Abstract
Metamorphic malware is a kind of malware that evades signature-based anti-virus products by changing its internal structure in each infection. This paper first introduces a new measure of distance between two computer programs, called the program dissimilarity measure based on entropy (PDME). It then suggests a measure of the degree of metamorphism, built on the proposed distance measure. The distance measure is defined in terms of the entropy of the two malware programs. Moreover, the paper shows that the distance measure can be used for classifying metamorphic malware via the K-Nearest Neighbors (KNN) method. The method is evaluated on four metamorphic malware families. The results demonstrate that the measure indicates the degree of metamorphism efficiently, and that KNN classification using PDME can classify metamorphic malware with high precision.
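The abstract does not give the exact definition of PDME, so the following added example (not code from the paper or its authors) uses an assumed stand-in: the Jensen-Shannon distance between the byte-frequency distributions of two samples, which is an entropy-based dissimilarity. On top of it, the degree of metamorphism is taken as the mean pairwise dissimilarity within a family, and an unknown sample is labelled by KNN over the same distance; all sample bytes are constructed, not real malware.

```python
import math
from collections import Counter

def byte_distribution(data: bytes) -> dict:
    """Probability of each byte value occurring in the sample."""
    n = len(data)
    return {b: c / n for b, c in Counter(data).items()}

def entropy(dist: dict) -> float:
    """Shannon entropy (bits) of a probability distribution."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)

def dissimilarity(a: bytes, b: bytes) -> float:
    """Entropy-based distance between two programs.
    Assumed stand-in for PDME: Jensen-Shannon distance of the byte
    distributions, i.e. sqrt(H(mix) - (H(a) + H(b)) / 2), in [0, 1]."""
    pa, pb = byte_distribution(a), byte_distribution(b)
    mix = {k: (pa.get(k, 0.0) + pb.get(k, 0.0)) / 2 for k in set(pa) | set(pb)}
    js_div = entropy(mix) - (entropy(pa) + entropy(pb)) / 2
    return math.sqrt(max(js_div, 0.0))  # clamp tiny negative round-off

def degree_of_metamorphism(samples: list) -> float:
    """Mean pairwise dissimilarity among variants of one family (assumed definition)."""
    pairs = [(i, j) for i in range(len(samples)) for j in range(i + 1, len(samples))]
    return sum(dissimilarity(samples[i], samples[j]) for i, j in pairs) / len(pairs)

def knn_classify(unknown: bytes, labeled: list, k: int = 3) -> str:
    """Majority vote over the k labelled samples nearest to `unknown`."""
    nearest = sorted(labeled, key=lambda item: dissimilarity(unknown, item[0]))[:k]
    return Counter(label for _, label in nearest).most_common(1)[0][0]

# Constructed samples: family X is low-entropy (three byte values in varying
# proportions); family Y is near-uniform over all 256 byte values.
FAMILY_X = [b"\x90" * 40 + b"\x00" * 20 + b"\xc3" * 4,
            b"\x00" * 22 + b"\x90" * 38 + b"\xc3" * 4,
            b"\xc3" * 4 + b"\x90" * 42 + b"\x00" * 18]
FAMILY_Y = [bytes(range(256)),
            bytes(range(256)) + bytes(range(0, 256, 2)),
            bytes(range(255, -1, -1)) + bytes(range(1, 256, 2))]
LABELED = [(s, "X") for s in FAMILY_X] + [(s, "Y") for s in FAMILY_Y]

if __name__ == "__main__":
    for name, fam in (("X", FAMILY_X), ("Y", FAMILY_Y)):
        print(f"degree of metamorphism, family {name}: {degree_of_metamorphism(fam):.4f}")
    unknown = b"\x90" * 30 + b"\x00" * 30 + b"\xc3" * 2  # constructed, X-like
    print("KNN label for unknown sample:", knn_classify(unknown, LABELED))
```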
Cite this article
Radkani, E., Hashemi, S., Keshavarz-Haddad, A. et al. An entropy-based distance measure for analyzing and detecting metamorphic malware. Appl Intell 48, 1536–1546 (2018). https://doi.org/10.1007/s10489-017-1045-6
DOI: https://doi.org/10.1007/s10489-017-1045-6