PackGenome: Automatically Generating Robust YARA Rules for Accurate Malware Packer Detection
Description
In our paper we developed PackGenome, a tool that generates YARA rules for accurate packer detection, and compared PackGenome-generated rules with publicly available packer signature collections and with state-of-the-art automatic rule generation tools. This artifact provides the PackGenome source code, the YARA rules PackGenome generated, and the datasets used in our experiments. Because the paper's datasets contain real-world Windows (and Linux) malware samples that take over 1 TB of disk space, this artifact ships non-malicious samples instead.

In the evaluation, AE reviewers can reproduce three main experimental results of the paper: (i) using PackGenome to generate YARA rules from 20 off-the-shelf packers; (ii) comparing PackGenome-generated rules with the other rule sets on the labeled packed-samples dataset LPD and the non-packed-samples dataset NPD (Table 2 and Table 3 of the paper); and (iii) using PackGenome to generate YARA rules from 5 inaccessible packers and comparing PackGenome-generated rules with the other rule sets on the inaccessible-packer dataset LPD1 (Table 6 of the paper).

packgenome.tar is a pre-built Docker image containing the components needed to execute the artifact. PackGenome-code.zip contains the source code of PackGenome.
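The LPD/NPD comparison above comes down to a confusion count: on the labeled packed set, does a rule of the right packer family fire, does a rule of some other family fire, or does nothing fire; on the non-packed set, every firing rule is a false positive. The scorer below is an added illustration of that bookkeeping and is not PackGenome's own evaluation code. It assumes a naming convention not stated on the page (rule names begin with the packer family they target, e.g. `upx_stub`), and the rules, byte samples and labels it carries are constructed for the demo; the optional scan path uses yara-python, everything else is pure Python.

```python
"""Score a packer-detection YARA ruleset against a labeled packed dataset (LPD)
and a non-packed dataset (NPD).  Added example, not PackGenome's code.
Assumption (not from the page): a rule's packer family is its name prefix
before the first underscore, e.g. "upx_stub" -> "upx".
"""
from collections import defaultdict
from typing import Dict, Iterable, Mapping, Set

Matches = Dict[str, Set[str]]  # sample name -> names of rules that fired on it


def family_of(rule_name: str) -> str:
    """Packer family encoded in the rule name (assumed naming convention)."""
    return rule_name.split("_", 1)[0].lower()


def scan_with_yara(rules_text: str, samples: Mapping[str, bytes]) -> Matches:
    """Run a YARA ruleset over in-memory samples with yara-python (optional dep)."""
    import yara  # imported lazily so the scoring functions work without it
    rules = yara.compile(source=rules_text)
    return {name: {m.rule for m in rules.match(data=data)}
            for name, data in samples.items()}


def evaluate(matches: Matches, lpd: Mapping[str, str], npd: Iterable[str]) -> dict:
    """Per-family outcome on LPD and per-rule false positives on NPD.

    LPD sample labeled family F:
      hit      - at least one F rule fired
      mislabel - no F rule fired, but a rule of another family did
      miss     - no rule fired
    NPD: nothing there is packed, so every firing rule is a false positive.
    """
    per_family = defaultdict(lambda: {"hit": 0, "mislabel": 0, "miss": 0})
    for sample, truth in lpd.items():
        fired = {family_of(r) for r in matches.get(sample, set())}
        if truth.lower() in fired:
            per_family[truth]["hit"] += 1
        elif fired:
            per_family[truth]["mislabel"] += 1
        else:
            per_family[truth]["miss"] += 1
    npd_fp = defaultdict(int)
    for sample in npd:
        for rule in matches.get(sample, set()):
            npd_fp[rule] += 1
    return {"lpd": dict(per_family), "npd_false_positives": dict(npd_fp)}


def detection_rate(report: dict, family: str) -> float:
    """Fraction of LPD samples of `family` on which a rule of that family fired."""
    counts = report["lpd"].get(family, {"hit": 0, "mislabel": 0, "miss": 0})
    total = sum(counts.values())
    return counts["hit"] / total if total else 0.0


# --- constructed demo data (not real packer signatures or real samples) ---
DEMO_RULES = r"""
rule upx_stub    { strings: $s = "UPX!"   condition: $s }
rule aspack_stub { strings: $s = "ASPack" condition: $s }
rule upx_weak    { strings: $s = "MZ"     condition: $s at 0 }  // fires on any PE
"""
DEMO_SAMPLES = {
    "a.exe": b"MZ\x90\x00" + b"\x00" * 16 + b"UPX!" + b"\x00" * 8,
    "b.exe": b"MZ\x90\x00" + b"\x00" * 16 + b"ASPack" + b"\x00" * 8,
    "c.exe": b"MZ\x90\x00" + b"\x00" * 16 + b"UPX!" + b"\x00" * 8,
    "d.elf": b"\x7fELF\x02\x01\x01" + b"\x00" * 24,
    "notepad_clean.exe": b"MZ\x90\x00" + b"\x00" * 28,
    "hello_clean.elf": b"\x7fELF\x02\x01\x01" + b"\x00" * 24,
}
DEMO_LPD = {"a.exe": "upx", "b.exe": "aspack", "c.exe": "aspack", "d.elf": "upx"}
DEMO_NPD = ["notepad_clean.exe", "hello_clean.elf"]
# What scan_with_yara(DEMO_RULES, DEMO_SAMPLES) yields; embedded so the scoring
# demo also runs where yara-python is not installed.
DEMO_MATCHES: Matches = {
    "a.exe": {"upx_stub", "upx_weak"},
    "b.exe": {"aspack_stub", "upx_weak"},
    "c.exe": {"upx_stub", "upx_weak"},
    "d.elf": set(),
    "notepad_clean.exe": {"upx_weak"},
    "hello_clean.elf": set(),
}


def main() -> None:
    try:
        matches = scan_with_yara(DEMO_RULES, DEMO_SAMPLES)
    except ImportError:
        matches = DEMO_MATCHES
    report = evaluate(matches, DEMO_LPD, DEMO_NPD)
    for family in sorted(report["lpd"]):
        print(family, report["lpd"][family], "rate=%.2f" % detection_rate(report, family))
    print("NPD false positives:", report["npd_false_positives"])


if __name__ == "__main__":
    main()
```

The deliberately loose `upx_weak` rule shows the failure mode the NPD column exists to catch: it raises no extra hits on LPD but fires on every clean PE, which is exactly what a rule-set comparison on packed samples alone would hide.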
Files
Preview: PackGenome-code.zip
Files (35.2 GB)
| File (MD5) | Size | Download |
|---|---|---|
| md5:76c52dae44838911e1ba999f2a55a57b | 531.5 MB | Preview, Download |
| md5:c5b0cd3a6d78affcc991cb00318be656 | 34.7 GB | Download |
Verify the MD5 of each download against the value listed above before loading the Docker image or unpacking the source archive.
Additional details
Related works
- Is supplement to
- https://github.com/packgenome/PackGenome-Artifacts (URL)