Packer Identification using Grayscale Images of Binaries

Malware frequently uses packing techniques, making the analysis of packed executables essential for developing robust malware defences. This paper focuses on the identification of packers used in MS Windows binaries. Our approach first converts these binaries into grayscale images of 128 pixels in width and arbitrary height, and then applies convolutional neural networks (CNN), as a sliding window, along the vertical dimension of the image for extracting a sequence of high-level features. Finally, this sequence is fed into a recurrent neural network (RNN) that classifies the binary image. Using a CNN to extract features eliminates the need for manual feature engineering, which is time-consuming and resource-intensive. An advantage of our approach is that we do not rely on code analysis, hence removing dependencies on third-party software, which results in our method being able to handle all files. Another advantage of our approach, compared with traditional CNNs, is that it does not require image resizing, which prevents information loss. Overall, our results can improve the state-of-the-art by up to 23.506\% while removing third-party dependencies on external software to analyse code.