Abstract

Metamorphic viruses are equipped with a morphing engine that transforms the structure of the code in each subsequent generation while retaining the malicious behavior. Commercial anti-virus software based on the signature approach is therefore unable to identify unknown or zero-day variants of such malware. Each metamorphic malware sample has its own unique pattern, since its internal structure changes from generation to generation; detecting these viruses is thus a challenge for researchers working on computer security. The degree of metamorphism in the dataset is estimated by aligning the locations of common opcodes with the Smith–Waterman sequence alignment method; the alignments suggest that no generic pattern representing the malware or benign classes can be extracted, demonstrating the failure of the signature-based approach. The proposed statistical, non-signature-based detector creates two different meta feature spaces, each comprising 25 attributes, for detection. Three categories of opcode features are extracted from each sample: (a) branch opcodes, (b) unigrams and (c) bigrams. Insignificant features are first eliminated using the Naive Bayes approach; the resulting feature space is further reduced using two feature reduction techniques: (1) the Discriminant Feature Variance-based Approach (DFVA) and (2) the Markov Blanket. Learning models are created from the prominent attributes obtained with each dimensionality reduction method. The models that provided the highest accuracy at the minimum feature length were retained, and unseen instances are classified using these optimal models. Finally, two meta feature spaces were generated by ensembling the prominent branch, unigram and bigram opcodes obtained from DFVA and the Markov Blanket. Both feature reduction techniques were found to be equally efficient in detecting the metamorphic malware samples.
The proposed system detected Metamorphic Worm and Next Generation Virus Construction Kit viruses with 100 % accuracy, precision 1.0, recall 1.0 and a promising F1-score of 1.0. The results demonstrate the efficiency of the proposed metamorphic malware detector, and we therefore recommend this approach as an aid to commercial AV scanners.
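The opcode alignment the abstract uses to gauge the degree of metamorphism, as an added example that is not the paper's code: Smith–Waterman local alignment of two constructed opcode sequences (a base sample and a morphed generation), a normalised similarity score, and the unigram/bigram opcode counters from which feature categories (b) and (c) are built. The sequences, the match/mismatch/gap scores and the normalisation are assumptions.

```python
"""Smith-Waterman local alignment over opcode sequences (added example).

Not the paper's code. PARENT/CHILD are constructed to mimic a base sample
and a morphed generation (instruction substitution plus junk insertion);
the scoring scheme is an assumption."""
from collections import Counter

MATCH, MISMATCH, GAP = 2, -1, -1  # assumed scoring parameters

# constructed opcode sequences: xor -> sub substitution, two nop insertions
PARENT = ["push", "mov", "xor", "cmp", "jz", "call", "pop", "ret"]
CHILD = ["push", "mov", "nop", "sub", "cmp", "jz", "nop", "call", "pop", "ret"]

def smith_waterman(a, b):
    """Best local alignment of opcode lists a and b: (score, aligned_a, aligned_b)."""
    n, m = len(a), len(b)
    H = [[0] * (m + 1) for _ in range(n + 1)]
    best, pos = 0, (0, 0)
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            sub = MATCH if a[i - 1] == b[j - 1] else MISMATCH
            H[i][j] = max(0, H[i - 1][j - 1] + sub, H[i - 1][j] + GAP, H[i][j - 1] + GAP)
            if H[i][j] > best:
                best, pos = H[i][j], (i, j)
    # traceback from the highest-scoring cell until the score drops to zero
    i, j = pos
    al_a, al_b = [], []
    while i > 0 and j > 0 and H[i][j] > 0:
        sub = MATCH if a[i - 1] == b[j - 1] else MISMATCH
        if H[i][j] == H[i - 1][j - 1] + sub:
            al_a.append(a[i - 1]); al_b.append(b[j - 1]); i -= 1; j -= 1
        elif H[i][j] == H[i - 1][j] + GAP:
            al_a.append(a[i - 1]); al_b.append("-"); i -= 1
        else:
            al_a.append("-"); al_b.append(b[j - 1]); j -= 1
    return best, al_a[::-1], al_b[::-1]

def similarity(a, b):
    """Alignment score normalised to [0, 1]; 1.0 = identical opcode run,
    low values = common opcodes no longer line up (strong metamorphism)."""
    return smith_waterman(a, b)[0] / (MATCH * min(len(a), len(b)))

def opcode_ngrams(seq, n):
    """Unigram (n=1) / bigram (n=2) opcode counts, feature categories (b) and (c)."""
    return Counter(tuple(seq[k:k + n]) for k in range(len(seq) - n + 1))

if __name__ == "__main__":
    score, aa, ab = smith_waterman(PARENT, CHILD)
    print(score, " ".join(aa), "|", " ".join(ab))
    print(f"similarity={similarity(PARENT, CHILD):.4f}", opcode_ngrams(CHILD, 2).most_common(3))
```

Comparing many generations pairwise and watching the similarity fall toward zero is the signal the abstract describes: the common opcodes stop lining up, so no fixed byte or opcode signature survives across generations.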
