{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,24]],"date-time":"2026-06-24T01:46:34Z","timestamp":1782265594098,"version":"3.54.5"},"reference-count":47,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2026,6,24]],"date-time":"2026-06-24T00:00:00Z","timestamp":1782259200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2026,6,24]],"date-time":"2026-06-24T00:00:00Z","timestamp":1782259200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Cybersecurity"],"abstract":"<jats:title>Abstract<\/jats:title>\n                  <jats:p>Nowadays, there are millions of executable files submitted to anti-virus companies every day. Existing anti-virus tools are basically designed on malware signature methods, which could be easily bypassed by malware using obfuscation techniques like packing algorithms. At the same time, we could not manually unpack all of the suspicious files when there was a booming growth of packed malware samples. To overcome these challenges, we designed the P2U(Packed-to-Unpacking) model and S2S(Self-to-Self) model for extracting the unpacking feature and latent feature representation of the program itself, respectively, and then presented an end-to-end packing detection method. Unlike entropy or heuristics features, the features extracted by the autoencoders are difficult to be confused and forged, with no need for manual feature selection, and can be used as a complement to existing features. We trained the models on the manually packed dataset and tested the performance on the real-world dataset. Experimental results show that the F1 scores are 0.99 and 0.89 on the training set and the large-scale real-world packed dataset. In addition, the PackingHunt model is also robust against the unseen packers of our real-world dataset and could even achieve 100% accuracy on some unseen packers, though these packing algorithms are not present in the training set.<\/jats:p>","DOI":"10.1186\/s42400-025-00508-9","type":"journal-article","created":{"date-parts":[[2026,6,24]],"date-time":"2026-06-24T01:02:17Z","timestamp":1782262937000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["An end-to-end packing detection method based on autoencoder features"],"prefix":"10.1186","volume":"9","author":[{"given":"Guga","family":"Suri","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Rui","family":"Zheng","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Jianming","family":"Fu","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Bowen","family":"Li","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"297","published-online":{"date-parts":[[2026,6,24]]},"reference":[{"key":"508_CR1","doi-asserted-by":"crossref","unstructured":"Aghakhani H, Gritti F, Mecca F, Lindorfer M, Ortolani S, Balzarotti D, Vigna G, Kruegel C (2020) When malware is packin\u2019heat; limits of machine learning classifiers based on static analysis features. In: Network and distributed systems security (NDSS) Symposium 2020,","DOI":"10.14722\/ndss.2020.24310"},{"key":"508_CR2","unstructured":"AV-TEST Institute (2020) Malware statistics by operating system and platform. https:\/\/www.av-test.org\/en\/statistics\/malware\/"},{"issue":"3","key":"508_CR3","doi-asserted-by":"publisher","first-page":"227","DOI":"10.1007\/s10207-016-0330-4","volume":"16","author":"M Bat-Erdene","year":"2017","unstructured":"Bat-Erdene M, Park H, Li H, Lee H, Choi M-S (2017) Entropy analysis to classify unknown packing algorithms for malware detection. Int J Inf Secur 16(3):227\u2013248","journal-title":"Int J Inf Secur"},{"key":"508_CR4","doi-asserted-by":"publisher","first-page":"436","DOI":"10.1016\/j.cose.2019.05.007","volume":"85","author":"F Biondi","year":"2019","unstructured":"Biondi F, Enescu MA, Given-Wilson T, Legay A, Noureddine L, Verma V (2019) Effective, efficient, and robust packing detection and classification. Comput Secur 85:436\u2013451","journal-title":"Comput Secur"},{"key":"508_CR5","doi-asserted-by":"crossref","unstructured":"Bueno D, Compton KJ, Sakallah KA, Bailey M (2013) Detecting traditional packers, decisively. In: International workshop on recent advances in intrusion detection, pp.