Metamorphic Malware Detection Research Articles

Optimizing the detection of Metamorphic Malwares using ensemble learning technique

Optimizing the detection of Metamorphic Malwares using ensemble learning technique

Bespoke Sequence of Transformations for an Enhanced Entropic Wavelet Energy Spectrum Discernment for Higher Efficacy Detection of Metamorphic Malware

Bespoke Sequence of Transformations for an Enhanced Entropic Wavelet Energy Spectrum Discernment for Higher Efficacy Detection of Metamorphic Malware

Metamorphic malware detection using structural features and nonnegative matrix factorization with hidden markov model

Metamorphic malware modifies its code structure using a morphing engine to evade traditional signature-based detection. Previous research has shown the use of opcode instructions as feature representation with Hidden Markov Model in the context of metamorphic malware detection. However, it would be more feasible to extract a file feature at fine-grained level. In this paper, we propose a novel detection approach by generating structural features through computing a stream of byte chunks using compression ratio, entropy, Jaccard similarity coefficient and Chi-square statistic test. Nonnegative Matrix Factorization is also considered to reduce the feature dimensions. We then use the coefficient vectors from the reduced space to train Hidden Markov Model. Experimental results show there is different performance between malware detection and classification among the proposed structural features.

Structural features with nonnegative matrix factorization for metamorphic malware detection

Metamorphic malware is well known for evading signature-based detection by exploiting various code obfuscation techniques. Current metamorphic malware detection approaches require some prior knowledge during feature engineering stage to extract patterns and behaviors from malware. In this paper, we attempt to complement and extend previous techniques by proposing a metamorphic malware detection approach based on structure analysis by using information theoretic measures and statistical metrics with machine learning model. In particular, compression ratio, entropy, Jaccard coefficient and Chi-square tests are used as feature representations to reveal the byte information existing in malware binary file. Furthermore, by using Nonnegative Matrix Factorization, feature dimension can be reduced. The experimental results show the Jaccard coefficient on hexadecimal byte as feature representation is effective for Windows metamorphic malware detection with an accuracy rate and F-score as high as 0.9972 and 0.9958, respectively. Whereas for Linux morphed malware detection, the Chi-square statistic test shows as effective feature representation with an accuracy rate and F-score as high as 0.9878 and 0.9901, respectively. Overall, the proposed feature representations and the technique of dimension reduction can be useful for detecting metamorphic malware.

Nonnegative matrix factorization and metamorphic malware detection

Metamorphic malware change their internal code structure by adopting code obfuscation technique while maintaining their malicious functionality during each infection. This causes change of their signature pattern across each infection and makes signature based detection particularly difficult. In this paper, through static analysis, we use similarity score from matrix factorization technique called Nonnegative Matrix Factorization for detecting challenging metamorphic malware. We apply this technique using structural compression ratio and entropy features and compare our results with previous eigenvector-based techniques. Experimental results from three malware datasets show this is a promising technique as the accuracy detection is more than 95%.

Experiments with automatic software piracy detection utilising machine-learning classifiers for micro-signatures

ABSTRACTSoftware piracy has been known as unauthorised reconstruction or illegal redistribution of a licenced software. Detecting pirated from base software is a major concern since pirated software can lead to significant financial losses as well as serious security vulnerabilities. To detect software piracy, we have recently proposed Metamorphic Analysis for Automatic Software Piracy Detection (MetaSPD) with a proof-of-concept evaluation. The core idea of MetaSPD was inspired from metamorphic malware detection due to its similarity of software piracy detection. MetaSPD works primarily based on mining the opcode graph of the base software to extract micro-signatures. Then, it leverages a classifier model to decide whether a given suspicious file is a pirated version of the base software. This paper extends our prior work in several respects. First, we present a retrospective appraisal of the main literature aiming at laying bare the status quo of software piracy detection and arguments on the current problems of the field to motivate our work. We then elaborate on MetaSPD itself and the constituent components. We provide two extensive experiments to evident the effectiveness of MetaSPD. The experiments have been carried out on two different datasets. Each dataset comprises 1300 morphed variants of the respective base software that act as pirated versions of that software. We conducted our experiments using three different classifiers. The paper is also enriched with a detailed discussion of the different properties and concerns of MetaSPD. The results corroborate that an attacker, who is using a pirated version of the given software, can hardly hide illegal usage of the software even by applying superabundant obfuscations to the code.

