Improving the detection of metamorphic malware through data dependency graphs indexing

Luis Rojas Aguilera, Eduardo Souto, Gilbert Breves Martins

Abstract


Metamorphism has been successfully applied to original malicious code to create and proliferate new malware instances that are harder to detect. This work presents an approach that identifies metamorphic malware by comparing data dependency graphs. Features are extracted from the data dependency graphs to build an index that is used to determine which malware family a suspicious code belongs to. Experimental results on 3045 samples of metamorphic malware showed that our proposed approach obtained an accuracy rate higher than most commercial anti-malware tools.
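To make the idea concrete, the following added illustration (not code from the paper or its authors) builds a data dependency graph from a few constructed x86-style instructions, derives an isomorphism-invariant feature vector from it, and looks the vector up in a small family index. The instruction semantics table, the degree-pair histogram used as the feature, the L1 nearest-neighbour lookup and the two toy families are all assumptions chosen for the example; the paper's actual feature set and index are described in the full text. The point it demonstrates is why a data dependency graph resists the three common metamorphic transformations: register renaming leaves the graph unchanged, junk instructions become isolated nodes that the feature ignores, and reordering independent instructions yields an isomorphic graph.

```python
import re
from collections import Counter

# Toy operand semantics, assumed for this example only:
# (reads first operand, writes first operand, reads second operand)
SEMANTICS = {
    "mov": (False, True, True), "lea": (False, True, True),
    "add": (True, True, True),  "sub": (True, True, True),
    "xor": (True, True, True),  "and": (True, True, True),
    "or": (True, True, True),   "inc": (True, True, False),
    "push": (True, False, False), "nop": (False, False, False),
}
REG = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p)\b")


def parse(asm):
    """Turn a text listing into [(mnemonic, [operands])], dropping comments."""
    insns = []
    for line in asm.strip().splitlines():
        line = line.split(";")[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        ops = [o.strip() for o in parts[1].split(",")] if len(parts) > 1 else []
        insns.append((parts[0].lower(), ops))
    return insns


def regs(operand):
    return set(REG.findall(operand.lower()))


def build_ddg(insns):
    """Def-use edges (producer_index, consumer_index): an instruction that reads a
    register depends on the most recent instruction that wrote it."""
    last_def, edges = {}, set()
    for i, (mnem, ops) in enumerate(insns):
        reads_dst, writes_dst, reads_src = SEMANTICS.get(mnem, (True, True, True))
        uses = set()
        if ops and (reads_dst or "[" in ops[0]):   # a memory destination still reads its address regs
            uses |= regs(ops[0])
        if len(ops) > 1 and reads_src:
            uses |= regs(ops[1])
        for r in uses:
            if r in last_def:
                edges.add((last_def[r], i))
        if ops and writes_dst and "[" not in ops[0]:
            for r in regs(ops[0]):
                last_def[r] = i
    return edges


def features(edges):
    """Histogram of (in-degree, out-degree) pairs over non-isolated nodes.
    Invariant under node relabelling, so renaming and reordering do not change it,
    and junk instructions (isolated nodes) never appear in it."""
    indeg, outdeg = Counter(), Counter()
    for u, v in edges:
        outdeg[u] += 1
        indeg[v] += 1
    return Counter((indeg[n], outdeg[n]) for n in set(indeg) | set(outdeg))


def distance(a, b):
    return sum(abs(a[k] - b[k]) for k in set(a) | set(b))


def build_index(labelled):
    """family -> list of feature vectors for known samples."""
    index = {}
    for family, asm in labelled:
        index.setdefault(family, []).append(features(build_ddg(parse(asm))))
    return index


def classify(index, asm):
    """Nearest-neighbour lookup: family of the closest indexed feature vector."""
    f = features(build_ddg(parse(asm)))
    return min(index, key=lambda fam: min(distance(f, g) for g in index[fam]))


# Constructed samples. FAMILY_A_V2 is FAMILY_A_V1 after register renaming,
# nop insertion and swapping the two independent leading moves.
FAMILY_A_V1 = "mov eax, 5\nmov ebx, 7\nadd eax, ebx\nmov ecx, eax\nxor ecx, ebx\npush ecx"
FAMILY_A_V2 = "mov esi, 7\nnop\nmov edx, 5\nadd edx, esi\nnop\nmov edi, edx\nxor edi, esi\npush edi"
FAMILY_B_V1 = "mov eax, 1\nmov ebx, eax\nmov ecx, ebx\nmov edx, ecx\npush edx"
FAMILY_B_V2 = "mov esi, 1\nnop\nmov edi, esi\nmov eax, edi\nmov ebx, eax\npush ebx"


def demo():
    index = build_index([("family_a", FAMILY_A_V1), ("family_b", FAMILY_B_V1)])
    return {"a_v2": classify(index, FAMILY_A_V2), "b_v2": classify(index, FAMILY_B_V2)}


if __name__ == "__main__":
    print(demo())
```

The feature is deliberately crude: a degree-pair histogram loses most of the graph's structure, so unrelated families can collide, and the L1 nearest neighbour has no rejection threshold for a sample that belongs to no indexed family. Both are gaps a real index (such as the one the paper evaluates) has to address.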

Keywords


malware; metamorphism; dependency graphs; reverse engineering; machine learning

DOI: https://doi.org/10.17648/enigma.v4i1.65

This work is licensed under a Creative Commons Attribution 4.0 International License.

This site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.