论文信息 - Statistical signatures for fast filtering of instruction-substituting metamorphic malware

Statistical signatures for fast filtering of instruction-substituting metamorphic malware

Introducing program variations via metamorphic transformations is one of the methods used by malware authors in order to help their programs slip past defenses. A method is presented for rapidly deciding whether or not an input program is likely to be a variant of a given metamorphic program. The method is defined for the prominent class of metamorphic engines that work by probabilistically selecting instruction-substituting program transformations. A model of the probabilistic engine is used to predictthe expected distribution of instruction forms for different generations ofvariants. These predicted distributions form a type of "statistical signature" for the output of the metamorphic engines. A classifier is defined based on distance between the observed and the predicted instruction form distributions. A case study using the W32.Evol virus shows the classifier can distinguish between malicious samples from multiple generations. The classification method may be useful for practical malware detection by serving as an inexpensive filter to avoid more in-depth analyses where they are unnecessary

Andrew Walenstein | Arun Lakhotia | Mohamed R. Chouchane | Andrew Walenstein | Arun Lakhotia

[1] Eugene H. Spafford,et al. Authorship analysis: identifying the author of a program , 1997, Comput. Secur..

[2] S. Katzenbeisser,et al. Malware Normalization , 2005 .

[3] Arun Lakhotia,et al. ARE METAMORPHIC VIRUSES REALLY INVINCIBLE ? PART 1 , 2004 .

[4] Christopher Krügel,et al. Polymorphic Worm Detection Using Structural Information of Executables , 2005, RAID.

[5] Somesh Jha,et al. Semantics-aware malware detection , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[6] Arun Lakhotia,et al. Using engine signature to detect metamorphic malware , 2006, WORM '06.

[7] Mattia Monga,et al. Using Code Normalization for Fighting Self-Mutating Malware , 2006, ISSSE.

[8] Arun Lakhotia,et al. Imposing order on program statements to assist anti-virus scanners , 2004, 11th Working Conference on Reverse Engineering.

[9] Peter Szor,et al. The Art of Computer Virus Research and Defense , 2005 .

[10] Salvatore J. Stolfo,et al. Towards Stealthy Malware Detection , 2007, Malware Detection.

[11] Arun Lakhotia,et al. CHALLENGES IN GETTING ‘FORMAL’ WITH VIRUSES , 2003 .

[12] Andrew Walenstein,et al. Normalizing Metamorphic Malware Using Term Rewriting , 2006, 2006 Sixth IEEE International Workshop on Source Code Analysis and Manipulation.

[13] Tom Fawcett,et al. ROC Graphs: Notes and Practical Considerations for Researchers , 2007 .

[14] Mohamed R. Chouchane,et al. The Design Space of Metamorphic Malware , 2007 .