Metamorphic malware detection using Linear Discriminant Analysis and Graph Similarity

Mirzazadeh, Reza; Moattar, Mohammad Hossein; Jahan, Majid Vafaei

doi:10.1109/iccke.2015.7365862

Cited by 13 publications

(13 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The Opcode data set is created by extracting Opcode density histogram during program execution. Mirzazadeh et al (2015) demonstrated how to detect metamorphic malware particularly NGVCK and MWOR using a Linear Discriminant Analysis method. The research framework was based on Opcode Graph Similarity (OGS) of Runwall et al 2015which trimmed lifeless ciphers from the graph.…”

Section: Conclusion and Further Discussionmentioning

confidence: 99%

Effective methods to detect metamorphic malware: a systematic review

Irshad¹,

Al-Khateeb²,

Mansour³

et al. 2018

IJESDF

View full text Add to dashboard Cite

The succeeding code for metamorphic Malware is routinely rewritten to remain stealthy and undetected within infected environments. This characteristic is maintained by means of encryption and decryption methods, obfuscation through garbage code insertion, code transformation and registry modification which makes detection very challenging. The main objective of this study is to contribute an evidence-based narrative demonstrating the effectiveness of recent proposals. Sixteen primary studies were included in this analysis based on a pre-defined protocol. The majority of the reviewed detection methods used Opcode, Control Flow Graph (CFG) and API Call Graph. Key challenges facing the detection of metamorphic malware include code obfuscation, lack of dynamic capabilities to analyse code and application difficulty. Methods were further analysed on the basis of their approach, limitation, empirical evidence and key parameters such as dataset, Detection Rate (DR) and False Positive Rate (FPR).

show abstract

Section: Conclusion and Further Discussionmentioning

confidence: 99%

Effective methods to detect metamorphic malware: a systematic review

Irshad¹,

Al-Khateeb²,

Mansour³

et al. 2018

IJESDF

View full text Add to dashboard Cite

show abstract

“…Next, we adopt a commonly used softmax function 29 to calculate the conditional probability  p o e ( ) in Equation (2). Denoting o and e as the ids of the output and input instructions, our model aims to learn the "center" vector v and the "outside" vector u for each instruction over the training corpus.…”

Section: Instruction Embedding Extractionmentioning

confidence: 99%

Focus : Function clone identification on cross‐platform

Liu

et al. 2021

Int J of Intelligent Sys

View full text Add to dashboard Cite

Automatic identification of function clones on crossplatform aims at determining whether two functions are identical or not without access to the source code, which is a fundamental challenge in vulnerability search, code plagiarism detection, and malware classification. With the rapid development of deep neural network in pro-K E Y W O R D S attention mechanism, binary similarity, graph neural network, program analysis | INTRODUCTIONBinary code similarity detection is a key foundation in maintaining software security, which can be generally applied in searching critical vulnerability 1 and detecting malware, 2 and so forth. Today, with the booming development of billions of Internet of Things (IoT) devices, the similarity analysis of binary code has become even more important than ever, because (1) code reuse is quite common in IoT which spreads a single vulnerability at source code level across thousands or more embedded devices that have diverse hardware architectures and software platforms 3 and (2) a known vulnerability that has been exploited in the past can also cause unprecedented damage and significant revenue losses to our daily life. 4 Worryingly, accurate and efficient analysis of stripped binary code is difficult because debug information such as symbol names, types, and location of commercial off-the-shelf (COTS) binary is unavailable. Besides, compared to binary code similarity detection on single-platform, function identification on cross-platform needs to deal with the binary code differences caused by various architectures, optimization levels, and compilers, which is even more challenging.Traditional binary code similarity detection approaches 5 adopt symbolic execution, constraint solving, or theorem prover to directly check binary code equivalence. However, these methods are inefficient especially when the number of function pairs is large, making them difficult to be utilized in large-scale applications. Graph matching-based methods use program flow diagrams to represent functions and detect similar functions. [6][7][8][9][10][11] These methods are usually inaccurate or their detection performance is limited by the efficiency of graph matching algorithms. 1,12 For instance, Genius 10 takes more than 1 week to construct their proposed codebook for only three software packages and the time complexity is quadratic in the number of training samples and linear in the cost of the bipartite graph matching algorithm.Recently, with the rapid development of deep learning and graph neural network (GNN), 13,14 graph matching and classification problems such as social network graph analytics 15 and chemical formula matching 13 can be solved well by transforming a representative graph to an embedding.

show abstract

“…Graph based techniques are popular when dealing with the metamorphic malware characterization as they reflect the intricate resemblance between the malware family members. To capitalize this idea, an op-code based similarity between the graphs of metamorphic malware variants has been proposed by Reza et al [143]. The uniqueness of the proposed technique is attributed towards the use of Linear Discriminant Analysis (LDA) to determine discriminatory malware indicators which in this case are distinct edges that can linearly separate two classes while the rest of the redundant edges are removed.…”

Section: Recent Research Status In Mutating Malware Characterizationmentioning

confidence: 99%

A Cognitive and Concurrent Cyber Kill Chain Model

Khan

Siddiqui

Ferens

2017

Computer and Network Security Essentials

View full text Add to dashboard Cite

The challenges of cyber security have outpaced the advantages of cyber tools and technologies. In 2018, World Economic Forum has already placed cyber security in the top five risks faced by the world. Cyber threats are evolving and can cripple economies and nations. The major tools of cyber threats are anonymity, deception and uncertainty. Current state of the art research is also evolving into addressing these challenges by applying new and proactive threat hunting approaches instead of doing reactive cyber defense, which is proving futile. Malware is an indispensable tool of cyber threat actors to accomplish malicious activities i.e. exfiltration, espionage and disruption. Using advanced obfuscation and mutation methods, malware adversaries are able to remain ahead of cyber defenders. Most malware detection technologies are based on finding a-priori known signatures of malware payload or known patterns of malware behavior. This dissertation addresses the challenge of hunting unknown behaviorally mutated malware inside a host computer by proposing a proof of concept framework named Malvidence for characterizing malware behavior within a host operating system process tree using cognitive machine intelligence. Using Malvidence framework, tools and techniques can be derived for variety of cyber security methods for threat detection. Cognitive Computing is a promising domain of machine intelligence which explores and develops new tools to incorporate human cognitive characteristics so that the performance of existing domain of artificial intelligence and machine learning can be improved. Therefore, cognitive complexity based fractal analysis is demonstrated and a methodology of extracting inherent but hidden patterns of malware dynamics using a temporal graph theoretical approach is proposed. Further, a set of graph theoretical features is analyzed and proposed for an effective characterization of malware behavior which can be subsequently used for malware hunting and detection. In addition, the proposed features are tested for their mathematical validity. Finally, using proposed cognitive complexity analysis, characterization performance of an unsupervised clustering algorithm is provided to demonstrate the validity of Malvidence framework.

show abstract

Metamorphic malware detection using Linear Discriminant Analysis and Graph Similarity

Cited by 13 publications

References 19 publications

Effective methods to detect metamorphic malware: a systematic review

Effective methods to detect metamorphic malware: a systematic review

Focus : Function clone identification on cross‐platform

A Cognitive and Concurrent Cyber Kill Chain Model

Contact Info

Product

Resources

About