Improving the detection of metamorphic malware through data dependency graphs indexing

Metamorphism have been successfully used in original malicious code to the creation and proliferation of new malware instances, making them harder to detect. This work presents an approach that identifies metamorphic malware through data dependency graphs comparison. Features are extracted on data dependency graphs to build an index that is used to determine which malware family a suspicious code belongs to. Experimental results on 3045 samples of metamorphic malware showed that our proposed approach obtained accuracy rate higher than most commercial anti-malware tools.

G3MD: Mining frequent opcode sub-graphs for metamorphic malware detection of existing families

Attackers leverage various obfuscation techniques to create a metamorphic malware that can evade from detection by anti-malwares. To defeat, we propose Graph Mining for Metamorphic Malware Detection (G3MD), an intelligent system for static detection of metamorphic malwares. G3MD demonstrates one of the many aspects of what the current generation of machine-learning techniques and expert systems can do. It extends what is known about practical application of machine-learning techniques in the field of information security. It is intended to alleviate the burden of human experts and underlying costs. The novelty of G3MD is to apply graph mining on the opcode graphs of a metamorphic family of malwares to extract the frequent sub-graphs, so called micro-signatures. Based on these sub-graphs, a classifier is trained to distinguish between a benign file and a metamorphic malware. We conducted experiments on four families of metamorphic malwares common in previous studies, namely Next Generation Virus Generation Kit (NGVCK), Second Generation Virus Generator (G2), and Mass Produced Code Generation Kit (MPCGEN) viruses and Metamorphic Worm (MWOR) worms. The precision (over 99% in most cases) of metamorphic malware detection by the proposed approach corroborates its effectiveness over other existing approaches.

Effective methods to detect metamorphic malware: a systematic review

The succeeding code for metamorphic malware is routinely rewritten to remain stealthy and undetected within infected environments. This characteristic is maintained by means of encryption and decryption methods, obfuscation through garbage code insertion, code transformation and registry modification which makes detection very challenging. The main objective of this study is to contribute an evidence-based narrative demonstrating the effectiveness of recent proposals. 16 primary studies were included in this analysis based on a pre-defined protocol. The majority of the reviewed detection methods used Opcode, control flow graph (CFG) and API call graph. Key challenges facing the detection of metamorphic malware include code obfuscation, lack of dynamic capabilities to analyse code and application difficulty. Methods were further analysed on the basis of their approach, limitation, empirical evidence and key parameters such as dataset, detection rate (DR) and false positive rate (FPR).

Effective methods to detect metamorphic malware: a systematic review

The succeeding code for metamorphic malware is routinely rewritten to remain stealthy and undetected within infected environments. This characteristic is maintained by means of encryption and decryption methods, obfuscation through garbage code insertion, code transformation and registry modification which makes detection very challenging. The main objective of this study is to contribute an evidence-based narrative demonstrating the effectiveness of recent proposals. 16 primary studies were included in this analysis based on a pre-defined protocol. The majority of the reviewed detection methods used Opcode, control flow graph (CFG) and API call graph. Key challenges facing the detection of metamorphic malware include code obfuscation, lack of dynamic capabilities to analyse code and application difficulty. Methods were further analysed on the basis of their approach, limitation, empirical evidence and key parameters such as dataset, detection rate (DR) and false positive rate (FPR).

