
Journal in Computer Virology, Volume 5, Issue 2, pp 151–169

Profile hidden Markov models and metamorphic virus detection

  • Srilatha Attaluri
  • Scott McGhee
  • Mark Stamp
Original Paper

Abstract

Metamorphic computer viruses “mutate” by changing their internal structure and, consequently, different instances of the same virus may not exhibit a common signature. With the advent of construction kits, it is easy to generate metamorphic strains of a given virus. In contrast to standard hidden Markov models (HMMs), profile hidden Markov models (PHMMs) explicitly account for positional information. In principle, this positional information could yield stronger models for virus detection. However, there are many practical difficulties that arise when using PHMMs, as compared to standard HMMs. PHMMs are widely used in bioinformatics. For example, PHMMs are the most effective tool yet developed for finding family-related DNA sequences. In this paper, we consider the utility of PHMMs for detecting metamorphic virus variants generated from virus construction kits. PHMMs are generated for each construction kit under consideration and the resulting models are used to score virus and non-virus files. Our results are encouraging, but several problems must be resolved for the technique to be truly practical.
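As an added illustration (not code from the paper), the following toy profile HMM is built from a constructed alignment of opcode sequences and scored with Viterbi. Each match state carries a position-specific opcode distribution, insert states absorb junk instructions such as a metamorphic engine might add between real ones, and a query gets a log-odds score against a uniform null model. Transitions are pooled across positions to keep the block short, which is a simplification of the position-specific transitions in a full PHMM.

```python
import math
from collections import Counter
# Constructed toy MSA of opcode sequences from four variants of one hypothetical
# metamorphic code block; '-' marks a gap (an instruction absent in that variant).
MSA = [["push", "mov", "call", "-",   "pop", "ret"],
       ["push", "mov", "call", "nop", "pop", "ret"],
       ["push", "-",   "call", "-",   "pop", "ret"],
       ["push", "mov", "call", "nop", "pop", "ret"]]
ALPHABET = ["push", "mov", "call", "nop", "pop", "ret", "xor", "add"]
PSEUDO, FLOOR = 0.5, 1e-6  # pseudocount; probability floor for unseen opcodes

def build_phmm(msa=MSA, alphabet=ALPHABET, pseudo=PSEUDO):
    # columns with a majority of non-gap entries become match states M1..Mn
    match_cols = [c for c in range(len(msa[0])) if 2 * sum(r[c] != "-" for r in msa) > len(msa)]
    match_emit = []
    for c in match_cols:  # one position-specific opcode distribution per match state
        cnt = Counter(r[c] for r in msa if r[c] != "-")
        tot = sum(cnt.values()) + pseudo * len(alphabet)
        match_emit.append({a: (cnt[a] + pseudo) / tot for a in alphabet})
    insert_emit = {a: 1.0 / len(alphabet) for a in alphabet}  # insert states: background
    tc = Counter()  # transition counts, pooled over positions (simplification)
    for r in msa:  # state path of each row: M/D at match columns, I at residues elsewhere
        path = ["M"] + [("M" if c in match_cols else "I") if r[c] != "-" else "D"
                        for c in range(len(r)) if c in match_cols or r[c] != "-"] + ["M"]
        tc.update(a + b for a, b in zip(path, path[1:]))
    logt = {s + d: math.log((tc[s + d] + pseudo) / (sum(tc[s + x] for x in "MID") + 3 * pseudo))
            for s in "MID" for d in "MID"}
    return match_emit, insert_emit, logt

def log_odds(query, model):
    """Viterbi log-probability of an opcode list under the PHMM, minus a uniform null model."""
    match_emit, insert_emit, t = model
    n, L, NEG = len(match_emit), len(query), float("-inf")
    VM, VI, VD = ([[NEG] * (L + 1) for _ in range(n + 1)] for _ in range(3))
    VM[0][0] = 0.0  # Begin is treated as match state M0
    for k in range(n + 1):
        for i in range(L + 1):
            if k and i:  # M_k emits query[i-1]
                VM[k][i] = math.log(match_emit[k - 1].get(query[i - 1], FLOOR)) + max(
                    VM[k - 1][i - 1] + t["MM"], VI[k - 1][i - 1] + t["IM"], VD[k - 1][i - 1] + t["DM"])
            if i:  # I_k emits query[i-1] (junk inserted between match positions)
                VI[k][i] = math.log(insert_emit.get(query[i - 1], FLOOR)) + max(
                    VM[k][i - 1] + t["MI"], VI[k][i - 1] + t["II"], VD[k][i - 1] + t["DI"])
            if k:  # D_k skips match position k without emitting
                VD[k][i] = max(VM[k - 1][i] + t["MD"], VI[k - 1][i] + t["ID"], VD[k - 1][i] + t["DD"])
    best = max(VM[n][L] + t["MM"], VI[n][L] + t["IM"], VD[n][L] + t["DM"])  # into End
    return best - L * math.log(1.0 / len(insert_emit))

SCORES = {name: log_odds(seq.split(), build_phmm()) for name, seq in [
    ("family", "push mov call nop pop ret"), ("junk", "push mov call nop nop pop ret"),
    ("shuffled", "ret pop call mov push nop"), ("unrelated", "xor add xor add xor add")]}
```

A family member and a variant with two junk `nop`s both score positively, while the same opcodes in shuffled order score negatively: the positional information is what separates them.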

Keywords

Hidden Markov Model, Multiple Sequence Alignment, Pairwise Alignment, Metamorphic Virus, Code Obfuscation



Copyright information

© Springer-Verlag France 2008

Authors and Affiliations

  1. Department of Computer Science, San Jose State University, San Jose, USA
