Metamorphic malware detection using base malware identification approach

Mahawer, Devendra Kumar; Nagaraju, A.

doi:10.1002/sec.869

Cited by 8 publications

(17 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Earlier studies on metamorphic detection [3][4][5]14] mostly employed opcode-based feature extraction, which is applicable only in host-based detection because of the disassembly requirement. The proposed method overcomes it by extracting the features directly from binaries.…”

Section: Proposed Methods For Metamorphic Malware Detectionmentioning

confidence: 99%

“…Some features in old metamorphic malware are kept unchanged in the mutated malware, as malware writers reuse old code segments [1]. Complete mutation of a metamorphic malware is deemed impossible due to the need to keep the same functionality [14]. Most versions of the same malware share a combination of several unchanged code segments [16].…”

Section: Proposed Methods For Metamorphic Malware Detectionmentioning

confidence: 99%

“…The learning algorithm trains the SVM classifier to predict if a new file is malware or non-malware. Moreover, the SVM kernal methods can map the features into higher dimensional space by converting nonlinear features into linear ones [14]. Compared to other ML techniques, SVM has been reported to provide the highest malware attack detection accuracy [20].…”

Section: Issn: 1693-6930mentioning

confidence: 99%

“…Generally, static metamorphic malware detection uses opcodes or opcode n-grams as extracted features for different detection techniques such as ML and statistical analysis [3][4][5]14]. Lately, control flow based method such as by Alam et al [1] statistically analyzed the performance of host-based metamorphic malware detection.…”

mentioning

confidence: 99%

See 3 more Smart Citations

Metamorphic Malware Detection Based on Support Vector Machine Classification of Malware Sub-Signatures

et al. 2016

View full text Add to dashboard Cite

Achieving accurate and efficient metamorphic malware detection remains a challenge. Metamorphic malware is able to mutate and alter its code structure in each infection that can circumvent signature matching detection. However, some vital functionalities and code segments remain unchanged between mutations. We exploit these unchanged features by the mean of classification using Support Vector Machine (SVM). N-gram features are extracted directly from malware binaries to avoid disassembly, which these features are then masked with the extracted known malware signature n-grams. These masked features reduce the number of selected n-gram features considerably. Our method is capable to accurately detect metamorphic malware with~99% accuracy and low false positive rate. The proposed method is also superior to commercially available anti-viruses for detecting metamorphic malware. Keyword: SVM classification, Metamorphic, n-gram, SnortCopyright © 2016 Universitas Ahmad Dahlan. All rights reserved. IntroductionMalware is one of security attacks to Internet users as it breaches computer security and data confidentiality, which are categorized into general (non-mutable) and mutable types. Antivirus softwares rely on signature-based detection as the primary detection mechanism. Mutatable malware such as packing, polymorphic, and metamorphic make the detection based on signature matching difficult. Metamorphic malwares mutate and change their codes structure and signatures in each infection that is difficult to detect [1]. Lately, several host-based dynamical analysis techniques were proposed for metamorphic malware detection [2]. However, these techniques require separate environment to analyze malware in order to be able to be detected. At the same time, the requirement of binary code disassembly in opcode-based methods [3][4][5] is not suitable for timely metamorphic detection on host-level intrusion detection systems.We propose metamorphic malware detection based on static analysis of metamorphic malware binaries without disassembly. Features are extracted from binary, which can be in the form of packets payload in network detection system or files in host based detection system using n-gram feature extraction and machine learning SVM classification. Besides, extracted ngram features are masked with known malware signature n-grams to represent only informative malware features. This technique can reduce the n-gram search space. This paper is organized as follows. Section 2 provides a critical review on relevant literatures. The methodology for metamorphic malware detection in network and host-based IDS are described in Section 3. Section 4 highlights the experimental setup, datasets, and evaluation criteria. The data analysis and comparison with commercial anti-virus software are presented in Section 5. Section 6 concludes the research findings, and contributions of the paper.

show abstract

Section: Proposed Methods For Metamorphic Malware Detectionmentioning

confidence: 99%

Section: Proposed Methods For Metamorphic Malware Detectionmentioning

confidence: 99%

Section: Issn: 1693-6930mentioning

confidence: 99%

mentioning

confidence: 99%

See 2 more Smart Citations

Metamorphic Malware Detection Based on Support Vector Machine Classification of Malware Sub-Signatures

et al. 2016

View full text Add to dashboard Cite

show abstract

“…However, processing overhead (Carrillo and Lipman, 1988;Santos et al, 2013) and compiler optimisation (Alam et al, 2014a) are examples of challenges to be addressed when Opcode detection is utilised. Further, Opcode distribution has weakness against obfuscation techniques (Mahawer and Nagaraju, 2013;Alam et al, 2014a), and it cannot be used to detect unknown malware (Rezaei et al, 2014a). Vinod et al (2012) used Opcode sequences to calculate the similarity among malware executable files.…”

Section: A Operational Code (Opcode)mentioning

confidence: 99%

Effective methods to detect metamorphic malware: a systematic review

Irshad¹,

Al-Khateeb²,

Mansour³

et al. 2018

IJESDF

View full text Add to dashboard Cite

The succeeding code for metamorphic Malware is routinely rewritten to remain stealthy and undetected within infected environments. This characteristic is maintained by means of encryption and decryption methods, obfuscation through garbage code insertion, code transformation and registry modification which makes detection very challenging. The main objective of this study is to contribute an evidence-based narrative demonstrating the effectiveness of recent proposals. Sixteen primary studies were included in this analysis based on a pre-defined protocol. The majority of the reviewed detection methods used Opcode, Control Flow Graph (CFG) and API Call Graph. Key challenges facing the detection of metamorphic malware include code obfuscation, lack of dynamic capabilities to analyse code and application difficulty. Methods were further analysed on the basis of their approach, limitation, empirical evidence and key parameters such as dataset, Detection Rate (DR) and False Positive Rate (FPR).

show abstract