Abstract

Polymorphic malware is currently hard to detect. Such malware is able to mutate into functionally identical variants of itself. There are no known techniques for automatically identifying such polymorphic malware. Even state-of-the-art malware identification systems that use heuristic-based techniques require ongoing analysis and refinement by humans to keep up with new (unknown) malware variants. Initial work investigating string-based approaches for the automatic generation of signatures to identify some or all new polymorphic variants was encouraging. Nevertheless, that initial work was restricted by a number of experimental aspects. The objective of the research addressed here is to examine the effects of using the Needleman-Wunsch and Smith-Waterman algorithms (both enhanced by dynamic programming) in string-based approaches for the automatic identification of signatures for the detection of some or all new polymorphic variants. We show how our proposed syntactic-based technique, using the widely known string-matching Needleman-Wunsch (global alignment) and Smith-Waterman (local alignment) algorithms, can successfully identify the known polymorphic variants of the JS.Cassandra virus and the W32.Kitti virus. This string-matching technique, if generalizable to other viruses, may transform our understanding of polymorphic variant generation and may facilitate a new age of syntactic-based anti-viral approaches.
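
The alignment step named in the abstract, as an added example that is not the paper's own code: Smith-Waterman (local) and Needleman-Wunsch (global) alignment over two token sequences, followed by extraction of the conserved runs as candidate signature fragments. The token sequences, the scoring values and the `conserved_runs` helper are assumptions made for illustration.

```python
def align(a, b, local=True, match=2, mismatch=-1, gap=-2):
    """Smith-Waterman if local, else Needleman-Wunsch. Returns (score, row_a, row_b)."""
    n, m = len(a), len(b)
    H = [[0] * (m + 1) for _ in range(n + 1)]
    if not local:  # global alignment charges for leading gaps
        for i in range(1, n + 1):
            H[i][0] = i * gap
        for j in range(1, m + 1):
            H[0][j] = j * gap
    best, bi, bj = 0, 0, 0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            s = match if a[i - 1] == b[j - 1] else mismatch
            H[i][j] = max(H[i - 1][j - 1] + s, H[i - 1][j] + gap, H[i][j - 1] + gap)
            if local:  # local alignment may restart anywhere, so floor at 0
                H[i][j] = max(H[i][j], 0)
                if H[i][j] > best:
                    best, bi, bj = H[i][j], i, j
    if not local:
        best, bi, bj = H[n][m], n, m
    i, j, row_a, row_b = bi, bj, [], []
    while (i > 0 or j > 0) and not (local and H[i][j] == 0):  # traceback
        s = match if i > 0 and j > 0 and a[i - 1] == b[j - 1] else mismatch
        if i > 0 and j > 0 and H[i][j] == H[i - 1][j - 1] + s:
            row_a.append(a[i - 1]); row_b.append(b[j - 1]); i -= 1; j -= 1
        elif i > 0 and H[i][j] == H[i - 1][j] + gap:
            row_a.append(a[i - 1]); row_b.append(None); i -= 1  # gap in b
        else:
            row_a.append(None); row_b.append(b[j - 1]); j -= 1  # gap in a
    return best, row_a[::-1], row_b[::-1]

def conserved_runs(row_a, row_b, min_len=3):
    """Runs of identical aligned tokens: candidate signature fragments."""
    runs, cur = [], []
    for x, y in list(zip(row_a, row_b)) + [(None, None)]:  # sentinel flushes last run
        if x is not None and x == y:
            cur.append(x)
        else:
            if len(cur) >= min_len:
                runs.append(cur)
            cur = []
    return runs

# Constructed sample: variant B is variant A with filler tokens inserted.
VARIANT_A = "PUSH MOV XOR LOOP CALL RET".split()
VARIANT_B = "NOP PUSH MOV NOP XOR LOOP CALL RET NOP".split()

if __name__ == "__main__":
    score, ra, rb = align(VARIANT_A, VARIANT_B, local=True)
    print(score, conserved_runs(ra, rb))
```

On the sample, local alignment ignores the leading and trailing filler and scores higher than global alignment, which must pay a gap penalty for every inserted token.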
