International Journal of Intelligent Systems and Applications(IJISA)
ISSN: 2074-904X (Print), ISSN: 2074-9058 (Online)
Published By: MECS Press
IJISA Vol.8, No.4, Apr. 2016
Detection of Metamorphic Malware based on HMM: A Hierarchical Approach
Full Text (PDF, 566KB), PP.18-25
Recent research has shown that the hidden Markov model (HMM) is a compelling option for malware detection. However, some advanced metamorphic malware can evade traditional HMM-based methods. The proposed approach provides a two-layer technique to overcome these challenges. Malware contains various sequences of opcodes, some of which are more important and help detect the malware, while the rest cause interference. The important opcode sequences are extracted by eliminating partial sequences, because partial sequences of opcodes have more similarities to benign files. In this method, the sliding window technique is used to extract the sequences. In this paper, HMMs are trained using the important sequences of opcodes, which leads to better results. Compared with previous methods, the results demonstrate that the proposed method is more accurate in metamorphic malware detection and faster at classification.
Cite This Paper
Mina Gharacheh, Vali Derhami, Sattar Hashemi, Seyed Mehdi Hazrati Fard, "Detection of Metamorphic Malware based on HMM: A Hierarchical Approach", International Journal of Intelligent Systems and Applications(IJISA), Vol.8, No.4, pp.18-25, 2016. DOI: 10.5815/ijisa.2016.04.02