and implemented a novel approach to improving the matching accuracy of YARA rules, as illustrated in Figure 1. The team also built a packer detection and evaluation system and ran identification experiments on more than 20 mainstream packers, using both an experimental dataset and a real malware dataset. The results show that the generated rules are far more accurate and effective than the existing publicly available packer detection rules. This research has significant value for subsequent related work.

Figure 1 The overall workflow of PackGenome framework.
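As an added illustration (written here, not the paper's code or PackGenome's actual extraction algorithm), the following Python sketches the core idea: bytes that several samples of one packer's unpacking routine share become a wildcarded YARA hex pattern, while bytes that vary between builds (such as addresses) become `??` wildcards. The stub byte sequences are constructed for the example.

```python
from typing import List, Optional

# Constructed samples of one hypothetical packer's unpacking stub
# (pushad / mov esi,imm32 / lea edi,[esi+imm32] / push edi / or ebp,-1 / jmp).
# Only the immediate operands differ between builds.
STUB_SAMPLES = [
    bytes.fromhex("60 BE 00 10 40 00 8D BE 00 00 FF FF 57 83 CD FF EB 10"),
    bytes.fromhex("60 BE 00 20 41 00 8D BE 00 00 FE FF 57 83 CD FF EB 10"),
    bytes.fromhex("60 BE 00 30 42 00 8D BE 00 00 FD FF 57 83 CD FF EB 10"),
]

Gene = List[Optional[int]]  # a byte value, or None for a wildcard position


def extract_gene(samples: List[bytes]) -> Gene:
    """Per-position consensus over the samples: the byte if all agree, else None."""
    n = min(len(s) for s in samples)
    gene: Gene = []
    for i in range(n):
        values = {s[i] for s in samples}
        gene.append(values.pop() if len(values) == 1 else None)
    return gene


def to_yara_rule(name: str, gene: Gene) -> str:
    """Render the gene as a YARA rule with a hex string; None becomes '??'."""
    hex_pattern = " ".join("??" if b is None else f"{b:02X}" for b in gene)
    return (
        f"rule {name} {{\n"
        f"  strings:\n"
        f"    $gene = {{ {hex_pattern} }}\n"
        f"  condition:\n"
        f"    $gene\n"
        f"}}"
    )


def gene_matches(gene: Gene, data: bytes) -> bool:
    """Check whether the wildcarded gene occurs at any offset in data."""
    n = len(gene)
    for off in range(len(data) - n + 1):
        if all(g is None or data[off + i] == g for i, g in enumerate(gene)):
            return True
    return False


if __name__ == "__main__":
    print(to_yara_rule("hypothetical_packer_stub", extract_gene(STUB_SAMPLES)))
```

A real rule generator must also reject genes that are too short or too common to be packer-specific; this sketch only shows the consensus-and-wildcard step.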
ACM CCS, IEEE S&P, NDSS, and USENIX Security are known as the top four international academic conferences in the field of network and information security. Founded in 1993, the highly prestigious ACM CCS has been regarded as the barometer of research in the field of network and information security, with an average acceptance rate of about 17% for its papers in the past five years. The research results accepted by the conference represent the pinnacle of current information security research progress, and receive extensive attention from academia and industry.
(Edited and translated by Nankai News Team.)