Metamorphic Malware Detection Based on Support Vector Machine Classification of Malware Sub-Signatures

Achieving accurate and efficient metamorphic malware detection remains a challenge. Metamorphic malware is able to mutate and alter its code structure in each infection, with some vital functionality and codesegment remain unchanged. We exploit these unchanged features for detecting metamorphic malware detection using Support Vector Machine(SVM) classifier. n-gram features are extracted directly from sample malware binaries to avoid disassembly, which are then masked with the extracted Snort signature n-grams. These masked features reduce considerably the number of selected n-gram features. Our method is capable to accurately detect metamorphic malware with ~99 % accuracy and low false positive rate. The proposed method is also superior than commercially available anti-viruses in detecting metamorphic malware.

Metamorphic malware detection using opcode frequency rate and decision tree

Malware is defined as any type of malicious code that is the potent to harm a computer or a network. Modern malwares are accompanied with mutation characteristics, namely polymorphism and metamorphism. They let malwares to generate enormous number of variants. Rising number of metamorphic malwares entails hardship in analyzing them for signature extraction and database updates. In spite of the broad use of signature-based methods in the security products, they are not able detect the new unseen morphs of malware, and it is stemmed from changing the structure of malware as well as the signature in each infection. In this paper, a novel method is proposed in which the proportion of opcodes is used for detecting the new morphs. Decision trees are utilized for classification and detection of malware variants based on the rate of opcode frequencies. Three metrics for evaluating the proposed method are speed, efficiency and accuracy. It was observed in the course of experiments that speed and time complexity will not be challenging factors; because of the fast nature of extracting the frequencies of opcodes from source assembly file. Empirical validation reveals that the proposed method outperforms the entire commercial antivirus programs with a high level of efficiency and accuracy.

Detection of Metamorphic Malware based on HMM: A Hierarchical Approach

Recent research have depicted that hidden Markov model (HMM) is a persuasive option for malware detection. However, some advanced metamorphic malware are able to overcome the traditional methods based on HMMs. This proposed approach provides a two-layer technique to overcome these challenges. Malware contain various sequences of opcodes some of which are more important and help detect the malware and the rest cause interference. The important sequences of opcodes are extracted by eliminating partial sequences due to the fact that partial sequences of opcodes have more similarities to benign files. In this method, the sliding window technique is used to extract the sequences. In this paper, HMMs are trained using the important sequences of opcodes that will lead to better results. In comparison to previous methods, the results demonstrate that the proposed method is more accurate in metamorphic malware detection and shows higher speed at classification.

Control Flow Graph Based Multiclass Malware Detection Using Bi-normal Separation

<p>Control flow graphs (CFG) and OpCodes extracted from disassembled executable files are widely used for malware detection. Most of the research in static analysis is focused on binary class malware detection which only classifies an executable as benign or malware. To overcome this issue, CFG based multiclass malware detection system that automatically classifies the malware into their respective families is proposed. The use Bi-normal separation (BNS) as a feature scoring metric. Experimental results show that proposed method using BNS outperforms compared to hitherto use technique of document Frequency for multiclass metamorphic malware detection and achieves detection accuracy of 99.5 per cent.</p><p> </p>

Annotated Control Flow Graph for Metamorphic Malware Detection

Metamorphism is a technique that mutates the binary code using different obfuscations and never keeps the same sequence of opcodes in the memory. This stealth technique provides the capability to a malware for evading detection by simple signature-based (such as instruction sequences, byte sequences and string signatures) anti-malware programs. In this paper, we present a new scheme named Annotated Control Flow Graph (ACFG) to efficiently detect such kinds of malware. ACFG is built by annotating CFG of a binary program and is used for graph and pattern matching to analyse and detect metamorphic malware. We also optimize the runtime of malware detection through parallelization and ACFG reduction, maintaining the same accuracy (without ACFG reduction) for malware detection. ACFG proposed in this paper: (i) captures the control flow semantics of a program; (ii) provides a faster matching of ACFGs and can handle malware with smaller CFGs, compared with other such techniques, without compromising the accuracy; (iii) contains more information and hence provides more accuracy than a CFG. Experimental evaluation of the proposed scheme using an existing dataset yields malware detection rate of 98.9% and false positive rate of 4.5%.

