INFORMATION CHANGE THE WORLD

International Journal of Intelligent Systems and Applications(IJISA)

ISSN: 2074-904X (Print), ISSN: 2074-9058 (Online)

Published By: MECS Press

IJISA Vol.8, No.4, Apr. 2016

Detection of Metamorphic Malware based on HMM: A Hierarchical Approach

Full Text (PDF, 566KB), PP.18-25


Views:18   Downloads:0

Author(s)

Mina Gharacheh, Vali Derhami, Sattar Hashemi, Seyed Mehdi Hazrati Fard

Index Terms

Malware detection;metamorphic malware;hidden Markov model

Abstract

Recent research have depicted that hidden Markov model (HMM) is a persuasive option for malware detection. However, some advanced metamorphic malware are able to overcome the traditional methods based on HMMs. This proposed approach provides a two-layer technique to overcome these challenges. Malware contain various sequences of opcodes some of which are more important and help detect the malware and the rest cause interference. The important sequences of opcodes are extracted by eliminating partial sequences due to the fact that partial sequences of opcodes have more similarities to benign files. In this method, the sliding window technique is used to extract the sequences. In this paper, HMMs are trained using the important sequences of opcodes that will lead to better results. In comparison to previous methods, the results demonstrate that the proposed method is more accurate in metamorphic malware detection and shows higher speed at classification.

Cite This Paper

Mina Gharacheh, Vali Derhami, Sattar Hashemi, Seyed Mehdi Hazrati Fard,"Detection of Metamorphic Malware based on HMM: A Hierarchical Approach", International Journal of Intelligent Systems and Applications(IJISA), Vol.8, No.4, pp.18-25, 2016. DOI: 10.5815/ijisa.2016.04.02

Reference

[1]A. Kalbhor, T. H. Austin, E. Filiol and M. Stamp, "Dueling hidden Markov models for virus analysis," Journal in Computer Virology Hack Tech:Springer, 2014. 

[2]C. Annachhatre, T. H. Austin and M. Stamp, "Hidden Markov models for malware classification," Journal in Computer Virology Hack Tech:Springer, 2014.

[3]D. Baysa, "Structural Entropy and Metamorphic Malware," M.S. dissertation, Dept. Comp. Sc., Univ. San Jose State, 2013.

[4]J. Aycock, "Computer Viruses and Malware," Advances In Information Security:Springer, 2006.

[5]J. Kuriakose and P. Vinod, "Ranked Linear Discriminant Analysis Features for Metamorphic Malware Detection," IEEE International Advanced Computing Conference, pp. 112-117, 2014.

[6]K. Mathur and S. Hiranwal, "A Survey on Techniques in Detection and Analyzing Malware Executables," International Journal of Advanced Research in Computer Science and Software Engineering, pp. 422-428, 2013.

[7]L. Rabiner, "A tutorial on hidden Markov models and selected applications in speech recognition," Proceedings of the IEEE, pp. 257-286, 1989.

[8]M. Gales, and S. Young, "The Application of Hidden Markov Models in Speech Recognition," Now Publishers Inc, pp. 195-304, 2008. 

[9]M. Stamp, "A revealing introduction to hidden Markov models," Dept. Comp. Sc., Univ. San Jose State, 2012.

[10]S. Alam, I. Sogukpinar, I. Traore and R. Horspool, "Sliding window and control flow weight for metamorphic malware detection," Journal in Computer Virology Hack Tech: Springer, pp. 75-88, 2015. 

[11]T. H. Austin, E. Filiol, S. Josse and M. Stamp, "Exploring hidden Markov models for virus analysis: A semantic approach," Hawaii International Conference on System Sciences, pp. 5039-5048, 2013.

[12]W. Wong, "Analysis and Detection of Metamorphic Computer Viruses," M.S. dissertation, Dept. Comp. Sc., Univ. San Jose State, 2006.

[13]NGVCK. VX Heavens, Retrieved from http://vxheaven.org/vx.php?id=tn02

[14]G2. VX Heavens. Retrieved from http://download.adamas.ai/dlbase/Stuff/VX%20Heavens 20Library/tatic/vdat/creatrs1.htm

[15]MPCGEN . VX Heavens, http://vxheaven.org/vx.php?id=tm02

[16]MetaPHOR. Retrieved from http://spth.virii.lu/29a6/29A-6.602.txt

[17]Sridhara, S. M., & Stamp, M. (2013). Metamorphic worm that carries its own morphing engine. Journal of Computer Virology and Hacking Techniques, 9(2), 49-58.

[18]Clang. Retrieved from http://clang.llvm.org/

[19]Cygwin. Retrieved from http://www.cygwin.com/

[20]GCC. Retrieved from http://gcc.gnu.org/

[21]MinGW. Retrieved from http://www.mingw.org/

[22]TASM. Retrieved from http://trimtab.ca/2010/tech/tasm-5-intel-8086-turbo-assemblerdownload

[23]Turbo C, Retrieved from http://edn.embarcadero.com/article/20841