论文信息 - Polymorphic Malware Detection Using Hierarchical Hidden Markov Model

Polymorphic Malware Detection Using Hierarchical Hidden Markov Model

Binary signatures have been widely used to detect malicious software on the current Internet. However, this approach is unable to achieve the accurate identification of polymorphic malware variants, which can be easily generated by the malware authors using code generation engines. Code generation engines randomly produce varying code sequences but perform the same desired malicious functions. Previous research used flow graph and signature tree to identify polymorphic malware families. The key difficulty of previous research is the generation of precisely defined state machine models from polymorphic variants. This paper proposes a novel approach, using Hierarchical Hidden Markov Model (HHMM), to provide accurate inductive inference of the malware family. This model can capture the features of self-similar and hierarchical structure of polymorphic malware family signature sequences. To demonstrate the effectiveness and efficiency of this approach, we evaluate it with real malware samples. Using more than 15,000 real malware, we find our approach can achieve high true positives, low false positives, and low computational cost.

Fahad Bin Muhaya | Muhammad Khurram Khan | Yang Xiang

[1] James Newsome,et al. Polygraph: automatically generating signatures for polymorphic worms , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[2] Andrew Walenstein,et al. Malware phylogeny generation using permutations of code , 2005, Journal in Computer Virology.

[3] Ming-Yang Kao,et al. Hamsa: fast signature generation for zero-day polymorphic worms with provable attack resilience , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[4] Christopher Krügel,et al. Detecting System Emulators , 2007, ISC.

[5] Heng Yin,et al. Renovo: a hidden code extractor for packed executables , 2007, WORM '07.

[6] Yong Tang,et al. Signature Tree Generation for Polymorphic Worms , 2011, IEEE Transactions on Computers.

[7] Marius Gheorghescu. AN AUTOMATED VIRUS CLASSIFICATION SYSTEM , 2006 .

[8] Yoram Singer,et al. The Hierarchical Hidden Markov Model: Analysis and Applications , 1998, Machine Learning.

[9] Yang Xiang,et al. A Fast Flowgraph Based Classification System for Packed and Polymorphic Malware on the Endhost , 2010, 2010 24th IEEE International Conference on Advanced Information Networking and Applications.

[10] Andrew J. Viterbi,et al. Error bounds for convolutional codes and an asymptotically optimum decoding algorithm , 1967, IEEE Trans. Inf. Theory.

[11] L. Baum,et al. Statistical Inference for Probabilistic Functions of Finite State Markov Chains , 1966 .