
Singular value decomposition and metamorphic detection

  • Original Paper
  • Journal of Computer Virology and Hacking Techniques

Abstract

Metamorphic malware changes its internal structure with each infection, while maintaining its original functionality. Such malware can be difficult to detect, particularly using static analysis, since there may be no common signature across infections. In this paper, we apply a score based on Singular Value Decomposition (SVD) to the challenging problem of metamorphic detection. SVD, which can be viewed as a specific implementation of Principal Component Analysis, is a linear algebraic technique that is applicable to the wide range of problems where eigenvector analysis is useful. Previous research has shown that an eigenvector-based score derived from the facial recognition problem yields good results when applied to metamorphic malware detection. In this paper, we reconsider these previous results in the context of SVD, and we outline a strategy to defeat such a detection scheme.


Notes

  1. It is sometimes claimed that SVD is the more general case while PCA is the more specific case. This view derives from the perspective of change of basis, since SVD is a very general change of basis technique [23]. However, from the perspective of the presentation in this paper, it is entirely appropriate to consider PCA as the general approach, with SVD being one specific implementation, and the eigenvalue technique in [11], for example, being another specific implementation.

  2. For our malware experiments in Sect. 4, using only the one most significant singular value generally yields the best results. In this case, the reduction in dimensionality could not be greater.

  3. In practice, it is not necessary to subtract the mean vector during the scoring phase—failure to do so will result in each weight \(w_i\) being shifted by a constant. We subtract the mean here to simplify the discussion in step 3.
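The following is an added illustration of the points in Notes 2 and 3; it is example code written for this page, not the authors' implementation. It projects mean-centred opcode-frequency vectors onto the first left singular vector u1 (eigenfaces-style), obtains u1 by power iteration on A A^T instead of a full SVD because only the top singular value is used, and shows that skipping the mean subtraction shifts every weight by the same constant dot(u1, mean), so a distance-based score is unchanged. The training vectors, the projection-as-weight rule and the nearest-training-weight score are constructed assumptions.

```python
import math

# Constructed toy training set (assumption): each row is the opcode-frequency
# profile of one sample of the same metamorphic family, five opcode groups each.
TRAIN = [
    [0.30, 0.25, 0.20, 0.15, 0.10],
    [0.26, 0.29, 0.17, 0.18, 0.10],
    [0.33, 0.22, 0.24, 0.11, 0.10],
    [0.27, 0.24, 0.21, 0.19, 0.09],
]

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def mean_vector(rows):
    return [sum(r[i] for r in rows) / len(rows) for i in range(len(rows[0]))]

def first_left_singular_vector(rows, mean, iters=500):
    """u1 of the matrix A whose columns are the mean-centred training vectors:
    the dominant eigenvector of A A^T, found by power iteration. Assumption: a
    full SVD is unnecessary when only the top singular value is used (Note 2)."""
    centred = [[x - m for x, m in zip(r, mean)] for r in rows]
    dim = len(mean)
    aat = [[sum(c[i] * c[j] for c in centred) for j in range(dim)] for i in range(dim)]
    # Non-uniform start vector: the all-ones vector lies in the null space of
    # A A^T here, because every constructed frequency row sums to 1.
    u = [float(i + 1) for i in range(dim)]
    for _ in range(iters):
        v = [dot(row, u) for row in aat]
        norm = math.sqrt(dot(v, v))
        u = [x / norm for x in v]
    return u

def weight(u1, mean, x, subtract_mean=True):
    """Eigenfaces-style weight: projection of (x - mean) onto u1. Skipping the
    subtraction adds the constant dot(u1, mean) to every weight (Note 3)."""
    centred = [xi - mi for xi, mi in zip(x, mean)] if subtract_mean else x
    return dot(u1, centred)

def score(u1, mean, train, x, subtract_mean=True):
    """Distance from x's weight to the nearest training weight (assumed score);
    the constant shift cancels, so the score is identical either way."""
    wx = weight(u1, mean, x, subtract_mean)
    return min(abs(wx - weight(u1, mean, t, subtract_mean)) for t in train)

if __name__ == "__main__":
    mu = mean_vector(TRAIN)
    u1 = first_left_singular_vector(TRAIN, mu)
    probe = [0.10, 0.10, 0.15, 0.15, 0.50]  # constructed profile unlike the family
    print(score(u1, mu, TRAIN, probe), score(u1, mu, TRAIN, probe, subtract_mean=False))
```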

References

  1. Arfken, G.: Diagonalization of matrices. In: Mathematical Methods for Physicists, 3rd edn, pp. 217–229. Academic Press, New York (1985)

  2. Wikipedia: Singular value decomposition. http://en.wikipedia.org/wiki/Singular_value_decomposition (2014). Accessed 19 July 2014

  3. Austin, D.: We recommend a singular value decomposition. http://www.ams.org/samplings/feature-column/fcarc-svd. Accessed 19 July 2014

  4. Austin, T., Filiol, E., Josse, S., Stamp, M.: Exploring hidden Markov models for virus analysis: a semantic approach. In: 46th Hawaii International Conference on System Sciences (HICSS 46), pp. 5039–5048 (2012)

  5. Aycock, J.: Computer Viruses and Malware. Springer, Berlin (2006)

  6. Baysa, D., Low, R.M., Stamp, M.: Structural entropy and metamorphic malware. J. Comput. Virol. 9(4), 179–192 (2013)

  7. Borello, J., Me, L.: Code obfuscation techniques for metamorphic viruses. J. Comput. Virol. 4(3), 211–220 (2008)

  8. Bradley, A.P.: The use of the area under the ROC curve in the evaluation of machine learning algorithms. Pattern Recogn. 30, 1145–1159 (1997)

  9. Chess, D.M., White, S.R.: An undetectable computer virus. In: Virus Bulletin Conference, September 2000

  10. Deng, W., et al.: A malware detection framework based on Kolmogorov complexity. J. Computat. Inf. Syst. 7(8), 2687–2694 (2011). http://www.jofcis.com/publishedpapers/2011_7_8_2687_2694.pdf

  11. Deshpande, S., Park, Y., Stamp, M.: Eigenvalue analysis for metamorphic detection. J. Comput. Virol. Hacking. Tech. 10(1), 53–65 (2014)

  12. Filiol, E.: Metamorphism, formal grammars and undecidable code mutation. Int. J. Comput. Sci. 2, 70–75 (2007)

  13. Hsu, C., Chen, C.: SVD-based projection for face recognition. http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=4374514. Accessed 19 July 2014

  14. JAMA: Java matrix package. http://math.nist.gov/javanumerics/jama/. Accessed 19 July 2014

  15. Jidigam, R.K.: Metamorphic detection using singular value decomposition. Department of Computer Science, San Jose State University, Master’s report (2013)

  16. Lee, J.: Compression-based analysis of metamorphic malware. Department of Computer Science, San Jose State University, Master’s report (2013)

  17. Mean vector and covariance matrix, NIST. http://www.itl.nist.gov/div898/handbook/pmc/section5/pmc541.htm. Accessed 19 July 2014

  18. The Mental Driller, Metamorphism in practice or “How I made MetaPHOR and what I’ve learnt” (2002). http://vxheavens.com/lib/vmd01.html

  19. Noble, W.S.: What is a support vector machine? Nat. Biotechnol. 24(12), 1565–1567 (2006). http://marriottschool.net/teacher/IS555/Other/SVM_Readings.pdf

  20. Rabiner, L.R.: A tutorial on hidden Markov models and selected applications in speech recognition. Proc. IEEE 77(2), 257–286 (1989)

  21. Runwal, N., Low, R.M., Stamp, M.: Opcode graph similarity and metamorphic detection. J. Comput. Virol. 8(1–2), 37–52 (2012)

  22. Saleh, M., Mohamed, A., Nabi, A.: Eigenviruses for metamorphic virus recognition. IET Inf. Secur. 5(4), 191–198 (2011)

  23. Shlens, J.: A tutorial on principal component analysis. http://www.cs.cmu.edu/~elaw/papers/pca.pdf. Accessed 19 July 2014

  24. Shanmugam, G., Low, R.M., Stamp, M.: Simple substitution distance and metamorphic detection. J. Comput. Virol. Hack. Tech. 9(3), 159–170 (2013)

  25. Singular value decomposition, Wolfram MathWorld. http://mathworld.wolfram.com/SingularValueDecomposition.html. Accessed 19 July 2014

  26. Sorokin, I.: Comparing files using structural entropy. J. Comput. Virol. 7(4), 259–265 (2011)

  27. Sridhara, S., Stamp, M.: Metamorphic worm that carries its own morphing engine. J. Comput. Virol. 9(2), 49–58 (2013)

  28. Stamp, M.: A revealing introduction to hidden Markov models (2012). http://www.cs.sjsu.edu/stamp/RUA/HMM.pdf

  29. Toderici, A.H., Stamp, M.: Chi-squared distance and metamorphic virus detection. J. Comput. Virol. Hack. Tech. 9(1), 1–14 (2013)

  30. Turk, M.A., Pentland, A.P.: Eigenfaces for recognition. J. Cogn. Neurosci. 3(1), 71–86 (2007)

  31. Virus Profile: W32/NGVCK, McAfee Inc. http://home.mcafee.com/virusinfo/virusprofile.aspx?key=1090050. Accessed 19 July 2014

  32. Wong, W., Stamp, M.: Hunting for metamorphic engines. J. Comput. Virol. 2(3), 211–229 (2006)

  33. You, I., Yim, K.: Malware obfuscation techniques: a brief survey. In: International Conference on Broadband, Wireless Computing, Communication and Applications, pp. 297–300 (2010)

  34. Zbitskiy, P.: Code mutation techniques by means of formal grammars and automatons. J. Comput. Virol. 5(3), 199–207 (2009)

  35. Zhou, Y., Inge, M.: Malware detection using adaptive data compression, AISec ’08. In: Proceedings of the 1st ACM workshop on Workshop on AISec, pp. 53–60 (2008)

  36. Zuo, Z., Zhou, M.: Some further theoretical results about computer viruses. Comput. J. 47(6), 627–633 (2004)

Author information

Corresponding author

Correspondence to Mark Stamp.

About this article

Cite this article

Jidigam, R.K., Austin, T.H. & Stamp, M. Singular value decomposition and metamorphic detection. J Comput Virol Hack Tech 11, 203–216 (2015). https://doi.org/10.1007/s11416-014-0220-0