\u00a0184\u2013203. Springer","DOI":"10.1007\/978-3-642-41284-4_10"},{"key":"508_CR6","doi-asserted-by":"crossref","unstructured":"Cheng B, Ming J, Fu J, Peng G, Chen T, Zhang X, Marion J-Y (2018) Towards paving the way for large-scale windows malware analysis: generic binary unpacking with orders-of-magnitude performance boost. In: Proceedings of the 2018 ACM SIGSAC conference on computer and communications security, pp.\u00a0395\u2013411","DOI":"10.1145\/3243734.3243771"},{"key":"508_CR7","unstructured":"Cheng B, Ming J, Leal EA, Zhang H, Fu J, Peng G, Marion J-Y (2021) Obfuscation-resilient executable payload extraction from packed malware. In: 30th $$\\{$$USENIX$$\\}$$ security symposium ($$\\{$$USENIX$$\\}$$ Security 21)"},{"key":"508_CR8","doi-asserted-by":"crossref","unstructured":"Choi Y-S, Kim I-K, Oh J-T, Ryou J-C (2008) Pe file header analysis-based packed Pe file detection technique (PHAD). In: International symposium on computer science and its applications, pp.\u00a028\u201331. IEEE","DOI":"10.1109\/CSA.2008.28"},{"key":"508_CR9","doi-asserted-by":"publisher","first-page":"109373","DOI":"10.1016\/j.asoc.2022.109373","volume":"127","author":"KHT Dam","year":"2022","unstructured":"Dam KHT, Given-Wilson T, Legay A, Veroneze R (2022) Packer classification based on association rule mining. Appl Soft Comput 127:109373","journal-title":"Appl Soft Comput"},{"key":"508_CR10","doi-asserted-by":"crossref","unstructured":"David OE, Netanyahu NS (2015) Deepsign: deep learning for automatic Malware signature generation and classification. In: 2015 international joint conference on neural networks (IJCNN), pp.\u00a01\u20138. IEEE","DOI":"10.1109\/IJCNN.2015.7280815"},{"key":"508_CR11","unstructured":"Downing E, Mirsky Y, Park K, Lee W (2021) $$\\{$$DeepReflect$$\\}$$: discovering malicious functionality through binary reconstruction. In: 30th USENIX security symposium (USENIX Security 21), pp.\u00a03469\u20133486"},{"key":"508_CR12","first-page":"103267","volume":"68","author":"X Gao","year":"2022","unstructured":"Gao X, Hu C, Shan C, Han W (2022) Malicage: a packed malware family classification framework based on DNN and GAN. J Inf Secur Appl 68:103267","journal-title":"J Inf Secur Appl"},{"key":"508_CR13","doi-asserted-by":"crossref","unstructured":"Guo F, Ferrie P, Chiueh T-C (2008) A study of the packer problem and its solutions. In: International Workshop on recent advances in intrusion detection. pp.\u00a098\u2013115, Springer","DOI":"10.1007\/978-3-540-87403-4_6"},{"key":"508_CR14","doi-asserted-by":"crossref","unstructured":"Jacob G, Comparetti PM, Neugschwandtner M, Kruegel C, Vigna G (2012) A static, packer-agnostic filter to detect similar malware samples. In: International conference on detection of intrusions and malware, and vulnerability assessment, pp.\u00a0102\u2013122. Springer","DOI":"10.1007\/978-3-642-37300-8_6"},{"issue":"8","key":"508_CR15","doi-asserted-by":"publisher","first-page":"e5082","DOI":"10.1002\/cpe.5082","volume":"32","author":"B Jung","year":"2020","unstructured":"Jung B, Bae SI, Choi C, Im EG (2020) Packer identification method based on byte sequences. Concurr Comput Pract Exp 32(8):e5082","journal-title":"Concurr Comput Pract Exp"},{"key":"508_CR16","doi-asserted-by":"crossref","unstructured":"Kalash M, Rochan M, Mohammed N, Bruce ND, Wang Y, Iqbal F (2018) Malware classification with deep convolutional neural networks. In: 2018 9th IFIP international conference on new technologies, mobility and security (NTMS), pp.