
An entropy-based distance measure for analyzing and detecting metamorphic malware

Published in Applied Intelligence

Abstract

Metamorphic malware is a kind of malware that evades signature-based anti-virus products by changing its internal structure with each infection. This paper first introduces a new measure of distance between two computer programs, the program dissimilarity measure based on entropy (PDME). It then proposes a measure of the degree of metamorphism built on that distance measure. The distance measure is defined in terms of the entropy of the two malware programs. The paper further shows that the distance measure can be used to classify metamorphic malware with the K-Nearest Neighbors (KNN) method. The method is evaluated on four metamorphic malware families. The results demonstrate that the measure indicates the degree of metamorphism efficiently, and that KNN classification using PDME classifies the metamorphic malware with high precision.
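The abstract describes three building blocks (an entropy-based distance between two programs, a family-level degree-of-metamorphism score derived from it, and KNN classification over that distance) without giving their definitions on this page. The following is an added, self-contained illustration of that pipeline, not the paper's PDME nor the authors' code. It assumes a concrete stand-in distance (the Jensen-Shannon divergence between the byte-value distributions of two programs, which is defined purely in terms of Shannon entropies), assumes "degree of metamorphism" to mean the mean pairwise distance among a family's variants, and uses constructed byte strings in place of real malware samples. All names in it are hypothetical.

```python
"""Illustrative entropy-based program distance, family metamorphism score and
KNN classification over byte histograms (added example; not the paper's PDME).

Assumptions (labelled as such):
  * distance(a, b) = Jensen-Shannon divergence of the byte distributions of a, b
  * degree of metamorphism of a family = mean pairwise distance of its variants
  * sample "programs" are constructed byte strings, not real binaries
"""
import math
from collections import Counter
from itertools import combinations


def byte_distribution(data: bytes) -> dict:
    """Empirical probability of each byte value occurring in `data`."""
    n = len(data)
    return {b: c / n for b, c in Counter(data).items()}


def entropy(dist: dict) -> float:
    """Shannon entropy, in bits, of a probability distribution."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def entropy_distance(a: bytes, b: bytes) -> float:
    """Assumed distance: Jensen-Shannon divergence of the two byte histograms.

    JSD = H(mixture) - (H(P) + H(Q)) / 2. It is symmetric, lies in [0, 1] bits,
    is 0 for identical histograms and 1 for histograms with disjoint support.
    """
    pa, pb = byte_distribution(a), byte_distribution(b)
    mix = {k: (pa.get(k, 0.0) + pb.get(k, 0.0)) / 2 for k in set(pa) | set(pb)}
    return entropy(mix) - (entropy(pa) + entropy(pb)) / 2


def degree_of_metamorphism(variants: list) -> float:
    """Assumed family score: mean distance over all pairs of variants.

    A family whose variants look alike under the distance scores near 0; a
    family whose engine rewrites each variant heavily scores higher.
    """
    pairs = list(combinations(variants, 2))
    return sum(entropy_distance(x, y) for x, y in pairs) / len(pairs)


def knn_classify(sample: bytes, labelled: list, k: int = 3) -> str:
    """Majority vote among the k labelled (bytes, family) examples nearest
    to `sample` under entropy_distance."""
    nearest = sorted(labelled, key=lambda item: entropy_distance(sample, item[0]))[:k]
    return Counter(label for _, label in nearest).most_common(1)[0][0]


# --- constructed sample data (stand-in for real family variants) ------------
def synthetic_variant(seed: int, low: int, span: int, length: int = 2000) -> bytes:
    """Deterministic byte string (own LCG, so it needs no random module) whose
    byte values lie in [low, low + span). Constructed data, not malware."""
    x = seed
    out = bytearray()
    for _ in range(length):
        x = (x * 1103515245 + 12345) & 0x7FFFFFFF
        out.append(low + (x >> 16) % span)
    return bytes(out)


# Family "A" draws from a narrow byte alphabet (lower entropy); family "B"
# draws from a wide one (higher entropy). Four variants of each are "known".
FAMILY_A = [synthetic_variant(s, 0x00, 32) for s in (1, 2, 3, 4)]
FAMILY_B = [synthetic_variant(s, 0x80, 128) for s in (11, 12, 13, 14)]
TRAINING = [(v, "A") for v in FAMILY_A] + [(v, "B") for v in FAMILY_B]


if __name__ == "__main__":
    for name, fam in (("A", FAMILY_A), ("B", FAMILY_B)):
        print(f"family {name}: entropy of first variant = "
              f"{entropy(byte_distribution(fam[0])):.3f} bits, "
              f"degree of metamorphism = {degree_of_metamorphism(fam):.4f}")
    print("A vs B distance:", round(entropy_distance(FAMILY_A[0], FAMILY_B[0]), 4))
    unknown = synthetic_variant(99, 0x00, 32)
    print("unknown sample classified as:", knn_classify(unknown, TRAINING))
```

Because the Jensen-Shannon divergence is bounded and symmetric, the within-family score and the between-family distance are directly comparable on the same scale, which is what makes a plain KNN vote over it meaningful; an unbounded or asymmetric distance would need normalisation first.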




Author information

Corresponding author: Esmaeel Radkani.


About this article


Cite this article

Radkani, E., Hashemi, S., Keshavarz-Haddad, A. et al. An entropy-based distance measure for analyzing and detecting metamorphic malware. Appl Intell 48, 1536–1546 (2018). https://doi.org/10.1007/s10489-017-1045-6
