MalPEFinder: Fast and retrospective assessment of data breaches in malware attacks

Shun Te Liu, Yi Ming Chen

Research output: Contribution to journalArticlepeer-review

1 Scopus citations


A successful data breach is often caused by malware installed by attackers. In a large-scale computer environment, it is difficult and costly for information technology managers to identify the victims and to assess the scope of the data breach when a malware attack occurs. Therefore, a quick and retrospective mechanism that can find victims is required. One such technology is Search. However, most search techniques are not designed for searching executable files; indeed, they become worse in identifying malware files because of polymorphism and/or metamorphism. In this paper, we propose a portable executable format file search mechanism, called MalPEFinder. Instead of searching malware files, this mechanism searches the malware-related files retrospectively. Based on these files and their ownership, MalPEFinder can locate malware files on a large scale quickly. Furthermore, the possibly breached files also can be identified. A MalPEFinder prototype has been implemented on the hadoop platform in order to perform three functions: (i) searching retrospectively; (ii) protecting evidence against tampering; and (iii) dealing with future data growth. We used 72 malware to evaluate the accuracy and efficiency of our system. The experimental results show that MalPEFinder has a higher detection rate as well as a lower false positive rate than the famous splunk tool.

Original languageEnglish
Pages (from-to)899-915
Number of pages17
JournalSecurity and Communication Networks
Issue number8
StatePublished - Aug 2012


  • Data breach assessment
  • Malware detection
  • Retrospective detection


Dive into the research topics of 'MalPEFinder: Fast and retrospective assessment of data breaches in malware attacks'. Together they form a unique fingerprint.

Cite this