Structural entropy and metamorphic malware

  • Original Paper
Journal of Computer Virology and Hacking Techniques

Abstract

Metamorphic malware is capable of changing its internal structure without altering its functionality. A common signature is nonexistent in highly metamorphic malware and, consequently, such malware can remain undetected under standard signature scanning. In this paper, we apply previous work on structural entropy to the metamorphic detection problem. This technique relies on an analysis of variations in the complexity of data within a file. The process consists of two stages, namely, file segmentation and sequence comparison. In the segmentation stage, we use entropy measurements and wavelet analysis to segment files. The second stage measures the similarity of file pairs by computing an edit distance between the sequences of segments obtained in the first stage. We apply this similarity measure to the metamorphic detection problem and show that we obtain strong results in certain challenging cases.
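The two stages the abstract describes can be made concrete with a small worked example. The Python below is added here for illustration; it is not the authors' code, and it does not reproduce the segmentation rules, substitution costs or parameter values used in the paper or in Sorokin's structural-entropy method. It computes a byte-entropy series over fixed windows, smooths that series with a hard-thresholded discrete Haar wavelet transform, cuts it into segments of roughly constant entropy, and then scores two files by a Wagner-Fischer edit distance over their segment sequences. The window size, the two thresholds, the substitution cost and the three sample "files" (a layout with a low-entropy region, a high-entropy region and a low-entropy tail; a variant that keeps the layout but changes every byte and shifts the boundaries; and an unrelated high-entropy file) are all assumptions constructed for the example.

```python
import math
import random
from collections import Counter

# Tunable parameters: assumptions for this example, not values from the paper.
WINDOW = 64      # bytes per entropy window
DENOISE = 0.5    # Haar detail coefficients below this magnitude are treated as noise
JUMP = 1.0       # entropy change (bits) that opens a new segment


def shannon_entropy(chunk: bytes) -> float:
    """Byte-level Shannon entropy in bits: 0.0 for a constant run, 8.0 for uniform data."""
    n = len(chunk)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def entropy_series(data: bytes, window: int = WINDOW) -> list[float]:
    """Entropy of consecutive, non-overlapping windows across the file."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def haar_denoise(series: list[float], threshold: float = DENOISE) -> list[float]:
    """Full discrete Haar transform (pair averages and half-differences), hard
    thresholding of the detail coefficients, then the inverse transform. Small
    wobbles in the entropy curve are flattened while genuine jumps survive."""
    if not series:
        return []
    n = len(series)
    size = 1 << max(1, (n - 1).bit_length())        # pad to a power of two
    approx = series + [series[-1]] * (size - n)
    kept_details = []
    while len(approx) > 1:
        pairs = [(approx[i], approx[i + 1]) for i in range(0, len(approx), 2)]
        detail = [(a - b) / 2 for a, b in pairs]
        kept_details.append([d if abs(d) >= threshold else 0.0 for d in detail])
        approx = [(a + b) / 2 for a, b in pairs]
    for detail in reversed(kept_details):            # inverse transform, level by level
        approx = [v for s, d in zip(approx, detail) for v in (s + d, s - d)]
    return approx[:n]


def segment(smoothed: list[float], jump: float = JUMP) -> list[tuple[float, int]]:
    """Greedy segmentation: a window joins the current segment unless its entropy
    differs from that segment's running mean by more than `jump` bits.
    Each segment is (mean_entropy, length_in_windows)."""
    segments: list[tuple[float, int]] = []
    for e in smoothed:
        if segments and abs(e - segments[-1][0]) <= jump:
            mean, length = segments[-1]
            segments[-1] = ((mean * length + e) / (length + 1), length + 1)
        else:
            segments.append((e, 1))
    return segments


def segment_cost(s: tuple[float, int], t: tuple[float, int]) -> float:
    """Substitution cost in [0, 1]: half from the entropy gap (normalised by the
    8-bit maximum), half from the relative length difference. An assumption."""
    (e1, l1), (e2, l2) = s, t
    return 0.5 * abs(e1 - e2) / 8.0 + 0.5 * abs(l1 - l2) / max(l1, l2)


def segment_distance(a: list[tuple[float, int]], b: list[tuple[float, int]]) -> float:
    """Wagner-Fischer edit distance over two segment sequences; insertion and
    deletion cost 1, substitution costs `segment_cost`."""
    prev = [float(j) for j in range(len(b) + 1)]
    for i in range(1, len(a) + 1):
        cur = [float(i)]
        for j in range(1, len(b) + 1):
            cur.append(min(prev[j] + 1.0,                              # delete a[i-1]
                           cur[j - 1] + 1.0,                           # insert b[j-1]
                           prev[j - 1] + segment_cost(a[i - 1], b[j - 1])))
        prev = cur
    return prev[-1]


def structure(data: bytes) -> list[tuple[float, int]]:
    """Stage 1: file -> entropy series -> wavelet-smoothed series -> segments."""
    return segment(haar_denoise(entropy_series(data)))


def similarity(x: bytes, y: bytes) -> float:
    """Stage 2: 1.0 for identical segment structure, towards 0.0 for unrelated layouts."""
    sx, sy = structure(x), structure(y)
    longest = max(len(sx), len(sy))
    return 1.0 - segment_distance(sx, sy) / longest if longest else 1.0


def sample_files() -> tuple[bytes, bytes, bytes]:
    """Constructed inputs (not real malware): a base 'file' with a low-entropy
    region, a high-entropy region and a low-entropy tail; a variant that keeps
    that layout but changes every byte and shifts the boundaries; and an
    unrelated file that is high-entropy throughout."""
    rng = random.Random(1)
    base = bytes([0x90]) * 1024 + rng.randbytes(2048) + bytes([0x90]) * 1024
    variant = bytes([0xCC]) * 1100 + rng.randbytes(2000) + bytes([0x00]) * 900
    unrelated = rng.randbytes(4096)
    return base, variant, unrelated


if __name__ == "__main__":
    base, variant, unrelated = sample_files()
    print("segments(base)      ", [(round(e, 2), n) for e, n in structure(base)])
    print("sim(base, variant)  ", round(similarity(base, variant), 3))
    print("sim(base, unrelated)", round(similarity(base, unrelated), 3))
```

On the constructed inputs the base file collapses to three segments (16, 32 and 16 windows), the variant to four, and the unrelated file to one, so the variant scores well above the unrelated file even though the two related files share no byte values. In practice the window size, the denoising threshold and the segment cost all have to be tuned against a benign corpus, since a packed or encrypted benign executable also produces a long high-entropy segment; the paper's evaluation, not this sketch, is the reference for how well the measure separates metamorphic families from benign code.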



Notes

  1. To be successful, the malware must also, as a group, be sufficiently similar to non-viral code [26, 35].

References

  1. Addison, P.: The Illustrated Wavelet Transform Handbook: Introductory Theory and Applications in Science, Engineering, Medicine and Finance. Taylor and Francis Group, New York (2002)

  2. Apostolico, A., Galil, Z.: Pattern Matching Algorithms. Oxford University Press, Oxford (1997)

  3. Attaluri, S., McGhee, S., Stamp, M.: Profile hidden Markov models and metamorphic virus detection. J. Comput. Virol. 5(2), 151–169 (2009)

  4. Aycock, J.: Computer Viruses and Malware. Springer, New York (2006)

  5. Baysa, D.: Structural entropy and metamorphic malware. Master’s report, Department of Computer Science, San Jose State University. http://scholarworks.sjsu.edu/etd_projects/283/ (2012)

  6. Borda, M.: Fundamentals in Information Theory and Coding. Springer, New York (2011)

  7. Borello, J., Me, L.: Code obfuscation techniques for metamorphic viruses. J. Comput. Virol. 4(3), 30–40 (2008)

  8. Bradley, A.P.: The use of the area under the ROC curve in the evaluation of machine learning algorithms. Pattern Recognit. 30, 1145–1159 (1997)

  9. Burford, S.: Reverse engineering Linux ELF binaries on the x86 platform. http://www.linuxsa.org.au/meetings/reveng-0.2.pdf (2002)

  10. Cilibrasi, R., Vitányi, P.M.B.: Clustering by compression. IEEE Trans. Inform. Theory 51(4), 1523–1545 (2005)

  11. Collberg, C., Thomborson, C., Low, D.: A taxonomy of obfuscating transformations. Technical Report #148, The University of Auckland (1997)

  12. Cygwin: Cygwin utility files. http://www.cygwin.com/. Accessed Dec 2012

  13. Islita, M.: Levenshtein edit distance. http://www.miislita.com/searchito/levenshtein-edit-distance.html (2006)

  14. Karmeshu: Entropy Measures, Maximum Entropy Principle and Emerging Applications. Springer, New York (2003)

  15. The Mental Driller: Metamorphism in practice or “How I made MetaPHOR and what I’ve learnt”. http://biblio.l0t3k.net/magazine/en/29a/ (2002)

  16. Patel, M.: Similarity tests for metamorphic virus detection. Master’s report, Department of Computer Science, San Jose State University. http://scholarworks.sjsu.edu/etd_projects/175/ (2011)

  17. Pietrek, M.: Peering inside the PE: a tour of the Win32 portable executable file format. MSDN Magazine. http://msdn.microsoft.com/en-us/magazine/ms809762.aspx (1994)

  18. Radhakrishnan, D.: Approximate disassembly. Master’s report, Department of Computer Science, San Jose State University. http://scholarworks.sjsu.edu/etd_projects/155/ (2010)

  19. Robinson, S.: Expert .NET 1.1 Programming. Apress, New York (2004)

  20. Runwal, N., Low, R., Stamp, M.: Opcode graph similarity and metamorphic detection. J. Comput. Virol. 8(1–2), 37–52 (2012)

  21. SearchSecurity: Metamorphic and polymorphic malware. http://searchsecurity.techtarget.com/definition/metamorphic-and-polymorphic-malware (2010)

  22. Shah, A.: Approximate disassembly using dynamic programming. Master’s report, Department of Computer Science, San Jose State University. http://scholarworks.sjsu.edu/etd_projects/8/ (2010)

  23. Shanmugam, G., Low, R., Stamp, M.: Simple substitution distance and metamorphic detection. J. Comput. Virol. (to appear)

  24. Snakebyte: Next Generation Virus Construction Kit (NGVCK). Open Malware. http://www.offensivecomputing.net/ (2000)

  25. Sorokin, I.: Comparing files using structural entropy. J. Comput. Virol. 7(4), 259–265 (2011)

  26. Sridhara, S.M., Stamp, M.: Metamorphic worm that carries its own morphing engine. J. Comput. Virol. (2012) (Online First)

  27. Stamp, M.: A revealing introduction to hidden Markov models. http://cs.sjsu.edu/~stamp/RUA/HMM.pdf (2012)

  28. Struzik, Z., Siebes, A.: The Haar wavelet transform in the time series similarity paradigm. In: Proceedings of the Third European Conference on Principles of Data Mining and Knowledge Discovery (PKDD ’99). Springer, London. http://dl.acm.org/citation.cfm?id=669368 (1999)

  29. Symantec: Viruses, worms, and trojans. http://service1.symantec.com/support/nav.nsf/docid/1999041209131106 (2011)

  30. Van Fleet, P.: The discrete Haar wavelet transformation. Joint Mathematical Meetings, Center for Applied Mathematics, University of St. Thomas. http://cam.mathlab.stthomas.edu/wavelets/pdffiles/NewOrleans07/HaarTransform.pdf (2007)

  31. Verschuuren, G.: Excel 2007 for Scientists and Engineers. Holy Macro! Books (2008)

  32. Virus files. Department of Computer Science, San Jose State University. http://cs.sjsu.edu/~stamp/viruses/ (2012)

  33. Vuorenmaa, T.: The discrete wavelet transform with financial time series applications. Seminar on Learning Systems, University of Helsinki. http://www.rni.helsinki.fi/teaching/sols/TV_RNI.pdf (2003)

  34. Wagner, R.A., Fischer, M.J.: The string-to-string correction problem. J. ACM 21(1), 168–173 (1974)

  35. Wong, W., Stamp, M.: Hunting for metamorphic engines. J. Comput. Virol. 2(3), 211–229 (2006)

  36. You, I., Yim, K.: Malware obfuscation techniques: a brief survey. In: International Conference on Broadband, Wireless Computing, Communication and Applications (BWCCA), pp. 297–300 (2010)

Author information

Correspondence to Mark Stamp.

Cite this article

Baysa, D., Low, R.M. & Stamp, M. Structural entropy and metamorphic malware. J Comput Virol Hack Tech 9, 179–192 (2013). https://doi.org/10.1007/s11416-013-0185-4
