An entropy-based distance measure for analyzing and detecting metamorphic malware

Metamorphic malware evades signature-based anti-virus products by changing its internal structure in each infection. This paper first introduces a new measure of the distance between two computer programs, the program dissimilarity measure based on entropy (PDME), and then proposes a measure of the degree of metamorphism built on that distance. The distance measure is defined in terms of the entropy of the two malware programs. The paper also shows that the distance measure can be used to classify metamorphic malware with the K-Nearest Neighbors (KNN) method. The method is evaluated on four metamorphic malware families. The results demonstrate that the measure indicates the degree of metamorphism efficiently, and that KNN classification using PDME classifies the metamorphic malware with high precision.
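As an added illustration, not the paper's own code, the following Python computes an entropy-based dissimilarity between two program byte images, uses it to estimate a family's degree of metamorphism as the mean pairwise dissimilarity, and classifies an unknown sample by KNN. The abstract does not give the PDME formula, so the Jensen-Shannon formulation, the function names and the two constructed families are assumptions.

```python
import math
import random
from collections import Counter

def byte_distribution(data: bytes) -> dict:
    """Empirical byte-frequency distribution of a program image."""
    n = len(data)
    return {b: c / n for b, c in Counter(data).items()} if n else {}

def entropy(dist: dict) -> float:
    """Shannon entropy in bits of a probability distribution."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)

def pdme_like(a: bytes, b: bytes) -> float:
    """Entropy-based dissimilarity between two programs.
    Assumed formulation (Jensen-Shannon divergence of the two byte
    distributions), standing in for the paper's PDME, whose exact
    definition is not given in the abstract.  Symmetric, 0 for identical
    distributions, and at most 1 bit for disjoint byte alphabets."""
    pa, pb = byte_distribution(a), byte_distribution(b)
    mix = {k: (pa.get(k, 0.0) + pb.get(k, 0.0)) / 2 for k in set(pa) | set(pb)}
    return entropy(mix) - (entropy(pa) + entropy(pb)) / 2

def degree_of_metamorphism(family: list) -> float:
    """Mean pairwise dissimilarity among the variants of one family."""
    pairs = [(i, j) for i in range(len(family)) for j in range(i + 1, len(family))]
    return sum(pdme_like(family[i], family[j]) for i, j in pairs) / len(pairs)

def knn_classify(sample: bytes, labelled: list, k: int = 3) -> str:
    """Majority vote of the k nearest labelled programs under pdme_like."""
    nearest = sorted(labelled, key=lambda item: pdme_like(sample, item[0]))[:k]
    return Counter(label for _, label in nearest).most_common(1)[0][0]

# Constructed stand-ins for two metamorphic families: every variant is a
# fresh random byte stream (each "infection" differs), but family "A" draws
# from bytes 0x00-0x3f and family "B" from 0x80-0xff, so the byte
# statistics stay characteristic of the family while the bytes change.
def make_variant(rng: random.Random, lo: int, hi: int, size: int = 2048) -> bytes:
    return bytes(rng.randint(lo, hi) for _ in range(size))

_rng = random.Random(7)
FAMILY_A = [make_variant(_rng, 0x00, 0x3f) for _ in range(5)]
FAMILY_B = [make_variant(_rng, 0x80, 0xff) for _ in range(5)]
TRAINING = [(v, "A") for v in FAMILY_A] + [(v, "B") for v in FAMILY_B]
PROBE_B = make_variant(_rng, 0x80, 0xff)   # unseen variant of family B

if __name__ == "__main__":
    print("degree of metamorphism, family A:", round(degree_of_metamorphism(FAMILY_A), 4))
    print("probe classified as:", knn_classify(PROBE_B, TRAINING))
```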
