Abstract
In this paper, we consider a method for computing the similarity of executable files, based on opcode graphs. We apply this technique to the challenging problem of metamorphic malware detection and compare the results to previous work based on hidden Markov models. In addition, we analyze the effect of various morphing techniques on the success of our proposed opcode graph-based detection scheme.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Anderson B. et al.: Graph-based malware detection using dynamic analysis. J. Comput. Virol. 7(4), 247–258 (2011)
Attaluri S., McGhee S., Stamp M.: Profile hidden Markov models and metamorphic virus detection. J. Comput. Virol. 5(2), 151–169 (2009)
Aycock J.: Computer Viruses and Malware. Springer, Berlin (2006)
Al daoud, E., et al.: Detecting metamorphic viruses by using arbitrary length of control flow graphs and nodes alignment. In: ICIT 2009 Conference—Bioinformatics and Image. http://www.ubicc.org/files/pdf/2_363.pdf
Cesare, S.: Faster, more effective flowgraph-based malware classification. http://www.ruxcon.org.au/2011-talks/faster-more-effective-flowgraph-based-malware-classification/
Cygwin: Cygwin utility files. http://www.cygwin.com/
Desai P., Stamp M.: A highly metamorphic virus generator. Int. J. Multimedia Intell. Secur. 1(4), 402–427 (2010)
Eskandari, M., Hashemi, S.: Metamorphic malware detection using control flow graph mining. Int. J. Comput. Sci. Network Secur. 11(12), 1–6 (2011). http://paper.ijcsns.org/07_book/201112/20111201.pdf
Gartner T. et al.: On Graph Kernels: Hardness Results and Efficient Alternatives, pp. 129–143. Springer, Berlin (2003)
Halfpap, B.: Artificial immune system virus detector (2010). http://resheth.wordpress.com/tag/virus-detection/
Hii, A.: Chi-squared distance and metamorphic detection. Master’s report, Department of Computer Science, San Jose State University (2011)
Hlaoui, A., Wang, S.: A New Algorithm for Inexact Graph Matching. http://www.dmi.usherb.ca/~hlaoui/icpr2002.pdf
Huang L., Stamp M.: Masquerade detection using profile hidden Markov models. Comput. Secur. 30(8), 732–747 (2011)
Karnik, A., Goswami, S., Guha, R.: Detecting obfuscated viruses using cosine similarity analysis. In: First Asia International Conference on Modelling & Simulation, pp. 165–170 (2007)
Konstantinou, E.: Metamorphic Virus: Analysis and Detection. http://www.ma.rhul.ac.uk/static/techrep/2008/RHUL-MA-2008-02.pdf (2008)
Lee, J., Jeong, K., Lee, H.: Detecting metamorphic malwares using code graphs. In: Proceedings of SAC10 (2010)
Lin D., Stamp M.: Hunting for undetectable metamorphic viruses. J. Comput. Virol. 7(3), 201–214 (2011)
Nachenberg, C.: Understanding and managing Polymorphic viruses. In: Symantec Enterprise Papers, vol. XXX. http://www.symantec.com/avcenter/reference/striker.pdf
OECD, Malicious software (malware): A security threat to the Internet economy. http://www.oecd.org/dataoecd/53/34/40724457.pdf
Ogata, H., et al.: A heuristic graph comparison algorithm and its application to detect functionally related enzyme clusters. http://www.ncbi.nlm.nih.gov/pmc/articles/PMC110779
Patel, M.: Similarity tests for metamorphic virus detection. Master’s report, Department of Computer Science, San Jose State University. http://www.cs.sjsu.edu/faculty/stamp/students/patel_mahim.pdf (2011)
Priyadarshi, S.: Metamorphic detection via emulation. Master’s report, Department of Computer Science, San Jose State University. http://www.cs.sjsu.edu/faculty/stamp/students/priyadarshi_sushant.pdf (2011)
Rabiner L.: A tutorial on hidden Markov models and selected applications in speech recognition. Proc. IEEE 77(2), 257–286 (1989)
Radev, D.: Lecture 13—Eigenvectors, Eigenvalues, Stochastic Matrices. http://www1.cs.columbia.edu/~coms6998/Notes/lecture13.pdf (2008)
Runwal, N.: Graph technique for metamorphic virus detection. Master’s report, Department of Computer Science, San Jose State University. http://www.cs.sjsu.edu/faculty/stamp/students/runwal_neha.pdf (2011)
Schonlau M. et al.: Computer intrusion: detecting masquerades. Stat. Sci. 15(1), 1–17 (2001)
Shah, A.: Approximate disassembly using dynamic programming. Master’s report, Department of Computer Science, San Jose State University. http://www.cs.sjsu.edu/faculty/stamp/students/shah_abhishek.pdf (2010)
SnakeByte: Next generation virus construction kit (NGVCK) (2002). http://vx.netlux.org/vx.php?id=tn02
Stamp M.: Information Security: Principles and Practice, 2nd edn. Wiley, New York (2011)
Stamp, M.: A revealing introduction to hidden Markov models. http://www.cs.sjsu.edu/~stamp/RUA/HMM.pdf (2011)
Szor, P., Ferrie, P.: Hunting for metamorphic, Symantec, 2001. http://www.symantec.com/avcenter/reference/hunting.for.metamorphic.pdf
Heavens, V.X.: http://vx.netlux.org/
Wong, W., Stamp, M.: Hunting for metamorphic engines. J. Comput. Virol. 2(3), 211–229 (2006). http://www.cs.sjsu.edu/faculty/stamp/students/Report.pdf
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Runwal, N., Low, R.M. & Stamp, M. Opcode graph similarity and metamorphic detection. J Comput Virol 8, 37–52 (2012). https://doi.org/10.1007/s11416-012-0160-5
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11416-012-0160-5