\u00a01\u20135. IEEE","DOI":"10.1109\/NTMS.2018.8328749"},{"issue":"2","key":"508_CR17","doi-asserted-by":"publisher","first-page":"101","DOI":"10.1007\/s11416-015-0249-8","volume":"12","author":"K Kancherla","year":"2016","unstructured":"Kancherla K, Donahue J, Mukkamala S (2016) Packer identification using byte plot and Markov plot. J Comput Virol Hack Techn 12(2):101\u2013111","journal-title":"J Comput Virol Hack Techn"},{"key":"508_CR18","doi-asserted-by":"publisher","first-page":"83","DOI":"10.1016\/j.ins.2018.04.092","volume":"460","author":"J-Y Kim","year":"2018","unstructured":"Kim J-Y, Bu S-J, Cho S-B (2018) Zero-day malware detection using transferred generative adversarial networks based on deep autoencoders. Inf Sci 460:83\u2013102","journal-title":"Inf Sci"},{"issue":"12","key":"508_CR19","doi-asserted-by":"publisher","first-page":"9038","DOI":"10.1007\/s10489-021-02347-w","volume":"51","author":"H Liu","year":"2021","unstructured":"Liu H, Guo C, Cui Y, Shen G, Ping Y (2021) 2-spiff: a 2-stage packer identification method based on function call graph and file attributes. Appl Intell 51(12):9038\u20139053","journal-title":"Appl Intell"},{"issue":"2","key":"508_CR20","doi-asserted-by":"publisher","first-page":"40","DOI":"10.1109\/MSP.2007.48","volume":"5","author":"R Lyda","year":"2007","unstructured":"Lyda R, Hamrock J (2007) Using entropy analysis to find encrypted and packed malware. IEEE Secur Priv 5(2):40\u201345","journal-title":"IEEE Secur Priv"},{"key":"508_CR21","doi-asserted-by":"crossref","unstructured":"Mantovani A, Aonzo S, Ugarte-Pedrero X, Merlo A, Balzarotti D (2020) Prevalence and impact of low-entropy packing schemes in the malware ecosystem. In: NDSS","DOI":"10.14722\/ndss.2020.24297"},{"issue":"4","key":"508_CR22","doi-asserted-by":"publisher","first-page":"395","DOI":"10.3390\/e23040395","volume":"23","author":"HD Men\u00e9ndez","year":"2021","unstructured":"Men\u00e9ndez HD, Clark D, Barr ET (2021) Getting ahead of the arms race: hothousing the coevolution of virustotal with a packer. Entropy 23(4):395","journal-title":"Entropy"},{"key":"508_CR23","doi-asserted-by":"crossref","unstructured":"Mirsky Y, Doitshman T, Elovici Y, Shabtai A (2018) Kitsune: an ensemble of autoencoders for online network intrusion detection, arXiv:1802.09089","DOI":"10.14722\/ndss.2018.23204"},{"key":"508_CR24","unstructured":"Morgenstern M, Pilz H (2010) Useful and useless statistics about viruses and anti-virus programs. In: Proceedings of the CARO Workshop"},{"issue":"5","key":"508_CR25","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3530810","volume":"55","author":"T Muralidharan","year":"2022","unstructured":"Muralidharan T, Cohen A, Gerson N, Nissim N (2022) File packing from the malware perspective: techniques, analysis approaches, and directions for enhancements. ACM Comput Surv 55(5):1\u201345","journal-title":"ACM Comput Surv"},{"key":"508_CR26","doi-asserted-by":"crossref","unstructured":"Naseem F, Aris A, Babun L, Tekiner E, Uluagac AS (2021) Minos*: a lightweight real-time cryptojacking detection system. In: Network and distributed systems security (NDSS) symposium, pp.\u00a021\u201325","DOI":"10.14722\/ndss.2021.24444"},{"key":"508_CR27","doi-asserted-by":"crossref","unstructured":"Nataraj L, Karthikeyan S, Jacob G, Manjunath BS (2011) Malware images: visualization and automatic classification. In: Proceedings of the 8th international symposium on visualization for cyber security, pp.