Abstract
Polymorphic malware is currently difficult to identify: it mutates into functionally equivalent variants of itself, and modern detection techniques are not adequate against such rapidly mutating malware. Signature-based detection, the long-established approach, remains the one with the highest real-time detection rate and is used by almost all antivirus products, yet signatures have so far been extracted by manual evaluation. Even the most advanced detection processes, which employ heuristic-based approaches, require progressive evaluation and modification by humans to keep up with new malware variants. The research reported here investigates efficient and effective string-matching techniques for the automatic identification of some or all new polymorphic malware. We demonstrate how our proposed syntactic approach, using the well-known Smith-Waterman string-matching algorithm, successfully detects the known polymorphic variants of the JS.Cassandra virus. Our string-matching approach may revolutionize our understanding of polymorphic variant generation and may lead to a new phase of syntactic anti-viral software.
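The abstract names Smith-Waterman local alignment as the matching technique but, being an abstract, does not show it. The following is an added example, not the authors' code and not derived from their JS.Cassandra test set: a plain Smith-Waterman implementation used to score how closely a candidate string aligns with a known sample, with a normalised score and a threshold used to flag likely variants. The scoring scheme (match 2, mismatch -1, linear gap -2), the 0.8 threshold and the three sample strings are all assumptions chosen for illustration.

```python
"""Smith-Waterman local alignment as a similarity score between two
code-like strings (added example; scoring scheme and samples are assumptions)."""
from typing import List, Tuple

# Assumed scoring scheme: the paper's own parameters are not given here.
MATCH = 2
MISMATCH = -1
GAP = -2


def smith_waterman(a: str, b: str,
                   match: int = MATCH, mismatch: int = MISMATCH,
                   gap: int = GAP) -> Tuple[int, str, str]:
    """Return (best local score, aligned slice of a, aligned slice of b)."""
    n, m = len(a), len(b)
    # h[i][j] = best score of an alignment ending at a[i-1], b[j-1];
    # the 0 floor is what makes the alignment local rather than global.
    h: List[List[int]] = [[0] * (m + 1) for _ in range(n + 1)]
    best, best_pos = 0, (0, 0)
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            sub = match if a[i - 1] == b[j - 1] else mismatch
            h[i][j] = max(0,
                          h[i - 1][j - 1] + sub,   # substitution
                          h[i - 1][j] + gap,       # gap in b
                          h[i][j - 1] + gap)       # gap in a
            if h[i][j] > best:
                best, best_pos = h[i][j], (i, j)

    # Trace back from the best cell until the score drops to zero.
    i, j = best_pos
    al_a: List[str] = []
    al_b: List[str] = []
    while i > 0 and j > 0 and h[i][j] > 0:
        sub = match if a[i - 1] == b[j - 1] else mismatch
        if h[i][j] == h[i - 1][j - 1] + sub:
            al_a.append(a[i - 1]); al_b.append(b[j - 1]); i -= 1; j -= 1
        elif h[i][j] == h[i - 1][j] + gap:
            al_a.append(a[i - 1]); al_b.append('-'); i -= 1
        else:
            al_a.append('-'); al_b.append(b[j - 1]); j -= 1
    return best, ''.join(reversed(al_a)), ''.join(reversed(al_b))


def similarity(reference: str, candidate: str) -> float:
    """Local-alignment score normalised to [0, 1] by the best score the
    shorter string could reach (every character matched)."""
    score, _, _ = smith_waterman(reference, candidate)
    return score / (MATCH * min(len(reference), len(candidate)))


def is_variant(reference: str, candidate: str, threshold: float = 0.8) -> bool:
    """Flag the candidate when it aligns closely with the known sample.
    The threshold is an assumed value, to be tuned on labelled data."""
    return similarity(reference, candidate) >= threshold


# Constructed samples (not from the paper's test set). The 'variant' only
# renames one identifier: that defeats an exact-match signature but barely
# moves the local alignment score.
KNOWN = "s=unescape(p);eval(s);"
VARIANT = "q=unescape(p);eval(q);"
BENIGN = "for(i=0;i<n;i++){t+=a[i];}"

if __name__ == "__main__":
    for label, sample in (("variant", VARIANT), ("benign", BENIGN)):
        score, ra, rb = smith_waterman(KNOWN, sample)
        print(f"{label}: score={score} similarity={similarity(KNOWN, sample):.2f} "
              f"flagged={is_variant(KNOWN, sample)}")
        print(f"  {ra}\n  {rb}")
```

Because the alignment is local, the renamed identifier at the start of the constructed variant is simply left out of the aligned region rather than being charged as a mismatch, which is why the score stays close to that of an identical string. The quadratic time and memory of the full matrix is the practical caveat: for whole files one would align a signature window against the candidate rather than two whole files.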
© 2016 Springer International Publishing Switzerland
Cite this paper
Naidu, V., Narayanan, A. (2016). A Syntactic Approach for Detecting Viral Polymorphic Malware Variants. In: Chau, M., Wang, G., Chen, H. (eds) Intelligence and Security Informatics. PAISI 2016. Lecture Notes in Computer Science(), vol 9650. Springer, Cham. https://doi.org/10.1007/978-3-319-31863-9_11
DOI: https://doi.org/10.1007/978-3-319-31863-9_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-31862-2
Online ISBN: 978-3-319-31863-9