Sliding window and control flow weight for metamorphic malware detection

The latest stealth techniques, such as metamorphism, allow malware to evade detection by today’s signature-based anti-malware programs. Current techniques for detecting malware are compute intensive and unsuitable for real-time detection. Techniques based on opcode patterns have the potential to be used for real-time malware detection, but have the following issues: (1) The frequencies of opcodes can change by using different compilers, compiler optimizations and operating systems. (2) Obfuscations introduced by polymorphic and metamorphic malware can change the opcode distributions. (3) Selecting too many features (patterns) results in a high detection rate but also increases the runtime and vice versa. In this paper we present a novel technique named SWOD-CFWeight (Sliding Window of Difference and Control Flow Weight) that helps mitigate these effects and provides a solution to these problems. The SWOD size can be changed; this property gives anti-malware tool developers the ability to select appropriate parameters to further optimize malware detection. The CFWeight feature captures control flow information to an extent that helps detect metamorphic malware in real-time. Experimental evaluation of the proposed scheme using an existing dataset yields a malware detection rate of 99.08 % and a false positive rate of 0.93 %.

Singular value decomposition and metamorphic detection

Metamorphic malware changes its internal structure with each infection, while maintaining its original functionality. Such malware can be difficult to detect, particularly using static analysis, since there may be no common signature across infections. In this paper, we apply a score based on Singular Value Decomposition (SVD) to the challenging problem of metamorphic detection. SVD, which can be viewed as a specific implementation of Principal Component Analysis, is a linear algebraic technique that is applicable to the wide range of problems where eigenvector analysis is useful. Previous research has shown that an eigenvector-based score derived from the facial recognition problem yields good results when applied to metamorphic malware detection. In this paper, we reconsider these previous results in the context of SVD, and we outline a strategy to defeat such a detection scheme.

Evolution and Detection of Polymorphic and Metamorphic Malwares: A Survey

Malwares are big threat to digital world and evolving with high complexity. It can penetrate networks, steal confidential information from computers, bring down servers and can cripple infrastructures etc. To combat the threat/attacks from the malwares, anti- malwares have been developed. The existing anti-malwares are mostly based on the assumption that the malware structure does not changes appreciably. But the recent advancement in second generation malwares can create variants and hence posed a challenge to anti-malwares developers. To combat the threat/attacks from the second generation malwares with low false alarm we present our survey on malwares and its detection techniques.

Metamorphic malware detection using base malware identification approach

ABSTRACTMalware is a malicious program that is intentionally developed to harm computer systems. Because the metamorphic malwares are advanced in nature, they mutate their code in each generation by employing code obfuscation techniques to thwart detection. Conventional scanners even fail to detect all variants of such malware. In the view of metamorphic malware detection, we have proposed the concept of machine learning approach like support vector machine with histogram intersection kernel. It has been successfully implemented in the area of image classification, bioinformatics (protein classification and cancer classification). This method provides more accuracy in terms of detection rate to build the effective detection system for metamorphic malwares. In the proposed method, we first extract feature histograms from each portable executable file and map them into the feature space using a histogram intersection kernel. The histogram intersection kernel helps us to find the optimal hyperplane for separating the metamorphic variants from benign programs in a feature space of very high dimension. The results show that our proposed method is capable of detecting metamorphic variants with few false alarms or misses. Copyright © 2013 John Wiley & Sons, Ltd.

Opcode graph similarity and metamorphic detection

In this paper, we consider a method for computing the similarity of executable files, based on opcode graphs. We apply this technique to the challenging problem of metamorphic malware detection and compare the results to previous work based on hidden Markov models. In addition, we analyze the effect of various morphing techniques on the success of our proposed opcode graph-based detection scheme.