Eigenvalue analysis for metamorphic detection

Original Paper

Abstract

Metamorphic malware changes its internal structure on each infection while preserving its function. Although many detection techniques have been proposed, practical and effective metamorphic detection remains a difficult challenge. In this paper, we analyze a previously proposed eigenvector-based method for metamorphic detection. The approach considered here was inspired by a well-known facial recognition technique (eigenfaces). We compute eigenvectors from raw byte data extracted from executables belonging to a metamorphic family. These eigenvectors are then used to compute a score for a collection of executable files that includes family viruses and representative examples of benign code. We perform extensive testing to determine the effectiveness of this classification method. Among other results, we show that this eigenvector-based approach is effective when applied to a family of highly metamorphic code that successfully evades statistics-based detection. We also experiment with computing eigenvectors on extracted opcode sequences, as opposed to raw byte sequences. Our experimental evidence indicates that the use of opcode sequences does not improve the results.
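The following Python sketch is an added illustration, not code from the paper, of the eigenfaces-style scheme the abstract describes: fixed-length byte vectors from a set of family samples are mean-centred, a small orthonormal eigenvector basis is obtained with the Turk-Pentland trick (decomposing the m x m matrix A A^T instead of the n x n covariance), and a candidate file is scored by its distance from that eigenspace. The fixed vector length, the use of reconstruction error as the score, the threshold rule and the synthetic "family" and "benign" data are all assumptions made for this example; the paper's own scoring function, corpus and results are not reproduced here.

```python
# Added illustration of an eigenfaces-style (Turk-Pentland) scoring scheme over
# raw byte vectors. Not the paper's code: the score (reconstruction error), the
# fixed vector length and the synthetic corpus below are assumptions for this example.
import numpy as np

VEC_LEN = 256        # hypothetical fixed vector length (bytes per sample)
EIGEN_REL_TOL = 1e-8 # drop eigenvalues that are numerically zero relative to the largest


def bytes_to_vector(data: bytes, length: int = VEC_LEN) -> np.ndarray:
    """Truncate or zero-pad a byte string to a fixed length and return it as a float vector."""
    buf = data[:length].ljust(length, b"\x00")
    return np.frombuffer(buf, dtype=np.uint8).astype(np.float64)


def train_eigenspace(samples, n_components):
    """Return (mean, U): the mean training vector and an n x k orthonormal basis.

    Turk-Pentland trick: for m samples of length n with m << n, the eigenvectors v of
    the m x m matrix A A^T yield those of the n x n covariance A^T A as U = A^T v,
    which is far cheaper than decomposing A^T A directly.
    """
    X = np.stack([bytes_to_vector(s) for s in samples])   # m x n
    mean = X.mean(axis=0)
    A = X - mean                                           # centred rows
    evals, evecs = np.linalg.eigh(A @ A.T)                 # symmetric m x m, ascending
    tol = evals.max() * EIGEN_REL_TOL
    order = [i for i in np.argsort(evals)[::-1] if evals[i] > tol][:n_components]
    U = A.T @ evecs[:, order]                              # n x k
    U /= np.linalg.norm(U, axis=0)                         # unit-length columns
    return mean, U


def score(data: bytes, mean, U) -> float:
    """Distance of a file from the family eigenspace: lower means more family-like."""
    centred = bytes_to_vector(data) - mean
    weights = U.T @ centred            # coordinates in the eigenspace
    recon = U @ weights                # projection back into byte space
    return float(np.linalg.norm(centred - recon))


def make_synthetic_corpus(seed=7, n_family=20, n_benign=20, mutate_frac=0.1):
    """Constructed data: 'family' variants of one random base (each variant rewrites
    mutate_frac of its bytes, a crude stand-in for metamorphism) and unrelated
    uniformly random 'benign' files."""
    rng = np.random.default_rng(seed)
    base = rng.integers(0, 256, VEC_LEN, dtype=np.uint8)

    def variant():
        v = base.copy()
        idx = rng.choice(VEC_LEN, int(VEC_LEN * mutate_frac), replace=False)
        v[idx] = rng.integers(0, 256, len(idx), dtype=np.uint8)
        return v.tobytes()

    family = [variant() for _ in range(n_family)]
    benign = [rng.integers(0, 256, VEC_LEN, dtype=np.uint8).tobytes()
              for _ in range(n_benign)]
    return family, benign


def evaluate(n_components=10):
    """Train on half the family, score held-out family vs benign, report separation."""
    family, benign = make_synthetic_corpus()
    train, held_out = family[:10], family[10:]
    mean, U = train_eigenspace(train, n_components)
    fam_scores = [score(f, mean, U) for f in held_out]
    ben_scores = [score(b, mean, U) for b in benign]
    # Threshold midway between the worst family score and the best benign score;
    # a real deployment would choose it from an ROC curve over a larger corpus.
    threshold = (max(fam_scores) + min(ben_scores)) / 2
    return {
        "family_max": max(fam_scores),
        "benign_min": min(ben_scores),
        "threshold": threshold,
        "separable": max(fam_scores) < min(ben_scores),
    }


if __name__ == "__main__":
    print(evaluate())
```

Two practical points the sketch makes visible: with m centred training samples the covariance has rank at most m - 1, so the zero eigenvalue must be filtered before normalising (otherwise U acquires a NaN column), and the score is only meaningful relative to a threshold chosen on a held-out set, which is why the abstract's evaluation relies on ROC analysis rather than a single fixed cutoff.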

Keywords

Receiver Operating Characteristic Curve, Executable File, Structural Entropy, Metamorphic Virus, Benign File

Copyright information

© Springer-Verlag France 2013

Authors and Affiliations

  1. Department of Computer Science, San Jose State University, San Jose, USA
  2. Department of Computer Engineering, San Jose State University, San Jose, USA