Simple substitution distance and metamorphic detection

Shanmugam, Gayathri; Low, Richard M.; Stamp, Mark

doi:10.1007/s11416-013-0184-5

Cited by 55 publications

(27 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

Section: Introductionmentioning

confidence: 99%

“…However, these techniques require separate environment to analyze malware in order to be able to be detected. At the same time, the requirement of binary code disassembly in opcode-based methods [3][4][5] is not suitable for timely metamorphic detection on host-level intrusion detection systems.We propose metamorphic malware detection based on static analysis of metamorphic malware binaries without disassembly. Features are extracted from binary, which can be in the form of packets payload in network detection system or files in host based detection system using n-gram feature extraction and machine learning SVM classification.…”

mentioning

confidence: 99%

“…However, the inability to detect metamorphic malware or previously unseen malware without known signatures is the main limitation of signature-matching methods [5,8]. Metamorphic malware is a type of advanced mutating malwares that change their structure in each mutation.…”

mentioning

confidence: 99%

See 2 more Smart Citations

Metamorphic Malware Detection Based on Support Vector Machine Classification of Malware Sub-Signatures

et al. 2016

View full text Add to dashboard Cite

Achieving accurate and efficient metamorphic malware detection remains a challenge. Metamorphic malware is able to mutate and alter its code structure in each infection that can circumvent signature matching detection. However, some vital functionalities and code segments remain unchanged between mutations. We exploit these unchanged features by the mean of classification using Support Vector Machine (SVM). N-gram features are extracted directly from malware binaries to avoid disassembly, which these features are then masked with the extracted known malware signature n-grams. These masked features reduce the number of selected n-gram features considerably. Our method is capable to accurately detect metamorphic malware with~99% accuracy and low false positive rate. The proposed method is also superior to commercially available anti-viruses for detecting metamorphic malware. Keyword: SVM classification, Metamorphic, n-gram, SnortCopyright © 2016 Universitas Ahmad Dahlan. All rights reserved. IntroductionMalware is one of security attacks to Internet users as it breaches computer security and data confidentiality, which are categorized into general (non-mutable) and mutable types. Antivirus softwares rely on signature-based detection as the primary detection mechanism. Mutatable malware such as packing, polymorphic, and metamorphic make the detection based on signature matching difficult. Metamorphic malwares mutate and change their codes structure and signatures in each infection that is difficult to detect [1]. Lately, several host-based dynamical analysis techniques were proposed for metamorphic malware detection [2]. However, these techniques require separate environment to analyze malware in order to be able to be detected. At the same time, the requirement of binary code disassembly in opcode-based methods [3][4][5] is not suitable for timely metamorphic detection on host-level intrusion detection systems.We propose metamorphic malware detection based on static analysis of metamorphic malware binaries without disassembly. Features are extracted from binary, which can be in the form of packets payload in network detection system or files in host based detection system using n-gram feature extraction and machine learning SVM classification. Besides, extracted ngram features are masked with known malware signature n-grams to represent only informative malware features. This technique can reduce the n-gram search space. This paper is organized as follows. Section 2 provides a critical review on relevant literatures. The methodology for metamorphic malware detection in network and host-based IDS are described in Section 3. Section 4 highlights the experimental setup, datasets, and evaluation criteria. The data analysis and comparison with commercial anti-virus software are presented in Section 5. Section 6 concludes the research findings, and contributions of the paper.

show abstract

Section: Introductionmentioning

confidence: 99%

mentioning

confidence: 99%

See 1 more Smart Citation

Metamorphic Malware Detection Based on Support Vector Machine Classification of Malware Sub-Signatures

et al. 2016

View full text Add to dashboard Cite

show abstract

“…In Jakobsen's algorithm, the score gives the degree to which the putative plaintext matches the plaintext language statistics. The score given by Simple Substitution Distance method can be viewed as a measure of the distance between the opcode sequence of a given file and the opcode statistics of a metamorphic family [23].…”

Section: Simple Substitution Distancementioning

confidence: 99%

Hunting for metamorphic JavaScript malware

Musale

Austin

Stamp

2014

J Comput Virol Hack Tech

Self Cite

View full text Add to dashboard Cite

Hunting For Metamorphic JavaScript Malware by Mangesh MusaleInternet plays a major role in the propagation of malware. A recent trend is the infection of machines through web pages, often due to malicious code inserted in JavaScript. From the malware writer's perspective, one potential advantage of JavaScript is that powerful code obfuscation techniques can be applied to evade detection. In this research, we analyze metamorphic JavaScript malware. We compare the effectiveness of several static detection strategies and we quantify the degree of morphing required to defeat each of these techniques. ACKNOWLEDGMENTS

show abstract

“…The techniques we analyze in this paper were inspired by previous research on metamorphic virus detection [13,16,26,27,44]. Metamorphic malware changes its internal structure at each infection, while maintaining its essential function.…”

mentioning

confidence: 99%

Hunting for Pirated Software Using Metamorphic Analysis

Rana

Stamp

2014

Information Security Journal: A Global Perspective

Self Cite

View full text Add to dashboard Cite

Hunting for Pirated Software Using Metamorphic Analysis by Hardikkumar RanaIn this paper, we consider the problem of detecting software that has been pirated and modified. We analyze a variety of detection techniques that have been previously studied in the context of malware detection. For each technique, we empirically determine the detection rate as a function of the degree of modification of the original code. We show that the code must be greatly modified before we fail to reliably distinguish it, and we show that our results offer a significant improvement over previous related work. Our approach can be applied retroactively to any existing software and hence, it is both practical and effective.

show abstract

Simple substitution distance and metamorphic detection

Cited by 55 publications

References 16 publications

Metamorphic Malware Detection Based on Support Vector Machine Classification of Malware Sub-Signatures

Metamorphic Malware Detection Based on Support Vector Machine Classification of Malware Sub-Signatures

Hunting for metamorphic JavaScript malware

Hunting for Pirated Software Using Metamorphic Analysis

Contact Info

Product

Resources

About