MARD: A Framework for Metamorphic Malware Analysis and Real-Time Detection

Because of the financial and other gains attached to the growing malware industry, there is a need to automate the process of malware analysis and provide real-time malware detection. To hide malware, obfuscation techniques are used. One such technique is metamorphism, an encoding that mutates the binary code dynamically and changes the opcodes with every run to avoid detection. This makes malware difficult to detect in real time and generally requires a behavioral signature for detection. In this paper we present a new framework called MARD for Metamorphic Malware Analysis and Real-Time Detection, to protect the end points, which are often the last defense against metamorphic malware. MARD provides: (1) automation, (2) platform independence, (3) optimizations for real-time performance, and (4) modularity. We also present a comparison of MARD with other such recent efforts. Experimental evaluation of MARD achieves a detection rate of 99.6% and a false positive rate of 4%.
