Singular value decomposition and metamorphic detection

  • Ranjith Kumar Jidigam
  • Thomas H. Austin
  • Mark Stamp
Original Paper

Abstract

Metamorphic malware changes its internal structure with each infection, while maintaining its original functionality. Such malware can be difficult to detect, particularly using static analysis, since there may be no common signature across infections. In this paper, we apply a score based on Singular Value Decomposition (SVD) to the challenging problem of metamorphic detection. SVD, which can be viewed as a specific implementation of Principal Component Analysis, is a linear algebraic technique that is applicable to the wide range of problems where eigenvector analysis is useful. Previous research has shown that an eigenvector-based score derived from the facial recognition problem yields good results when applied to metamorphic malware detection. In this paper, we reconsider these previous results in the context of SVD, and we outline a strategy to defeat such a detection scheme.
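The abstract describes the scoring idea only at a high level, so here is a small, self-contained illustration of an eigenfaces-style SVD score and of the dead-code strategy that can push a variant off the family subspace. This is an added example, not the authors' code: it assumes a toy opcode vocabulary, opcode-frequency histograms as the feature vector (the paper's actual feature extraction is not on this page), a residual-distance score, constructed training and test samples, and a threshold rule of twice the mean training score. The SVD itself is computed from A A^T by power iteration with deflation so that the block runs with the standard library alone.

```python
import math
import random

# Assumption: a small fixed opcode vocabulary and constructed frequency
# profiles; the paper's real feature extraction is not reproduced here.
OPCODES = ["mov", "push", "pop", "call", "ret", "jmp", "jz", "jnz",
           "add", "sub", "xor", "cmp", "lea", "test", "inc", "dec"]
_INDEX = {op: i for i, op in enumerate(OPCODES)}
FAMILY_WEIGHTS = [10, 6, 6, 4, 2, 2, 1, 1, 2, 1, 3, 1, 1, 1, 0.5, 0.5]
BENIGN_WEIGHTS = [4, 2, 2, 3, 2, 1, 2, 2, 4, 3, 0.5, 4, 3, 3, 2, 2]


def histogram(seq):
    """Feature vector: relative frequency of each opcode in the sequence."""
    counts = [0.0] * len(OPCODES)
    for op in seq:
        counts[_INDEX[op]] += 1.0
    total = float(len(seq)) if seq else 1.0
    return [c / total for c in counts]


def _dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def _norm(v):
    return math.sqrt(_dot(v, v))


def _mean(values):
    values = list(values)
    return sum(values) / len(values)


def top_left_singular_vectors(columns, k, iters=300):
    """Top-k left singular vectors of the matrix A whose columns are given.
    Found as the leading eigenvectors of the symmetric n x n matrix A A^T
    (n = len(OPCODES)) by power iteration with Gram-Schmidt deflation."""
    n = len(columns[0])
    aat = [[sum(c[i] * c[j] for c in columns) for j in range(n)] for i in range(n)]
    rng = random.Random(0)
    basis = []
    for _ in range(k):
        v = [rng.random() for _ in range(n)]
        for _ in range(iters):
            v = [_dot(row, v) for row in aat]
            for b in basis:  # remove the directions already found
                coef = _dot(v, b)
                v = [vi - coef * bi for vi, bi in zip(v, b)]
            nv = _norm(v)
            if nv == 0.0:
                break
            v = [vi / nv for vi in v]
        basis.append(v)
    return basis


class SVDScorer:
    """Mean-centre the training family, keep the top-k left singular vectors,
    and score a sample by its distance from that subspace (lower = closer)."""

    def __init__(self, train_seqs, k=3):
        vecs = [histogram(s) for s in train_seqs]
        self.mean = [_mean(v[i] for v in vecs) for i in range(len(OPCODES))]
        centred = [[vi - mi for vi, mi in zip(v, self.mean)] for v in vecs]
        self.basis = top_left_singular_vectors(centred, k)

    def score(self, seq):
        x = [vi - mi for vi, mi in zip(histogram(seq), self.mean)]
        resid = list(x)
        for b in self.basis:
            coef = _dot(x, b)
            resid = [ri - coef * bi for ri, bi in zip(resid, b)]
        return _norm(resid)


def gen_sequence(rng, weights, length):
    """Constructed sample: opcodes drawn independently from a weighted profile."""
    return rng.choices(OPCODES, weights=weights, k=length)


def run_demo(seed=1):
    rng = random.Random(seed)
    train = [gen_sequence(rng, FAMILY_WEIGHTS, 400) for _ in range(30)]
    scorer = SVDScorer(train, k=3)
    threshold = 2.0 * _mean(scorer.score(s) for s in train)  # assumed rule
    family_test = [gen_sequence(rng, FAMILY_WEIGHTS, 400) for _ in range(20)]
    benign = [gen_sequence(rng, BENIGN_WEIGHTS, 400) for _ in range(20)]
    # Dead-code attack: keep the variant's own code and append benign-looking
    # filler three times its length, so the histogram drifts off the subspace.
    clean = family_test[0]
    morphed = clean + gen_sequence(rng, BENIGN_WEIGHTS, 3 * len(clean))
    return {
        "threshold": threshold,
        "family_mean": _mean(scorer.score(s) for s in family_test),
        "benign_mean": _mean(scorer.score(s) for s in benign),
        "clean_score": scorer.score(clean),
        "morphed_score": scorer.score(morphed),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print("%-14s %.4f" % (name, value))
```

Run it and the family test samples score well under the threshold while benign samples score well above it; the morphed variant, although functionally the clean family sample plus dead code, scores like a benign file and escapes detection. The weakness is in the feature, not the linear algebra: any score built on opcode statistics that a morphing engine can dilute is open to this kind of padding.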

Keywords

Singular Value Decomposition; Singular Vector; Face Space; Dead Code; Singular Value Decomposition Algorithm (machine-generated keywords)

References

  1. Arfken, G.: Diagonalization of matrices. In: Mathematical Methods for Physicists, 3rd edn, pp. 217–229. Academic Press, New York (1985)
  2. Wikipedia: Singular value decomposition. http://en.wikipedia.org/wiki/Singular_value_decomposition (2014). Accessed 19 July 2014
  3. Austin, D.: We recommend a singular value decomposition. http://www.ams.org/samplings/feature-column/fcarc-svd. Accessed 19 July 2014
  4. Austin, T., Filiol, E., Josse, S., Stamp, M.: Exploring hidden Markov models for virus analysis: a semantic approach. In: 46th Hawaii International Conference on System Sciences (HICSS 46), pp. 5039–5048 (2012)
  5. Aycock, J.: Computer Viruses and Malware. Springer, Berlin (2006)
  6. Baysa, D., Low, R.M., Stamp, M.: Structural entropy and metamorphic malware. J. Comput. Virol. 9(4), 179–192 (2013)
  7. Borello, J., Me, L.: Code obfuscation techniques for metamorphic viruses. J. Comput. Virol. 4(3), 211–220 (2008)
  8. Bradley, A.P.: The use of the area under the ROC curve in the evaluation of machine learning algorithms. Pattern Recogn. 30, 1145–1159 (1997)
  9. Chess, D.M., White, S.R.: An undetectable computer virus. In: Virus Bulletin Conference, September (2000)
  10. Deng, W., et al.: A malware detection framework based on Kolmogorov complexity. J. Comput. Inf. Syst. 7(8), 2687–2694 (2011). http://www.jofcis.com/publishedpapers/2011_7_8_2687_2694.pdf
  11. Deshpande, S., Park, Y., Stamp, M.: Eigenvalue analysis for metamorphic detection. J. Comput. Virol. Hack. Tech. 10(1), 53–65 (2014)
  12. Filiol, E.: Metamorphism, formal grammars and undecidable code mutation. Int. J. Comput. Sci. 2, 70–75 (2007)
  13. Hsu, C., Chen, C.: SVD-based projection for face recognition. http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=4374514. Accessed 19 July 2014
  14. JAMA: Java matrix package. http://math.nist.gov/javanumerics/jama/. Accessed 19 July 2014
  15. Jidigam, R.K.: Metamorphic detection using singular value decomposition. Master's report, Department of Computer Science, San Jose State University (2013)
  16. Lee, J.: Compression-based analysis of metamorphic malware. Master's report, Department of Computer Science, San Jose State University (2013)
  17. NIST: Mean vector and covariance matrix. http://www.itl.nist.gov/div898/handbook/pmc/section5/pmc541.htm. Accessed 19 July 2014
  18. The Mental Driller: Metamorphism in practice or "How I made MetaPHOR and what I've learnt" (2002). http://vxheavens.com/lib/vmd01.html
  19. Noble, W.S.: What is a support vector machine? Nat. Biotechnol. 24(12), 1565–1567 (2006). http://marriottschool.net/teacher/IS555/Other/SVM_Readings.pdf
  20. Rabiner, L.R.: A tutorial on hidden Markov models and selected applications in speech recognition. Proc. IEEE 77(2), 257–286 (1989)
  21. Runwal, N., Low, R.M., Stamp, M.: Opcode graph similarity and metamorphic detection. J. Comput. Virol. 8(1–2), 37–52 (2012)
  22. Saleh, M., Mohamed, A., Nabi, A.: Eigenviruses for metamorphic virus recognition. IET Inf. Secur. 5(4), 191–198 (2011)
  23. Shlens, J.: A tutorial on principal component analysis. http://www.cs.cmu.edu/~elaw/papers/pca.pdf. Accessed 19 July 2014
  24. Shanmugam, G., Low, R.M., Stamp, M.: Simple substitution distance and metamorphic detection. J. Comput. Virol. Hack. Tech. 9(3), 159–170 (2013)
  25. Wolfram MathWorld: Singular value decomposition. http://mathworld.wolfram.com/SingularValueDecomposition.html. Accessed 19 July 2014
  26. Sorokin, I.: Comparing files using structural entropy. J. Comput. Virol. 7(4), 259–265 (2011)
  27. Sridhara, S., Stamp, M.: Metamorphic worm that carries its own morphing engine. J. Comput. Virol. 9(2), 49–58 (2013)
  28. Stamp, M.: A revealing introduction to hidden Markov models (2012). http://www.cs.sjsu.edu/stamp/RUA/HMM.pdf
  29. Toderici, A.H., Stamp, M.: Chi-squared distance and metamorphic virus detection. J. Comput. Virol. Hack. Tech. 9(1), 1–14 (2013)
  30. Turk, M.A., Pentland, A.P.: Eigenfaces for recognition. J. Cogn. Neurosci. 3(1), 71–86 (1991)
  31. McAfee Inc.: Virus Profile: W32/NGVCK. http://home.mcafee.com/virusinfo/virusprofile.aspx?key=1090050. Accessed 19 July 2014
  32. Wong, W., Stamp, M.: Hunting for metamorphic engines. J. Comput. Virol. 2(3), 211–229 (2006)
  33. You, I., Yim, K.: Malware obfuscation techniques: a brief survey. In: International Conference on Broadband, Wireless Computing, Communication and Applications, pp. 297–300 (2010)
  34. Zbitskiy, P.: Code mutation techniques by means of formal grammars and automatons. J. Comput. Virol. 5(3), 199–207 (2009)
  35. Zhou, Y., Inge, M.: Malware detection using adaptive data compression. In: AISec '08: Proceedings of the 1st ACM Workshop on AISec, pp. 53–60 (2008)
  36. Zuo, Z., Zhou, M.: Some further theoretical results about computer viruses. Comput. J. 47(6), 627–633 (2004)

Copyright information

© Springer-Verlag France 2014

Authors and Affiliations

  • Ranjith Kumar Jidigam (1)
  • Thomas H. Austin (1)
  • Mark Stamp (1)
  1. Department of Computer Science, San Jose State University, San Jose, USA