Metamorphic Malware Detection by PE Analysis with the Longest Common Sequence

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10646)


Metamorphic malware detection is one of the most challenging tasks for antivirus software because the signatures of new variants differ from those of preceding ones [1]. This paper proposes a method for metamorphic malware detection by Portable Executable (PE) analysis with the Longest Common Sequence (LCS). The proposed method consists of the following phases. First, raw feature extraction obtains valuable features from each Windows PE file: PE header information, dependency imports, API call functions, and the code segments inside the file. Next, these code segments are used to generate detectors, which are later used to determine affinities with the code segments of executable files by the longest common sequence algorithm. Finally, the header, import and API call information and the affinities are combined into vectors that, after dimensionality reduction, serve as input to the classifiers. The experimental results showed that the proposed method can achieve up to 87.1% precision, 63.3% recall for benign and 92.6% precision, 93.7% for average malware.
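The affinity step described in the abstract can be sketched as follows. This is an added example, not the authors' code: the normalization (LCS length divided by detector length), the function names, and the byte sequences are assumptions constructed for illustration.

```python
# Added illustration: LCS-based affinity between detectors and code segments.
# Assumptions (not from the paper): affinity = LCS length / detector length;
# all byte strings below are constructed, harmless x86 sequences.

def lcs_length(a: bytes, b: bytes) -> int:
    """Longest common subsequence length, O(len(a)*len(b)) time,
    O(min(len(a), len(b))) memory via a rolling row."""
    if len(a) < len(b):
        a, b = b, a  # keep the DP row as short as possible
    prev = [0] * (len(b) + 1)
    for x in a:
        curr = [0]
        for j, y in enumerate(b, 1):
            if x == y:
                curr.append(prev[j - 1] + 1)
            else:
                curr.append(max(prev[j], curr[j - 1]))
        prev = curr
    return prev[-1]


def affinity(detector: bytes, segment: bytes) -> float:
    """Fraction of the detector recoverable, in order, from the segment."""
    if not detector:
        return 0.0
    return lcs_length(detector, segment) / len(detector)


def affinity_vector(detectors, segments):
    """One feature per detector: its best affinity over a file's segments."""
    return [max((affinity(d, s) for s in segments), default=0.0)
            for d in detectors]


# Constructed detector: push ebp; mov ebp,esp; sub esp,0x10; xor eax,eax; leave; ret
DETECTOR = bytes.fromhex("55 89e5 83ec10 31c0 c9 c3")
# Constructed variant: the same code with NOP (0x90) padding inserted,
# which defeats an exact byte-signature match but not the subsequence match.
VARIANT = bytes.fromhex("55 90 89e5 90 83ec10 31c0 90 c9 c3")
# Constructed unrelated segment: mov eax,1; ret
UNRELATED = bytes.fromhex("b801000000 c3")

if __name__ == "__main__":
    print("exact signature hit:", DETECTOR in VARIANT)
    print("affinity vs variant:", affinity(DETECTOR, VARIANT))
    print("affinity vs unrelated:", affinity(DETECTOR, UNRELATED))
```

In a pipeline like the one the abstract outlines, such a vector would be concatenated with the header, import and API call features before dimensionality reduction and classification.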


Malware detection, Data mining, Longest common sequence, Neural network


  1. Symantec Corporation: Detecting Complex Viruses. Accessed 10 June 2017
  2. AV-TEST Institute: The AV-TEST Security Report, Magdeburg (2016)
  3. Schultz, M.G., Eleazar, E., Erez, Z., Salvatore, S.J.: Data mining methods for detection of new malicious executables. In: IEEE Symposium Security and Privacy, S&P 2001, Proceedings, pp. 38–49 (2001)
  4. Kolter, J.Z., Maloof, M.A.: Learning to detect and classify malicious executables in the wild. J. Mach. Learn. Res. 7, 2721–2744 (2006)
  5. Yuan, Z., Lu, Y., Xue, Y.: Droiddetector: android malware characterization and detection using deep learning. Tsinghua Sci. Technol. 21(1), 114–123 (2016)
  6. Rui, C., Tan, Y.: A virus detection system based on artificial immune system. In: Computational Intelligence and Security – CIS 2009, vol. 1, pp. 6–10 (2009)
  7. Microsoft Corporation: Microsoft Portable Executable and Common Object File Format Specification, Microsoft Corporation (2017)
  8. Microsoft Corporation: DUMPBIN Reference. Accessed 10 June 2017
  9. Shafiq, M.Z., Tabish, S.M., Mirza, F., Farooq, M.: PE-Miner: mining structural information to detect malicious executables in realtime. In: Kirda, E., Jha, S., Balzarotti, D. (eds.) RAID 2009. LNCS, vol. 5758, pp. 121–141. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-04342-0_7
  10. Microsoft Corporation: Desktop App Technologies, Microsoft Corporation. Accessed 10 June 2017
  11. Total, Virus: VirusTotal-Free online virus, malware and URL scanner (2017)
  12. Antonio, N., Zubair, R.M., Juan, C.: The MALICIA dataset: identification and analysis of drive-by download operations. Int. J. Inf. Secur. 14(1), 15–33 (2015)

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. University of Information Technology, Vietnam National University, HCM City, Ho Chi Minh City, Vietnam
  2. Long An University of Economics and Industry, Tan An, Vietnam