\u00a01\u20137","DOI":"10.1145\/2016904.2016908"},{"issue":"14","key":"508_CR28","doi-asserted-by":"publisher","first-page":"1941","DOI":"10.1016\/j.patrec.2008.06.016","volume":"29","author":"R Perdisci","year":"2008","unstructured":"Perdisci R, Lanzi A, Lee W (2008) Classification of packed executables for accurate computer virus detection. Pattern Recogn Lett 29(14):1941\u20131946","journal-title":"Pattern Recogn Lett"},{"key":"508_CR29","doi-asserted-by":"crossref","unstructured":"Perdisci R, Lanzi A, Lee W (2008) Mcboost: boosting scalability in malware collection and analysis using statistical classification of executables. In: 2008 annual computer security applications conference (ACSAC), pp.\u00a0301\u2013310. IEEE","DOI":"10.1109\/ACSAC.2008.22"},{"key":"508_CR30","unstructured":"Raff E, Barker J, Sylvester J, Brandon R, Catanzaro B, Nicholas CK (2018) Malware detection by eating a whole exe. In: Workshops at the thirty-second AAAI conference on artificial intelligence"},{"key":"508_CR31","doi-asserted-by":"crossref","unstructured":"Royal P, Halpin M, Dagon D, Edmonds R, Lee W (2006) Polyunpack: automating the hidden-code extraction of unpack-executing malware. In: 2006 22nd annual computer security applications conference (ACSAC\u201906), pp.\u00a0289\u2013300. IEEE","DOI":"10.1109\/ACSAC.2006.38"},{"key":"508_CR32","doi-asserted-by":"crossref","unstructured":"Santos I, Ugarte-Pedrero X, Sanz B, Laorden C, Bringas PG (2011) Collective classification for packed executable identification. In: Proceedings of the 8th annual collaboration, electronic messaging, anti-abuse and spam conference, pp.\u00a023\u201330","DOI":"10.1145\/2030376.2030379"},{"key":"508_CR33","doi-asserted-by":"crossref","unstructured":"Shafiq MZ, Tabish SM, Mirza F, Farooq M (2009) Pe-miner: mining structural information to detect malicious executables in realtime. In: International workshop on recent advances in intrusion detection, pp.\u00a0121\u2013141. Springer","DOI":"10.1007\/978-3-642-04342-0_7"},{"key":"508_CR34","doi-asserted-by":"crossref","unstructured":"Shafiq MZ, Tabish S, Farooq M (2009) Pe-probe: leveraging packer detection and structural information to detect malicious portable executables. In: Proceedings of the virus bulletin conference (VB), vol.\u00a08. Citeseer","DOI":"10.1007\/978-3-642-04342-0_7"},{"key":"508_CR35","doi-asserted-by":"crossref","unstructured":"Sun Q, Abuhamad M, Abdukhamidov E, Chan-Tin E, Abuhmed T (2022) Mlxpack: investigating the effects of packers on ml-based malware detection systems using static and dynamic traits. In: Proceedings of the 1st workshop on cybersecurity and social sciences, pp.\u00a011\u201318","DOI":"10.1145\/3494108.3522768"},{"key":"508_CR36","doi-asserted-by":"crossref","unstructured":"Sun L, Versteeg S, Bozta\u015f S, Yann T (2010) Pattern recognition techniques for the classification of malware packers. In: Australasian conference on information security and privacy, pp.\u00a0370\u2013390. Springer","DOI":"10.1007\/978-3-642-14081-5_23"},{"issue":"11","key":"508_CR37","doi-asserted-by":"publisher","first-page":"1596","DOI":"10.3390\/e24111596","volume":"24","author":"Y Tang","year":"2022","unstructured":"Tang Y, Chen Y, Zhou D (2022) Measuring uncertainty in the negation evidence for multi-source information fusion. Entropy 24(11):1596","journal-title":"Entropy"},{"issue":"5","key":"508_CR38","doi-asserted-by":"publisher","first-page":"7163","DOI":"10.1007\/s13369-022-07560-4","volume":"48","author":"Y Tang","year":"2023","unstructured":"Tang Y, Tan S, Zhou D. An improved failure mode and effects analysis method using belief Jensen\u2013Shannon divergence and entropy measure in the evidence theory[J]. Arabian Journal for Science and Engineering, 2023, 48(5): 7163-7176.","journal-title":"Arabian Journal for Science and Engineering"},{"key":"508_CR39","doi-asserted-by":"publisher","first-page":"126","DOI":"10.1016\/j.cose.2014.03.012","volume":"43","author":"X Ugarte-Pedrero","year":"2014","unstructured":"Ugarte-Pedrero X, Santos I, Garc\u00eda-Ferreira I, Huerta S, Sanz B, Bringas PG (2014) On the adoption of anomaly detection for packed executable filtering. Comput Secur 43:126\u2013144","journal-title":"Comput Secur"},{"key":"508_CR40","doi-asserted-by":"crossref","unstructured":"Ugarte-Pedrero X, Balzarotti D, Santos I, Bringas PG (2015) Sok: deep packer inspection: a longitudinal study of the complexity of run-time packers. In: 2015 IEEE symposium on security and privacy, pp.