nach oben

Journal of Computer Virology and Hacking Techniques

Erschienen in:

01.08.2013 | Original Paper

Simple substitution distance and metamorphic detection

verfasst von: Gayathri Shanmugam, Richard M. Low, Mark Stamp

Erschienen in: Journal of Computer Virology and Hacking Techniques | Ausgabe 3/2013

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

To evade signature-based detection, metamorphic viruses transform their code before each new infection. Software similarity measures are a potentially useful means of detecting such malware. We can compare a given file to a known sample of metamorphic malware and compute their similarity—if they are sufficiently similar, we classify the file as malware of the same family. In this paper, we analyze an opcode-based software similarity measure inspired by simple substitution cipher cryptanalysis. We show that the technique provides a useful means of classifying metamorphic malware.

Vorheriger Artikel Detecting machine-morphed malware variants via engine attribution

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

For Jackobsen’s simple substitution attack, it is not necessary to normalize the matrices, since the scores are only used internally for a hill climb and the desired result is the key \(K\). However, when scoring metamorphic malware, the desired result is the score, and we want to compare scores for different viruses. Consequently, it is necessary that these scores be independent of the input length.

Attaluri, S., McGhee, S., Stamp, M.: Profile hidden Markov models and metamorphic virus detection. J. Comput. Virol. 5(2), 151–169 (2009)CrossRef

Aycock, J.: Computer Viruses and Malware. Springer, Berlin (2006)

Austin, T.H. et al.: Exploring hidden Markov models for virus analysis: A semantic approach, Proceedings of 46th Hawaii International Conference on System Sciences (HICSS 46), January 7–10 (2013)

Baysa, D., Low, R.M., Stamp, M.: Structural entropy and metamorphic malware, submitted

Bilar, D.: Opcodes as predictor for malware. Int. J. Electron. Secur. Digit. Forensics 1(2), 156–168 (2007)CrossRef

Borello, J., Me, L.: Code obfuscation techniques for metamorphic viruses. J. Comput. Virol. 4(3), 30–40 (2008)CrossRef

Bradley, A.P.: The use of the area under the roc curve in the evaluation of machine learning algorithms. Pattern Recognit. 30, 1145–1159 (1997)CrossRef

Cygwin, Cygwin Utility Files, http://www.cygwin.com/

Desai, P.: Towards an undetectable computer virus, Master’s report, Department of Computer Science, San Jose State University (2008). http://scholarworks.sjsu.edu/etd_projects/90/

10.

Deshpande, S.: Eigenvalue Analysis for Metamorphic Detection, Master’s report, Department of Computer Science, San Jose State University (2012). http://scholarworks.sjsu.edu/etd_projects/279/

11.

Dhavare, A., Low, R.M., Stamp, M.: Efficient cryptanalysis of homophonic substitution ciphers. to appear in Cryptologia

12.

Filiol, E.: Metamorphism, formal grammars and undecidable code mutation. Int. J. Comput. Sci. 2, 70–75 (2007)

13.

Idika, N., Mathur, A.: A Survey of Malware Detection Techniques, Technical report, Department of Computer Science, Purdue University (2007). http://www.serc.net/system/files/SERC-TR-286.pdf

14.

Islita, M.: Levenshtein Edit Distance (2006). http://www.miislita.com/searchito/levenshtein-edit-distance.html

15.

Jakobsen, T.: A fast method for the cryptanalysis of substitution ciphers. Cryptologia 19, 265–274 (1995)CrossRefMATH

16.

Lin, D., Stamp, M.: Hunting for undetectable metamorphic viruses. J. Comput. Virol. 7(3), 201–214 (2011)CrossRef

17.

Mathai, J.: History of Computer Cryptography and Secrecy System. http://www.dsm.fordham.edu/mathai/crypto.html

18.

Patel, M.: Similarity Tests for Metamorphic Virus Detection, Master’s report, Department of Computer Science, San Jose State University, (2011). http://scholarworks.sjsu.edu/etd_projects/175/

19.

Rad, B.B., Masrom, M., Ibrahim, S.: Evolution of computer virus concealment and anti-virus techniques: a short survey. IJCSI Int. J. Comput. Sci. Issues 8(1) (2011). http://arxiv.org/pdf/1104.1070.pdf

20.

Runwal, N., Low, R.M., Stamp, M.: Opcode graph similarity and metamorphic detection. J. Comput. Virol. 8(1–2), 37–52 (2012)CrossRef

21.

Shanmugam, G.: Simple Substitution Distance and Metamorphic Detection, Master’s report, Department of Computer Science, San Jose State University (2012). http://scholarworks.sjsu.edu/etd_projects/270/

22.

Snakebyte. Next Generation Virus Construction Kit (NGVCK) (2000). http://vx.netlux.org/vx.php?id=tn02

23.

Sorokin, I.: Comparing files using structural entropy. J. Comput. Virol. 7(4), 259–265 (2011)CrossRefMathSciNet

24.

Sridhara, S.M., Stamp, M.: Metamorphic worm that carries its own morphing engine. to appear in J. Comput. Virol.

25.

Stamp, M.: Information Security: Principles and Practice, 2nd edn. Wiley, Hoboken (2011)CrossRef

26.

Stamp, M., Low, R.M.: Applied Cryptanalysis: Breaking Ciphers in the Real World. Wiley-IEEE Press, Chichester (2007)CrossRef

27.

Szor, P., Ferrie, P.: Hunting for Metamorphic, Symantec Security Response. http://www.symantec.com/avcenter/reference/hunting.for.metamorphic.pdf

28.

Toderici, A.H., Stamp, M.: Chi-squared distance and metamorphic virus detection. to appear in J. Comput. Virol.

29.

Venkatachalam, S., Stamp, M.: Detecting undetectable computer viruses. Proceedings of 2011 International Conference on Security & Management (SAM ’11), pp. 340–345

30.

Wong, W., Stamp, M.: Hunting for metamorphic engines. J. Comput. Virol. 2(3), 211–229 (2006)CrossRef

31.

Zbitskiy, P.: Code mutation techniques by means of formal grammars and automatons. J. Comput. Virol. 5(3), 199–207 (2009)CrossRef

Titel: Simple substitution distance and metamorphic detection
verfasst von: Gayathri Shanmugam
Richard M. Low
Mark Stamp
Publikationsdatum: 01.08.2013
Verlag: Springer Paris
Erschienen in: Journal of Computer Virology and Hacking Techniques / Ausgabe 3/2013
Elektronische ISSN: 2263-8733
DOI: https://doi.org/10.1007/s11416-013-0184-5

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"