By request, here's a brief live thread on "When Malware is Packin' Heat; Limits of Machine Learning Classifiers Based on Static Analysis Features" ndss-symposium.org/wp-content/upl…
Background: packing is pervasive, and packers are now quite complex. Some have multiple layers of packing, use anti-debugging/emulation, or unpack only small fragments of code at a time.
Machine learning for malware is the new hotness 
Packing is not itself a sign of maliciousness, but there are many false positives
So question of the current paper: is there enough signal left in the binary after packing for ML-based static analysis to work? The authors will use a "wild" dataset (50K executables) and a "lab" dataset (~300K malicious and binaries packed with diff. packers)
Classifier performance depends on how many benign packed samples are present - when you include many benign, it stops assuming packing = malicious
Surprisingly, there is lots of signal left (section names, Rich header, etc)
The authors also tried training on the "lab" dataset and testing on the "wild" dataset. Very poor showing from the ML classifier at this point: FN rate ~42%, FP rate ~7%. Many malware authors using custom packers.
The static features learned are not very robust though. By adding in strings from a benign binary, can achieve very high evasion rates
The code and dataset used for all analyses are available (nice!) github.com/ucsb-seclab/pa…
