nach oben

Journal of Computer Virology and Hacking Techniques

Erschienen in:

01.11.2013 | Original Paper

Structural entropy and metamorphic malware

verfasst von: Donabelle Baysa, Richard M. Low, Mark Stamp

Erschienen in: Journal of Computer Virology and Hacking Techniques | Ausgabe 4/2013

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Metamorphic malware is capable of changing its internal structure without altering its functionality. A common signature is nonexistent in highly metamorphic malware and, consequently, such malware can remain undetected under standard signature scanning. In this paper, we apply previous work on structural entropy to the metamorphic detection problem. This technique relies on an analysis of variations in the complexity of data within a file. The process consists of two stages, namely, file segmentation and sequence comparison. In the segmentation stage, we use entropy measurements and wavelet analysis to segment files. The second stage measures the similarity of file pairs by computing an edit distance between the sequences of segments obtained in the first stage. We apply this similarity measure to the metamorphic detection problem and show that we obtain strong results in certain challenging cases.

Vorheriger Artikel A study on common malware families evolution in 2012

Nächster Artikel Abstracting minimal security-relevant behaviors for malware analysis

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

To be successful, it is also necessary that the malware, as a group, must be sufficiently similar to non-viral code [26, 35].

Addison, P.: The Illustrated Wavelet Transform Handbook: Introductory Theory and Applications in Science. Engineering, Medicine and Finance. Taylor and Francis Group, New York (2002)

Apostolico, A., Galil, Z.: Pattern Matching Algorithms. Oxford University Press, Oxford (1997)CrossRefMATH

Attaluri, S., McGhee, S., Stamp, M.: Profile hidden Markov models and metamorphic virus detection. J. Comput. Virol. 5(2), 151–169 (2009)CrossRef

Aycock, J.: Computer Viruses and Malware. Springer, New York (2006)

Baysa, D.: Structural entropy and metamorphic malware. Master’s report, Department of Computer Science, San Jose State University. http://scholarworks.sjsu.edu/etd_projects/283/ (2012)

Borda, M.: Fundamentals in Information Theory and Coding. Springer, New York (2011)CrossRefMATH

Borello, J., Me, L.: Code obfuscation techniques for metamorphic viruses. J. Comput. Virol. 4(3), 30–40 (2008)CrossRef

Bradley, A.P.: The use of the area under the ROC curve in the evaluation of machine learning algorithms. Pattern Recognit. 30, 1145–1159 (1997)CrossRef

Burford, S.: Reverse engineering Linux ELF binaries on the x86 platform. http://www.linuxsa.org.au/meetings/reveng-0.2.pdf (2002)

10.

Cilibrasi, R., Vitányi, P.M.B.: Clustering by compression. IEEE Trans. Inform. Theory 51(4), 1523–1545 (2005)CrossRefMathSciNet

11.

Collberg, C., Thomborson, C., Low, C.: A taxonomy of obfuscating transformations. Technical Report #118. The University of Auckland (1997)

12.

Cygwin, Cygwin utility files. http://www.cygwin.com/. Accessed Dec 2012

13.

Islita, M.: Levenshtein edit distance. http://www.miislita.com/searchito/levenshtein-edit-distance.html (2006)

14.

Karmeshu.: Entropy Measures, Maximum Entropy Principle and Emerging Applications. Springer, New York (2003)

15.

The Mental Driller, Metamorphism in practice or “How I made MetaPHOR and what I’ve learnt”. http://biblio.l0t3k.net/magazine/en/29a/ (2002)

16.

Patel, M.: Similarity tests for metamorphic virus detection, Master’s report. Department of Computer Science, San Jose State University. http://scholarworks.sjsu.edu/etd_projects/175/ (2011)

17.

Pietrek, M.: Peering inside the PE: a tour of the Win32 portable executable file format. MSDN Magazine. http://msdn.microsoft.com/en-us/magazine/ms809762.aspx (1994)

18.

Radhakrishnan, D.: Approximate disassembly, Master’s report. Department of Computer Science, San Jose State University. http://scholarworks.sjsu.edu/etd_projects/155/ (2010)

19.

Robinson, S.: Expert. NET 1.1 Programming. Apress, New York (2004)

20.

Runwal, N., Low, R., Stamp, M.: Opcode graph similarity and metamorphic detection. J. Comput Virol. 8(1–2), 37–52 (2012)CrossRef

21.

SearchSecurity, Metamorphic and polymorphic malw- are. http://searchsecurity.techtarget.com/definition/metamorphic-and-polymorphic-malware (2010)

22.

Shah, A.: Approximate disassembly using dynamic programming, Master’s report. Department of Computer Science, San Jose State University. http://scholarworks.sjsu.edu/etd_projects/8/ (2010)

23.

Shanmugam, G., Low, R., Stamp, M.: Simple substitution distance and metamorphic detection. J. Comput. Virol. (to appear)

24.

Snakebyte, Next Generation Virus Construction Kit (NGVCK). Open Malware http://www.offensivecomputing.net/ (2000)

25.

Sorokin, I.: Comparing files using structural entropy. J. Comput. Virol. 7(4), 259–265 (2011)CrossRefMathSciNet

26.

Sridhara, S.M., Stamp, M.: Metamorphic worm that carries its own morphing engine. J. Comput. Virol. (2012) (online \(\text{ first }^{\rm TM}\))

27.

Stamp, M.: A revealing introduction to hidden Markov models. http://cs.sjsu.edu/~stamp/RUA/HMM.pdf (2012)

28.

Struzik, Z., Siebes, A.: The Haar wavelet transform in the time series similarity paradigm. In: Proceedings of the Third European Conference on Principles of Data Mining and Knowledge Discovery (PKDD ’99). Springer, London. http://dl.acm.org/citation.cfm?id=669368 (1999)

29.

Symantec, Viruses, worms, and trojans. http://service1.symantec.com/support/nav.nsf/docid/1999041209131106 (2011)

30.

Van Fleet, P.: The discrete haar wavelet transformation. Joint Mathematical Meetings, Center for Applied Mathematics, University of St. Thomas. http://cam.mathlab.stthomas.edu/wavelets/pdffiles/NewOrleans07/HaarTransform.pdf (2007)

31.

Verschuuren, G.: Excel 2007 for Scientists and Engineers. Holy Macro! Books (2008)

32.

Virus files, Department of Computer Science, San Jose State University. http://cs.sjsu.edu/~stamp/viruses/ (2012)

33.

Vuorenmaa, T.: The discrete wavelet transform with financial time series applications. Seminar on Learning Systems, University of Helsinki. http://www.rni.helsinki.fi/teaching/sols/TV_RNI.pdf (2003)

34.

Wagner, R.A., Fischer, M.J.: The string-to-string correction problem. J. ACM (JACM) 21(1), 168–173 (1974)CrossRefMATHMathSciNet

35.

Wong, W., Stamp, M.: Hunting for metamorphic engines. J. Comput. Virol. 2(3), 211–229 (2006)CrossRef

36.

You, I., Yim, K.: Malware obfuscation techniques: a brief survey. In: International Conference on Broadband, Wireless Computing. Communication and Applications (BWCCA), pp. 297–300 (2010)

Titel: Structural entropy and metamorphic malware
verfasst von: Donabelle Baysa
Richard M. Low
Mark Stamp
Publikationsdatum: 01.11.2013
Verlag: Springer Paris
Erschienen in: Journal of Computer Virology and Hacking Techniques / Ausgabe 4/2013
Elektronische ISSN: 2263-8733
DOI: https://doi.org/10.1007/s11416-013-0185-4

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"