Sliding window and control flow weight for metamorphic malware detection

  • Original Paper
  • Journal of Computer Virology and Hacking Techniques

Abstract

The latest stealth techniques, such as metamorphism, allow malware to evade detection by today’s signature-based anti-malware programs. Current techniques for detecting malware are compute-intensive and unsuitable for real-time detection. Techniques based on opcode patterns have the potential to be used for real-time malware detection, but have the following issues: (1) The frequencies of opcodes can change with different compilers, compiler optimizations and operating systems. (2) Obfuscations introduced by polymorphic and metamorphic malware can change the opcode distributions. (3) Selecting too many features (patterns) results in a high detection rate but also increases the runtime, and selecting too few has the opposite effect. In this paper we present a novel technique named SWOD-CFWeight (Sliding Window of Difference and Control Flow Weight) that helps mitigate these effects and provides a solution to these problems. The SWOD size can be changed; this property gives anti-malware tool developers the ability to select appropriate parameters to further optimize malware detection. The CFWeight feature captures control flow information to an extent that helps detect metamorphic malware in real time. Experimental evaluation of the proposed scheme using an existing dataset yields a malware detection rate of 99.08 % and a false positive rate of 0.93 %.
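The abstract describes the two ingredients only at a high level: a sliding window over the opcode stream whose size is tunable, and a control-flow weight that is meant to survive the distribution shifts a morphing engine introduces. The following is an added illustration written for this page, not the paper's SWOD-CFWeight implementation: it computes per-window opcode histograms, the L1 change between consecutive windows, and the share of control-transfer opcodes, then makes a nearest-profile decision on constructed opcode traces. The window handling, the L1 distance, the set of control-flow mnemonics, the nearest-profile classifier and the `nop`-insertion stand-in for a morphing engine are all assumptions made for the illustration; the traces are constructed and come from no real binary.

```python
"""Illustrative sliding-window opcode-difference features plus a control-flow
weight. Added example for this page; NOT the paper's SWOD-CFWeight code.
Window handling, L1 distance, classifier and the mnemonic set are assumptions."""
from collections import Counter
from math import sqrt
from typing import Dict, List, Tuple

# Mnemonics treated as control-transfer instructions (assumed set, x86-style).
CONTROL_FLOW_OPS = {"jmp", "je", "jne", "jz", "jnz", "jl", "jg", "call", "ret"}


def opcode_histogram(window: List[str]) -> Dict[str, float]:
    """Normalised opcode frequencies inside one window."""
    total = len(window)
    return {op: n / total for op, n in Counter(window).items()}


def sliding_window_differences(opcodes: List[str], size: int, step: int = 1) -> List[float]:
    """Slide a window of `size` opcodes over the stream; for each pair of
    consecutive windows return the L1 change in normalised frequencies.
    A larger `size` gives a coarser view of the local opcode mix."""
    diffs: List[float] = []
    prev: Dict[str, float] = {}
    for start in range(0, len(opcodes) - size + 1, step):
        hist = opcode_histogram(opcodes[start:start + size])
        if prev:
            keys = set(prev) | set(hist)
            diffs.append(sum(abs(hist.get(k, 0.0) - prev.get(k, 0.0)) for k in keys))
        prev = hist
    return diffs


def control_flow_weight(opcodes: List[str]) -> float:
    """Share of control-transfer instructions in the stream. Dead-code insertion
    dilutes this ratio but cannot remove the branches the program needs."""
    if not opcodes:
        return 0.0
    return sum(1 for op in opcodes if op in CONTROL_FLOW_OPS) / len(opcodes)


def feature_vector(opcodes: List[str], size: int, step: int = 1) -> Tuple[float, float, float]:
    """(mean window difference, max window difference, control-flow weight)."""
    diffs = sliding_window_differences(opcodes, size, step)
    mean_diff = sum(diffs) / len(diffs) if diffs else 0.0
    max_diff = max(diffs) if diffs else 0.0
    return (mean_diff, max_diff, control_flow_weight(opcodes))


def euclidean(a, b) -> float:
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def classify(sample, malware_profile, benign_profile) -> str:
    """Nearest-profile decision (assumed; the simplest possible classifier)."""
    if euclidean(sample, malware_profile) < euclidean(sample, benign_profile):
        return "malware"
    return "benign"


def insert_dead_code(opcodes: List[str], junk: str = "nop", every: int = 2) -> List[str]:
    """Constructed stand-in for a morphing engine's dead-code insertion, used
    only to test whether the features still classify the morphed trace."""
    out: List[str] = []
    for i, op in enumerate(opcodes):
        out.append(op)
        if (i + 1) % every == 0:
            out.append(junk)
    return out


# Constructed opcode traces (not taken from any real binary).
BENIGN_TRACE = ["mov", "add", "mov", "add"] * 8
MALWARE_TRACE = ["call", "mov", "jmp", "cmp", "jne", "call", "ret", "mov"] * 4
WINDOW = 4  # the tunable SWOD-style window size

BENIGN_PROFILE = feature_vector(BENIGN_TRACE, WINDOW, step=WINDOW)
MALWARE_PROFILE = feature_vector(MALWARE_TRACE, WINDOW, step=WINDOW)


def classify_trace(opcodes: List[str], size: int = WINDOW) -> str:
    """Classify a trace against the two constructed reference profiles."""
    return classify(feature_vector(opcodes, size, step=size), MALWARE_PROFILE, BENIGN_PROFILE)


if __name__ == "__main__":
    morphed = insert_dead_code(MALWARE_TRACE)
    for name, trace in [("benign", BENIGN_TRACE), ("malware", MALWARE_TRACE), ("morphed", morphed)]:
        print(name, feature_vector(trace, WINDOW, step=WINDOW), classify_trace(trace))
```

Running the block shows the point of the control-flow feature: after `nop` insertion the window differences of the morphed trace move away from the reference profile, while its control-flow weight only drops from 0.625 to about 0.417, so the nearest-profile decision still lands on the malware profile. Changing `WINDOW` (the SWOD size) changes how many windows are compared and therefore the runtime and the granularity of the difference feature, which is the trade-off the abstract's third issue refers to.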



Author information


Correspondence to Shahid Alam.


Cite this article

Alam, S., Sogukpinar, I., Traore, I. et al. Sliding window and control flow weight for metamorphic malware detection. J Comput Virol Hack Tech 11, 75–88 (2015). https://doi.org/10.1007/s11416-014-0222-y
