Simple substitution distance and metamorphic detection

  • Original Paper
  • Journal of Computer Virology and Hacking Techniques

Abstract

To evade signature-based detection, metamorphic viruses transform their code before each new infection. Software similarity measures are a potentially useful means of detecting such malware. We can compare a given file to a known sample of metamorphic malware and compute their similarity—if they are sufficiently similar, we classify the file as malware of the same family. In this paper, we analyze an opcode-based software similarity measure inspired by simple substitution cipher cryptanalysis. We show that the technique provides a useful means of classifying metamorphic malware.


Notes

  1. For Jakobsen’s simple substitution attack, it is not necessary to normalize the matrices, since the scores are only used internally for a hill climb and the desired result is the key \(K\). However, when scoring metamorphic malware, the desired result is the score itself, and we want to compare scores across different viruses. Consequently, these scores must be independent of the input length.
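The following is an added illustration of the point made in the note; it is not code from the paper, whose exact distance function is not reproduced on this page. It builds Jakobsen-style opcode digram frequency matrices, runs the swap-based hill climb the note refers to, and compares a raw count matrix with a normalized one to show why only the normalized score is comparable across files of different length. The opcode alphabet, the "family" sequence and the substitution key are all constructed for the example.

```python
"""Added example (not the paper's code): Jakobsen-style digram scoring of
opcode sequences and the effect of normalizing the digram matrices.
The alphabet, sequences and key below are constructed for illustration."""
from collections import Counter
from itertools import combinations, product


def digram_matrix(opcodes, alphabet, normalize=True):
    """Digram frequency matrix as {(a, b): value} over every pair in the alphabet.
    With normalize=True the entries are relative frequencies, so two sequences
    with the same digram distribution give the same matrix whatever their length."""
    counts = Counter(zip(opcodes, opcodes[1:]))
    total = max(len(opcodes) - 1, 1)
    return {pair: (counts[pair] / total if normalize else counts[pair])
            for pair in product(alphabet, repeat=2)}


def score(m1, m2):
    """Jakobsen's score: sum of absolute entrywise differences (0 means identical)."""
    return sum(abs(m1[p] - m2[p]) for p in m1)


def rename(opcodes, key):
    """Apply a substitution key {observed opcode: assumed original opcode}."""
    return [key[o] for o in opcodes]


def hill_climb(candidate, reference, alphabet):
    """Jakobsen's hill climb: start from the identity key and keep any swap of two
    key entries that lowers the score; stop when no single swap helps.
    Returns (key, best_score). Like the original attack it can stop in a local minimum."""
    ref_m = digram_matrix(reference, alphabet)
    key = {o: o for o in alphabet}
    best = score(digram_matrix(rename(candidate, key), alphabet), ref_m)
    improved = True
    while improved:
        improved = False
        for a, b in combinations(alphabet, 2):
            key[a], key[b] = key[b], key[a]
            s = score(digram_matrix(rename(candidate, key), alphabet), ref_m)
            if s < best:
                best, improved = s, True
            else:
                key[a], key[b] = key[b], key[a]  # undo the swap
    return key, best


def length_sensitivity(reference, repeats, alphabet):
    """Score a sequence against `repeats` copies of itself, raw and normalized.
    Raw counts grow with the input; relative frequencies (almost) do not,
    which is why a score meant to be compared across files must be normalized."""
    longer = reference * repeats
    raw = score(digram_matrix(reference, alphabet, normalize=False),
                digram_matrix(longer, alphabet, normalize=False))
    norm = score(digram_matrix(reference, alphabet), digram_matrix(longer, alphabet))
    return raw, norm


# Constructed data: a tiny opcode alphabet, a "family" sample, and a candidate
# whose opcodes were consistently renamed (the cipher-like view of morphing).
ALPHABET = ["mov", "push", "call", "add", "jmp"]
FAMILY = ["mov", "push", "call", "mov", "add", "jmp"]
KEY_USED = {"mov": "push", "push": "call", "call": "mov", "add": "jmp", "jmp": "add"}
CANDIDATE = rename(FAMILY, KEY_USED)

if __name__ == "__main__":
    print("raw vs normalized score against 3 copies:", length_sensitivity(FAMILY, 3, ALPHABET))
    key, best = hill_climb(CANDIDATE, FAMILY, ALPHABET)
    print("recovered key:", key, "score:", best)
```

Against three concatenated copies of the family sample, the raw score is 12 while the normalized score is 4/17, the small residue coming only from the two join digrams that the repetition introduces. On the constructed candidate the climb recovers the add/jmp swap but then stops in a local minimum (score 0.4 rather than 0); that is acceptable when only the key is wanted, as the note says, but when the score is the output, normalization is what makes it comparable between files.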

References

  1. Attaluri, S., McGhee, S., Stamp, M.: Profile hidden Markov models and metamorphic virus detection. J. Comput. Virol. 5(2), 151–169 (2009)

  2. Aycock, J.: Computer Viruses and Malware. Springer, Berlin (2006)

  3. Austin, T.H. et al.: Exploring hidden Markov models for virus analysis: A semantic approach, Proceedings of 46th Hawaii International Conference on System Sciences (HICSS 46), January 7–10 (2013)

  4. Baysa, D., Low, R.M., Stamp, M.: Structural entropy and metamorphic malware, submitted

  5. Bilar, D.: Opcodes as predictor for malware. Int. J. Electron. Secur. Digit. Forensics 1(2), 156–168 (2007)

  6. Borello, J., Me, L.: Code obfuscation techniques for metamorphic viruses. J. Comput. Virol. 4(3), 30–40 (2008)

  7. Bradley, A.P.: The use of the area under the ROC curve in the evaluation of machine learning algorithms. Pattern Recognit. 30, 1145–1159 (1997)

  8. Cygwin, Cygwin Utility Files, http://www.cygwin.com/

  9. Desai, P.: Towards an undetectable computer virus, Master’s report, Department of Computer Science, San Jose State University (2008). http://scholarworks.sjsu.edu/etd_projects/90/

  10. Deshpande, S.: Eigenvalue Analysis for Metamorphic Detection, Master’s report, Department of Computer Science, San Jose State University (2012). http://scholarworks.sjsu.edu/etd_projects/279/

  11. Dhavare, A., Low, R.M., Stamp, M.: Efficient cryptanalysis of homophonic substitution ciphers, to appear in Cryptologia

  12. Filiol, E.: Metamorphism, formal grammars and undecidable code mutation. Int. J. Comput. Sci. 2, 70–75 (2007)

  13. Idika, N., Mathur, A.: A Survey of Malware Detection Techniques, Technical report, Department of Computer Science, Purdue University (2007). http://www.serc.net/system/files/SERC-TR-286.pdf

  14. Islita, M.: Levenshtein Edit Distance (2006). http://www.miislita.com/searchito/levenshtein-edit-distance.html

  15. Jakobsen, T.: A fast method for the cryptanalysis of substitution ciphers. Cryptologia 19, 265–274 (1995)

  16. Lin, D., Stamp, M.: Hunting for undetectable metamorphic viruses. J. Comput. Virol. 7(3), 201–214 (2011)

  17. Mathai, J.: History of Computer Cryptography and Secrecy System. http://www.dsm.fordham.edu/mathai/crypto.html

  18. Patel, M.: Similarity Tests for Metamorphic Virus Detection, Master’s report, Department of Computer Science, San Jose State University (2011). http://scholarworks.sjsu.edu/etd_projects/175/

  19. Rad, B.B., Masrom, M., Ibrahim, S.: Evolution of computer virus concealment and anti-virus techniques: a short survey. IJCSI Int. J. Comput. Sci. Issues 8(1) (2011). http://arxiv.org/pdf/1104.1070.pdf

  20. Runwal, N., Low, R.M., Stamp, M.: Opcode graph similarity and metamorphic detection. J. Comput. Virol. 8(1–2), 37–52 (2012)

  21. Shanmugam, G.: Simple Substitution Distance and Metamorphic Detection, Master’s report, Department of Computer Science, San Jose State University (2012). http://scholarworks.sjsu.edu/etd_projects/270/

  22. Snakebyte: Next Generation Virus Construction Kit (NGVCK) (2000). http://vx.netlux.org/vx.php?id=tn02

  23. Sorokin, I.: Comparing files using structural entropy. J. Comput. Virol. 7(4), 259–265 (2011)

  24. Sridhara, S.M., Stamp, M.: Metamorphic worm that carries its own morphing engine, to appear in J. Comput. Virol.

  25. Stamp, M.: Information Security: Principles and Practice, 2nd edn. Wiley, Hoboken (2011)

  26. Stamp, M., Low, R.M.: Applied Cryptanalysis: Breaking Ciphers in the Real World. Wiley-IEEE Press, Chichester (2007)

  27. Szor, P., Ferrie, P.: Hunting for Metamorphic, Symantec Security Response. http://www.symantec.com/avcenter/reference/hunting.for.metamorphic.pdf

  28. Toderici, A.H., Stamp, M.: Chi-squared distance and metamorphic virus detection, to appear in J. Comput. Virol.

  29. Venkatachalam, S., Stamp, M.: Detecting undetectable computer viruses. Proceedings of 2011 International Conference on Security & Management (SAM ’11), pp. 340–345

  30. Wong, W., Stamp, M.: Hunting for metamorphic engines. J. Comput. Virol. 2(3), 211–229 (2006)

  31. Zbitskiy, P.: Code mutation techniques by means of formal grammars and automatons. J. Comput. Virol. 5(3), 199–207 (2009)

Author information

Correspondence to Mark Stamp.

Cite this article

Shanmugam, G., Low, R.M. & Stamp, M. Simple substitution distance and metamorphic detection. J Comput Virol Hack Tech 9, 159–170 (2013). https://doi.org/10.1007/s11416-013-0184-5