Abstract
The latest stealth techniques, such as metamorphism, allow malware to evade detection by today’s signature-based anti-malware programs. Current techniques for detecting malware are compute-intensive and unsuitable for real-time detection. Techniques based on opcode patterns have the potential to be used for real-time malware detection, but have the following issues: (1) The frequencies of opcodes can change with different compilers, compiler optimizations and operating systems. (2) Obfuscations introduced by polymorphic and metamorphic malware can change the opcode distributions. (3) Selecting too many features (patterns) results in a high detection rate but also increases the runtime, and vice versa. In this paper we present a novel technique named SWOD-CFWeight (Sliding Window of Difference and Control Flow Weight) that helps mitigate these effects and provides a solution to these problems. The SWOD size can be changed; this property gives anti-malware tool developers the ability to select appropriate parameters to further optimize malware detection. The CFWeight feature captures control flow information to an extent that helps detect metamorphic malware in real time. Experimental evaluation of the proposed scheme using an existing dataset yields a malware detection rate of 99.08 % and a false positive rate of 0.93 %.
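To make issue (2) concrete, the following added Python illustration (not the paper's SWOD-CFWeight code, and not from the authors) shows how a metamorphic dead-code insertion shifts an opcode frequency distribution, so that a detector comparing raw opcode histograms sees the variant as a noticeably different program. The opcode sequence and the junk-insertion rule are constructed for the illustration.

```python
from collections import Counter
import math

# Constructed opcode sequence standing in for one function of a binary.
ORIGINAL = ["push", "mov", "mov", "call", "test", "jz", "mov", "add", "cmp",
            "jne", "mov", "pop", "ret"]


def junk_insert(seq, junk=("xchg", "nop", "lea"), every=2):
    """Simulate metamorphic dead-code insertion (constructed rule): after
    every `every`-th instruction, interleave a semantically neutral opcode."""
    out = []
    for i, op in enumerate(seq):
        out.append(op)
        if i % every == every - 1:
            out.append(junk[i % len(junk)])
    return out


def opcode_distribution(seq):
    """Relative frequency of each opcode: the feature vector that
    opcode-frequency-based detectors compare."""
    counts = Counter(seq)
    total = len(seq)
    return {op: n / total for op, n in counts.items()}


def cosine_similarity(d1, d2):
    """Cosine similarity of two sparse frequency vectors; 1.0 means identical."""
    keys = set(d1) | set(d2)
    dot = sum(d1.get(k, 0.0) * d2.get(k, 0.0) for k in keys)
    n1 = math.sqrt(sum(v * v for v in d1.values()))
    n2 = math.sqrt(sum(v * v for v in d2.values()))
    return dot / (n1 * n2)


def frequency_shift(original, variant):
    """Similarity a pure histogram matcher would report between the original
    and its obfuscated variant; the drop below 1.0 is the distribution shift."""
    return cosine_similarity(opcode_distribution(original),
                             opcode_distribution(variant))


if __name__ == "__main__":
    variant = junk_insert(ORIGINAL)
    print("original:", " ".join(ORIGINAL))
    print("variant :", " ".join(variant))
    # Six junk opcodes pull the similarity down to about 0.82.
    print("similarity after dead-code insertion: %.3f"
          % frequency_shift(ORIGINAL, variant))
```

The same functions can be run over opcode sequences dumped from a disassembler to measure how much a given obfuscation moves the histogram before choosing a similarity threshold.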
Cite this article
Alam, S., Sogukpinar, I., Traore, I. et al. Sliding window and control flow weight for metamorphic malware detection. J Comput Virol Hack Tech 11, 75–88 (2015). https://doi.org/10.1007/s11416-014-0222-y