Abstract
Metamorphic malware detection is one of the most challenging tasks of antivirus software because of the difference in signatures of new variants from preceding one [1]. This paper proposes the method for the metamorphic malware detection by Portable Executable (PE) Analysis with the Longest Common Sequence (LCS). The proposed method contains the following phase: The raw feature extraction obtains valuable features like the information of Windows PE files which are PE header information, dependencies imports and API call functions, the code segments inside each of Windows PE file. Next, these segments are used for generating the detectors, which are later used to determine affinities with code segments of executable files by the longest common sequence algorithm. Finally, header, imports, API call information and affinities are combine into vectors as input for classifiers are used for classification after a dimensionality reduction. The experimental results showed that the proposed method can achieve up to 87.1% precision, 63.3% recall for benign and 92.6% precision, 93.7% for average malware.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Symantec Corporation: Detecting Complex Viruses. https://www.symantec.com/connect/articles/detecting-complex-viruses. Accessed 10 June 2017
AV-TEST Institute: The AV-TEST Security Report, Magdeburg (2016)
Schultz, M.G., Eleazar, E., Erez, Z., Salvatore, S.J.: Data mining methods for detection of new malicious executables. In: IEEE Symposium Security and Privacy, S&P 2001, Proceedings, pp. 38–49 (2001)
Kolter, J.Z., Maloof, M.A.: Learning to detect and classify malicious executables in the wild. J. Mach. Learn. Res. 7, 2721–2744 (2006)
Yuan, Z., Lu, Y., Xue, Y.: Droiddetector: android malware characterization and detection using deep learning. Tsinghua Sci. Technol. 21(1), 114–123 (2016)
Rui, C., Tan, Y.: A virus detection system based on artificial immune system. In: Computational Intelligence and Security – CIS 2009, vol. 1, pp. 6–10 (2009)
Microsoft Corporation: Microsoft Portable Executable and Common Object File Format Specification, Microsoft Corporation (2017)
Microsoft Corporation: DUMPBIN Reference. https://msdn.microsoft.com/en-us/library/c1h23y6c.aspx. Accessed 10 June 2017
Shafiq, M.Z., Tabish, S.M., Mirza, F., Farooq, M.: PE-Miner: mining structural information to detect malicious executables in realtime. In: Kirda, E., Jha, S., Balzarotti, D. (eds.) RAID 2009. LNCS, vol. 5758, pp. 121–141. Springer, Heidelberg (2009). doi:10.1007/978-3-642-04342-0_7
Microsoft Corporation: Desktop App Technologies, Microsoft Corporation. https://msdn.microsoft.com/library/windows/desktop/bg126469.aspx. Accessed 10 June 2017
Total, Virus: VirusTotal-Free online virus, malware and URL scanner (2017)
Antonio, N., Zubair, R.M., Juan, C.: The MALICIA dataset: identification and analysis of drive-by download operations. Int. J. Inf. Secur. 14(1), 15–33 (2015)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Vu, T.N., Nguyen, T.T., Phan Trung, H., Do Duy, T., Van, K.H., Le, T.D. (2017). Metamorphic Malware Detection by PE Analysis with the Longest Common Sequence. In: Dang, T., Wagner, R., Küng, J., Thoai, N., Takizawa, M., Neuhold, E. (eds) Future Data and Security Engineering. FDSE 2017. Lecture Notes in Computer Science(), vol 10646. Springer, Cham. https://doi.org/10.1007/978-3-319-70004-5_18
Download citation
DOI: https://doi.org/10.1007/978-3-319-70004-5_18
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-70003-8
Online ISBN: 978-3-319-70004-5
eBook Packages: Computer ScienceComputer Science (R0)