\u00a0659\u2013673. IEEE","DOI":"10.1109\/SP.2015.46"},{"key":"508_CR41","doi-asserted-by":"crossref","unstructured":"Ugarte-Pedrero X, Santos I, Bringas PG (2011) Structural feature based anomaly detection for packed executable identification. In: Computational intelligence in security for information systems, pp.\u00a0230\u2013237. Springer","DOI":"10.1007\/978-3-642-21323-6_29"},{"key":"508_CR42","unstructured":"Van Ouytsel C-HB, Given-Wilson T, Minet J, Roussieau J, Legay A (2021) Analysis of machine learning approaches to packing detection, arXiv:2105.00473"},{"key":"508_CR43","doi-asserted-by":"publisher","first-page":"101748","DOI":"10.1016\/j.cose.2020.101748","volume":"92","author":"D Vasan","year":"2020","unstructured":"Vasan D, Alazab M, Wassan S, Safaei B, Zheng Q (2020) Image-based malware classification using ensemble of CNN architectures (IMCEC). Comput Secur 92:101748","journal-title":"Comput Secur"},{"issue":"5","key":"508_CR44","doi-asserted-by":"publisher","first-page":"65","DOI":"10.1109\/MSP.2008.126","volume":"6","author":"W Yan","year":"2008","unstructured":"Yan W, Zhang Z, Ansari N (2008) Revealing packed malware. IEEE Secur Priv 6(5):65\u201369","journal-title":"IEEE Secur Priv"},{"key":"508_CR45","doi-asserted-by":"crossref","unstructured":"Yousefi-Azar M, Varadharajan V, Hamey L, Tupakula U (2017) Autoencoder-based feature learning for cyber security applications. In: 2017 International joint conference on neural networks (IJCNN), pp.\u00a03854\u20133861. IEEE","DOI":"10.1109\/IJCNN.2017.7966342"},{"issue":"17","key":"508_CR46","doi-asserted-by":"publisher","first-page":"3015","DOI":"10.1002\/sec.1228","volume":"8","author":"M Zakeri","year":"2015","unstructured":"Zakeri M, Faraji Daneshgar F, Abbaspour M (2015) A static heuristic approach to detecting malware targets. Secur Commun Netw 8(17):3015\u20133027","journal-title":"Secur Commun Netw"},{"issue":"1","key":"508_CR47","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1186\/s42400-018-0005-8","volume":"1","author":"J Zhang","year":"2018","unstructured":"Zhang J, Zhang K, Qin Z, Yin H, Wu Q (2018) Sensitive system calls based packed malware variants detection using principal component initialized multilayers neural networks. Cybersecurity 1(1):1\u201313","journal-title":"Cybersecurity"}],"container-title":["Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-025-00508-9.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1186\/s42400-025-00508-9","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-025-00508-9.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,6,24]],"date-time":"2026-06-24T01:02:27Z","timestamp":1782262947000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1186\/s42400-025-00508-9"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,6,24]]},"references-count":47,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2026,12]]}},"alternative-id":["508"],"URL":"https:\/\/doi.org\/10.1186\/s42400-025-00508-9","relation":{},"ISSN":["2523-3246"],"issn-type":[{"value":"2523-3246","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,6,24]]},"assertion":[{"value":"11 December 2024","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"3 November 2025","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"24 June 2026","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"No potential conflict of interest was reported by the authors.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interest"}}],"article-number":"92"}}