
Chi-squared distance and metamorphic virus detection

  • Original Paper
  • Journal of Computer Virology and Hacking Techniques

Abstract

Metamorphic malware changes its internal structure with each generation while maintaining its original behavior. Current commercial antivirus software generally scans for known malware signatures and therefore cannot detect metamorphic malware that morphs its internal structure sufficiently. Machine learning methods such as hidden Markov models (HMMs) have shown promise for detecting hacker-produced metamorphic malware. However, previous research has shown that HMM-based detection can be evaded by carefully morphing code with content drawn from benign files. In this paper, we combine HMM detection with a statistical technique based on the chi-squared test to build an improved detection method. We discuss our technique in detail and provide experimental evidence to support our claim of improved detection.
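The chi-squared side of the approach, as an added example that is not code from the paper: an opcode stream is reduced to a mnemonic histogram and compared, with Pearson's chi-squared statistic, against the opcode distribution expected of benign code. The benign profile, the two opcode streams and the decision threshold are constructed for this illustration and are not the paper's data; the morphed sample is deliberately skewed toward `call` so the statistic moves. The p-value is computed from the regularized incomplete Gamma function (where the Gamma function of the paper's footnote enters), implemented with the usual series/continued-fraction split so only the Python standard library is needed.

```python
import math
from collections import Counter

# Expected opcode distribution of the benign class. Constructed for this example;
# in practice it would be estimated from a corpus of benign binaries.
BENIGN_PROFILE = {"mov": 0.50, "push": 0.20, "pop": 0.20, "call": 0.10}

# Constructed opcode streams, i.e. the mnemonic per instruction a disassembler emits.
SAMPLE_BENIGN = ["mov"] * 50 + ["push"] * 20 + ["pop"] * 20 + ["call"] * 10
SAMPLE_MORPHED = ["mov"] * 20 + ["push"] * 20 + ["pop"] * 20 + ["call"] * 40


def opcode_histogram(opcodes):
    """Observed count of each opcode mnemonic in the stream."""
    return Counter(opcodes)


def chi_squared_statistic(observed, profile):
    """Pearson's statistic sum((O - E)^2 / E) between observed opcode counts and
    the counts the profile predicts for the same sample size.
    Returns (statistic, degrees of freedom). The profile must cover every opcode
    seen, otherwise the expected count would be zero and the test undefined."""
    unknown = set(observed) - set(profile)
    if unknown:
        raise ValueError(f"opcodes missing from profile: {sorted(unknown)}")
    n = sum(observed.values())
    if n == 0:
        raise ValueError("empty opcode stream")
    stat = 0.0
    for opcode, p in profile.items():
        expected = n * p
        if expected <= 0.0:
            raise ValueError(f"profile assigns zero probability to {opcode!r}")
        stat += (observed.get(opcode, 0) - expected) ** 2 / expected
    return stat, len(profile) - 1


def _lower_gamma_series(s, x, iters=1000, eps=1e-14):
    """Regularized lower incomplete Gamma P(s, x) by its power series (good for x < s+1)."""
    if x == 0.0:
        return 0.0
    term = total = 1.0 / s
    ap = s
    for _ in range(iters):
        ap += 1.0
        term *= x / ap
        total += term
        if abs(term) < abs(total) * eps:
            break
    return total * math.exp(-x + s * math.log(x) - math.lgamma(s))


def _upper_gamma_cont_frac(s, x, iters=1000, eps=1e-14):
    """Regularized upper incomplete Gamma Q(s, x) by Lentz's continued fraction (x >= s+1)."""
    tiny = 1e-300
    b = x + 1.0 - s
    c = 1.0 / tiny
    d = 1.0 / b
    h = d
    for i in range(1, iters + 1):
        an = -i * (i - s)
        b += 2.0
        d = an * d + b
        if abs(d) < tiny:
            d = tiny
        c = b + an / c
        if abs(c) < tiny:
            c = tiny
        d = 1.0 / d
        delta = d * c
        h *= delta
        if abs(delta - 1.0) < eps:
            break
    return math.exp(-x + s * math.log(x) - math.lgamma(s)) * h


def chi_squared_pvalue(stat, df):
    """P(chi^2_df > stat) = Q(df/2, stat/2), the regularized upper incomplete Gamma."""
    s, x = df / 2.0, stat / 2.0
    if x < s + 1.0:
        return 1.0 - _lower_gamma_series(s, x)
    return _upper_gamma_cont_frac(s, x)


def classify(opcodes, profile, alpha=0.01):
    """Flag a stream whose opcode mix differs from the benign profile at level alpha.
    alpha is an assumed threshold for this example, not a value from the paper."""
    stat, df = chi_squared_statistic(opcode_histogram(opcodes), profile)
    p = chi_squared_pvalue(stat, df)
    return {"statistic": stat, "df": df, "p_value": p,
            "verdict": "benign" if p >= alpha else "suspicious"}


if __name__ == "__main__":
    for name, stream in (("benign", SAMPLE_BENIGN), ("morphed", SAMPLE_MORPHED)):
        print(name, classify(stream, BENIGN_PROFILE))
```

The caveat the abstract hints at applies directly: an attacker who pads the morphed code with opcodes copied from benign files pulls the observed histogram toward the benign profile and drives the statistic down, which is why the paper combines this test with an HMM score rather than relying on it alone.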


Figures 1–10 (not included in this preview)


Notes

  1. The \(\Gamma \) function can be viewed as a generalization of the factorial function; for positive integers \(n\), we have \(\Gamma (n) = (n-1)!\).
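Where this footnote is used, added here for context and not part of the original paper: the Gamma function appears in the chi-squared distribution itself. With \(k\) degrees of freedom (symbols \(k\) and \(x\) are this note's own), the density and the tail probability, which is the p-value of an observed statistic \(x\), are

\[
f_k(x) = \frac{x^{k/2-1} e^{-x/2}}{2^{k/2}\,\Gamma(k/2)}, \qquad
P(\chi^2_k > x) = \frac{\Gamma(k/2,\, x/2)}{\Gamma(k/2)},
\]

where \(\Gamma(s, y) = \int_y^\infty t^{s-1} e^{-t}\,dt\) is the upper incomplete Gamma function. For even \(k\) the footnote gives \(\Gamma(k/2) = (k/2 - 1)!\) exactly; for odd \(k\) one uses \(\Gamma(1/2) = \sqrt{\pi}\) together with \(\Gamma(s+1) = s\,\Gamma(s)\).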


Author information

Correspondence to Mark Stamp.


About this article

Cite this article

Toderici, A.H., Stamp, M.: Chi-squared distance and metamorphic virus detection. J Comput Virol Hack Tech 9, 1–14 (2013). https://doi.org/10.1007/s11416-012-0171-2
