
Profile hidden Markov models and metamorphic virus detection

  • Original Paper
Journal in Computer Virology

Abstract

Metamorphic computer viruses “mutate” by changing their internal structure and, consequently, different instances of the same virus may not exhibit a common signature. With the advent of construction kits, it is easy to generate metamorphic strains of a given virus. In contrast to standard hidden Markov models (HMMs), profile hidden Markov models (PHMMs) explicitly account for positional information. In principle, this positional information could yield stronger models for virus detection. However, many practical difficulties arise when using PHMMs, as compared to standard HMMs. PHMMs are widely used in bioinformatics; for example, they are the most effective tool yet developed for finding family-related DNA sequences. In this paper, we consider the utility of PHMMs for detecting metamorphic virus variants generated from virus construction kits. A PHMM is generated for each construction kit under consideration, and the resulting models are used to score virus and non-virus files. Our results are encouraging, but several problems must be resolved for the technique to be truly practical.
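The abstract describes the pipeline only at a high level. What follows is an added illustration, written for this page and not code from Attaluri, McGhee and Stamp or from any tool they used, of the core mechanics: a profile HMM with match, insert and delete states is estimated from a multiple alignment of opcode sequences taken from one construction kit, and a new opcode sequence is then scored with the forward algorithm as a log-odds ratio against a null (background) model. The alignment of four kit variants, the opcode alphabet, the pseudocount of 1, the 0.5 threshold for declaring a column a match state, and the floor of -5 for opcodes never seen in training are all assumptions of the example; producing the alignment in the first place is left out.

```python
# Toy profile HMM over opcode mnemonics, estimated from a multiple alignment of variants
# from one construction kit.  Added illustration; not code from Attaluri, McGhee and Stamp.
import math
from collections import Counter, defaultdict

NEG_INF = float("-inf")
UNKNOWN_LOG_ODDS = -5.0  # floor for opcodes never seen in training (assumption of this example)

def logsumexp(values):
    m = max(values)
    return NEG_INF if m == NEG_INF else m + math.log(sum(math.exp(v - m) for v in values))

class ProfileHMM:
    """Match (M), insert (I) and delete (D) states per alignment column, as in Durbin et al."""

    def __init__(self, alignment, pseudo=1.0, match_threshold=0.5):
        nseq, ncol = len(alignment), len(alignment[0])
        self.alphabet = sorted({s for row in alignment for s in row if s != "-"})
        # Columns where enough sequences carry an opcode become match states; the rest are inserts.
        self.match_cols = [c for c in range(ncol)
                           if sum(row[c] != "-" for row in alignment) / nseq >= match_threshold]
        self.L = len(self.match_cols)
        match_set = set(self.match_cols)
        # Null model: opcode frequencies over the whole alignment.
        bg = Counter(s for row in alignment for s in row if s != "-")
        total = sum(bg.values()) + pseudo * len(self.alphabet)
        self.log_bg = {a: math.log((bg[a] + pseudo) / total) for a in self.alphabet}
        # Trace each aligned sequence through the state machine; count emissions and transitions.
        emit, trans = defaultdict(Counter), defaultdict(Counter)
        for row in alignment:
            prev, j = ("M", 0), 0                      # ("M", 0) is the begin state
            for c, sym in enumerate(row):
                if c in match_set:
                    j += 1
                    cur = ("M", j) if sym != "-" else ("D", j)
                    if sym != "-":
                        emit[j][sym] += 1
                elif sym != "-":
                    cur = ("I", j)
                else:
                    continue                           # gap in an insert column: no state visited
                trans[prev][cur] += 1
                prev = cur
            trans[prev][("M", self.L + 1)] += 1        # ("M", L+1) is the end state
        # Per-position match emissions (the positional information a plain HMM lacks);
        # insert states emit from the null model, so their log-odds emission is 0.
        self.log_emit = {}
        for j in range(1, self.L + 1):
            tot = sum(emit[j].values()) + pseudo * len(self.alphabet)
            self.log_emit[j] = {a: math.log((emit[j][a] + pseudo) / tot) for a in self.alphabet}
        # Transitions, with pseudocounts spread over each state's legal successors.
        self.log_trans = {}
        for j in range(self.L + 1):
            for kind in "MID":
                if kind == "D" and j == 0:
                    continue
                succ = [("M", j + 1), ("I", j)] + ([("D", j + 1)] if j < self.L else [])
                tot = sum(trans[(kind, j)][s] for s in succ) + pseudo * len(succ)
                for s in succ:
                    self.log_trans[((kind, j), s)] = math.log((trans[(kind, j)][s] + pseudo) / tot)

    def _e(self, j, sym):  # match-state emission log-odds against the null model
        if sym not in self.log_emit[j]:
            return UNKNOWN_LOG_ODDS
        return self.log_emit[j][sym] - self.log_bg[sym]

    def log_odds(self, seq):
        """Forward algorithm: log P(seq | PHMM) - log P(seq | null model)."""
        n, L = len(seq), self.L
        f = {k: [[NEG_INF] * (n + 1) for _ in range(L + 1)] for k in "MID"}
        f["M"][0][0] = 0.0
        def reach(dst, src_j, pos):  # sum over the M/I/D predecessors at (src_j, pos) into dst
            return logsumexp([f[k][src_j][pos] + self.log_trans.get(((k, src_j), dst), NEG_INF)
                              for k in "MID"])
        for i in range(n + 1):
            for j in range(L + 1):
                if j > 0 and i > 0:
                    f["M"][j][i] = self._e(j, seq[i - 1]) + reach(("M", j), j - 1, i - 1)
                if i > 0:
                    f["I"][j][i] = reach(("I", j), j, i - 1)
                if j > 0:
                    f["D"][j][i] = reach(("D", j), j - 1, i)
        return reach(("M", L + 1), L, n)

# Constructed alignment of four hypothetical kit variants ("-" = gap).  Only one variant
# each has an opcode in columns 3 and 4, so those columns become insert states.
KIT_ALIGNMENT = [
    ["mov", "push", "call", "-",   "-",    "pop", "ret"],
    ["mov", "push", "call", "nop", "-",    "pop", "ret"],
    ["mov", "-",    "call", "-",   "xchg", "pop", "ret"],
    ["mov", "push", "call", "-",   "-",    "-",   "ret"],
]
VARIANT = ["mov", "push", "call", "nop", "pop", "ret"]  # unseen kit-style variant (constructed)
BENIGN = ["xor", "add", "jmp", "cmp", "jne", "ret"]     # constructed non-virus sequence

if __name__ == "__main__":
    model = ProfileHMM(KIT_ALIGNMENT)
    for name, seq in (("variant", VARIANT), ("benign", BENIGN)):
        print(f"{name}: log-odds {model.log_odds(seq):.2f}")
```

The match-state emissions are estimated per column, so the model expects call at the third position and pop at the fourth; that ordering is the positional information the abstract contrasts with a standard HMM, whose states carry no such index. Scoring a file means extracting its opcode sequence, computing the log-odds, and comparing it with a threshold chosen empirically on held-out virus and benign files. The constructed variant scores positive and the constructed benign sequence scores negative under this model; with one kit-specific model per construction kit, a file is scored against each model in turn.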



Corresponding author

Correspondence to Mark Stamp.


Cite this article

Attaluri, S., McGhee, S. & Stamp, M. Profile hidden Markov models and metamorphic virus detection. J Comput Virol 5, 151–169 (2009). https://doi.org/10.1007/s11416-008-0105-1
