Advertisement

Journal in Computer Virology

, Volume 8, Issue 1–2, pp 37–52 | Cite as

Opcode graph similarity and metamorphic detection

  • Neha Runwal
  • Richard M. Low
  • Mark Stamp
Original Paper

Abstract

In this paper, we consider a method for computing the similarity of executable files, based on opcode graphs. We apply this technique to the challenging problem of metamorphic malware detection and compare the results to previous work based on hidden Markov models. In addition, we analyze the effect of various morphing techniques on the success of our proposed opcode graph-based detection scheme.

Keywords

Hide Markov Model Dead Code Metamorphic Virus Opcode Sequence Virus Writer 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Anderson B. et al.: Graph-based malware detection using dynamic analysis. J. Comput. Virol. 7(4), 247–258 (2011)CrossRefGoogle Scholar
  2. 2.
    Attaluri S., McGhee S., Stamp M.: Profile hidden Markov models and metamorphic virus detection. J. Comput. Virol. 5(2), 151–169 (2009)CrossRefGoogle Scholar
  3. 3.
    Aycock J.: Computer Viruses and Malware. Springer, Berlin (2006)Google Scholar
  4. 4.
    Al daoud, E., et al.: Detecting metamorphic viruses by using arbitrary length of control flow graphs and nodes alignment. In: ICIT 2009 Conference—Bioinformatics and Image. http://www.ubicc.org/files/pdf/2_363.pdf
  5. 5.
    Cesare, S.: Faster, more effective flowgraph-based malware classification. http://www.ruxcon.org.au/2011-talks/faster-more-effective-flowgraph-based-malware-classification/
  6. 6.
    Cygwin: Cygwin utility files. http://www.cygwin.com/
  7. 7.
    Desai P., Stamp M.: A highly metamorphic virus generator. Int. J. Multimedia Intell. Secur. 1(4), 402–427 (2010)CrossRefGoogle Scholar
  8. 8.
    Eskandari, M., Hashemi, S.: Metamorphic malware detection using control flow graph mining. Int. J. Comput. Sci. Network Secur. 11(12), 1–6 (2011). http://paper.ijcsns.org/07_book/201112/20111201.pdf Google Scholar
  9. 9.
    Gartner T. et al.: On Graph Kernels: Hardness Results and Efficient Alternatives, pp. 129–143. Springer, Berlin (2003)Google Scholar
  10. 10.
    Halfpap, B.: Artificial immune system virus detector (2010). http://resheth.wordpress.com/tag/virus-detection/
  11. 11.
    Hii, A.: Chi-squared distance and metamorphic detection. Master’s report, Department of Computer Science, San Jose State University (2011)Google Scholar
  12. 12.
    Hlaoui, A., Wang, S.: A New Algorithm for Inexact Graph Matching. http://www.dmi.usherb.ca/~hlaoui/icpr2002.pdf
  13. 13.
    Huang L., Stamp M.: Masquerade detection using profile hidden Markov models. Comput. Secur. 30(8), 732–747 (2011)CrossRefGoogle Scholar
  14. 14.
    Karnik, A., Goswami, S., Guha, R.: Detecting obfuscated viruses using cosine similarity analysis. In: First Asia International Conference on Modelling & Simulation, pp. 165–170 (2007)Google Scholar
  15. 15.
    Konstantinou, E.: Metamorphic Virus: Analysis and Detection. http://www.ma.rhul.ac.uk/static/techrep/2008/RHUL-MA-2008-02.pdf (2008)
  16. 16.
    Lee, J., Jeong, K., Lee, H.: Detecting metamorphic malwares using code graphs. In: Proceedings of SAC10 (2010)Google Scholar
  17. 17.
    Lin D., Stamp M.: Hunting for undetectable metamorphic viruses. J. Comput. Virol. 7(3), 201–214 (2011)CrossRefGoogle Scholar
  18. 18.
    Nachenberg, C.: Understanding and managing Polymorphic viruses. In: Symantec Enterprise Papers, vol. XXX. http://www.symantec.com/avcenter/reference/striker.pdf
  19. 19.
    OECD, Malicious software (malware): A security threat to the Internet economy. http://www.oecd.org/dataoecd/53/34/40724457.pdf
  20. 20.
    Ogata, H., et al.: A heuristic graph comparison algorithm and its application to detect functionally related enzyme clusters. http://www.ncbi.nlm.nih.gov/pmc/articles/PMC110779
  21. 21.
    Patel, M.: Similarity tests for metamorphic virus detection. Master’s report, Department of Computer Science, San Jose State University. http://www.cs.sjsu.edu/faculty/stamp/students/patel_mahim.pdf (2011)
  22. 22.
    Priyadarshi, S.: Metamorphic detection via emulation. Master’s report, Department of Computer Science, San Jose State University. http://www.cs.sjsu.edu/faculty/stamp/students/priyadarshi_sushant.pdf (2011)
  23. 23.
    Rabiner L.: A tutorial on hidden Markov models and selected applications in speech recognition. Proc. IEEE 77(2), 257–286 (1989)CrossRefGoogle Scholar
  24. 24.
    Radev, D.: Lecture 13—Eigenvectors, Eigenvalues, Stochastic Matrices. http://www1.cs.columbia.edu/~coms6998/Notes/lecture13.pdf (2008)
  25. 25.
    Runwal, N.: Graph technique for metamorphic virus detection. Master’s report, Department of Computer Science, San Jose State University. http://www.cs.sjsu.edu/faculty/stamp/students/runwal_neha.pdf (2011)
  26. 26.
    Schonlau M. et al.: Computer intrusion: detecting masquerades. Stat. Sci. 15(1), 1–17 (2001)MathSciNetGoogle Scholar
  27. 27.
    Shah, A.: Approximate disassembly using dynamic programming. Master’s report, Department of Computer Science, San Jose State University. http://www.cs.sjsu.edu/faculty/stamp/students/shah_abhishek.pdf (2010)
  28. 28.
    SnakeByte: Next generation virus construction kit (NGVCK) (2002). http://vx.netlux.org/vx.php?id=tn02
  29. 29.
    Stamp M.: Information Security: Principles and Practice, 2nd edn. Wiley, New York (2011)CrossRefGoogle Scholar
  30. 30.
    Stamp, M.: A revealing introduction to hidden Markov models. http://www.cs.sjsu.edu/~stamp/RUA/HMM.pdf (2011)
  31. 31.
    Szor, P., Ferrie, P.: Hunting for metamorphic, Symantec, 2001. http://www.symantec.com/avcenter/reference/hunting.for.metamorphic.pdf
  32. 32.
    Heavens, V.X.: http://vx.netlux.org/
  33. 33.
    Wong, W., Stamp, M.: Hunting for metamorphic engines. J. Comput. Virol. 2(3), 211–229 (2006). http://www.cs.sjsu.edu/faculty/stamp/students/Report.pdf Google Scholar

Copyright information

© Springer-Verlag France 2012

Authors and Affiliations

  1. 1.Department of Computer ScienceSan Jose State UniversitySan JoseUSA
  2. 2.Department of MathematicsSan Jose State UniversitySan JoseUSA

Personalised recommendations