SlideShare a Scribd company logo

Metamorphic Malware Analysis and Detection

Grijesh Chauhan
Grijesh Chauhan

ABSTRACT : -------------------- Modern malware that are metamorphic or polymorphic in nature mutate their code by employing code obfuscation and encryption methods to thwart detection. Thus, conventional signature based scanners fail to detect these malware. In order to address the problems of detecting known variants of metamorphic malware, we propose a method using bioinformatics techniques effectively used for Protein and DNA matching. Instead of using exact signature matching methods, more sophisticated signature(s) are extracted using multiple sequence alignment (MSA). The results show that the proposed method is capable of identifying malware variants with minimum false alarms and misses. Also, the detection rate achieved with our proposed method is better compared to commercial antivirus products used in the study. Status: ---------- This work has been accepted by 8th IEEE International Conference on Innovations in Information Technology (Innovations'12). Link: ------- http://ieeexplore.ieee.org/xpl/login.jsp?reload=true&tp=&arnumber=6207739&url=http://ieeexplore.ieee.org/iel5/6203543/6207707/06207739.pdf?arnumber=6207739 e-mail: grijesh.mnit@gmail.com

EducationTechnologyBusiness
1 of 32
Download to read offline
Bioinformatics Techniques for Metamorphic Malware Analysis and Detection Malaviya National Institute of Technology, Jaipur and Detection Supervisors: Dr. M. S. Gaur Dr. V. Laxmi By: Grijesh Chauhan (2009PCP116)
Outline Malware & Metamorphic malware Motivation Objective Bioinformatics TechniquesBioinformatics Techniques MOMENTUM Dataset Result & Analysis References Malaviya National Institute of Technology, Jaipur
Malware Malware are software with intentions to infect and replicate. Threats Loss of data Malaviya National Institute of Technology, Jaipur Loss of data Degrades computer system performance Identity threat Two broad categories Metamorphic: Virus body changes on each replication Polymorphic: Encrypts malicious payload to avoid detection
Metamorphic Malware[1/2] Metamorphic malware have similar functionality, different structure and signature. Malaviya National Institute of Technology, Jaipur Similar to genetic diversity in Biology. Variant -1 Variant -2 Variant -3 Metamorphic Engine Diagram depicts metamorphic malware variants with reordered code
Metamorphic Malware[1/2] Metamorphic Malware automatically re-codes itself each time it propagates or is distributed. Conventional signature based scanners are ineffective for detecting variants of same malware. Malaviya National Institute of Technology, Jaipur Sophisticated signature(s) are required to detect metamorphic variants of malware.
Motivation Variants of metamorphic malware are generated using a small embedded metamorphic engine to defeat detection [2]. Limited number of instructions are used to generate Malaviya National Institute of Technology, Jaipur variants so as to preserve functionality. Metamorphic malware like DNA/ protein sequences mutate from generation to generation, they inherit functionality and some structural similarity with ancestral malware.
Objective To devise a method for detection of metamorphic malware and its variants. To extract the abstract signature(s) using Bioinformatics sequence alignment Malaviya National Institute of Technology, Jaipur base code is preserved in different generations, obfuscated using junk code or equivalent instructions etc. To identify unseen malware samples using best representative signatures (group/single) of a family.
Sequence Alignment [1/2] Sequence alignment is a way of arranging DNA/Protein sequences to identify regions of similarity to infer functional, structural or evolutionary relationship. Malaviya National Institute of Technology, Jaipur Alignment Methods Global Alignment - align sequences end to end. Local Alignment - align substring of one sequence with substring of other. Multiple Sequence Alignment (MSA) - align more than two sequences.
Sequence Alignment [2/2] Global alignment L G P S S K Q T G K G S - S R I D N L N - I T K S A G K G A I M R L D A Local alignment Malaviya National Institute of Technology, Jaipur Local alignment - - - - - - T G - G - - - - - - - - - - - - - A G K G - - - - - - - Alignment Parameter Match Mismatch Gap Point of Mutation
Multiple Sequence Alignment MSA is extension of pairwise alignment for more than two sequences. It is used to identify conserved regions across a group of sequences. Malaviya National Institute of Technology, Jaipur M1 M2 M3 M4 M5 add add add - add - push push push push Mov mov mov mov mov - call jmp jz jmp jmp jmp mov mov mov • Mi – ith Malware instance
Implementation of MSA MSA is implemented using Progressive technique (ClustalW[9]) Progressive MSA follows three steps: Determine similarity between each pair by pairwise Malaviya National Institute of Technology, Jaipur Determine similarity between each pair by pairwise alignment. Construct a guided tree (Phylogenetic tree) to represent evolutionary relationship. MSA is build by aligning closely related groups to most distant group according to guided tree.
Phylogenetic Tree Phylogenetic Tree depict evolutionary relationship among the sequences. To form groups of similar viruses Malaviya National Institute of Technology, Jaipur viruses Guides MSA progressively to align closer groups first A B D F E ( (E,(A,B)), (D,F) )
Similarity Measurement Alignment Score : Is the sum of score specified for each aligned pair of mnemonics. Higher the score more similar the sequences. Distance (d) : Calculated using following formulas Malaviya National Institute of Technology, Jaipur formulas Higher the distance more dissimilar the sequences )#(# # matchmismatch mismatch Nd + = )##(# gapmatchmismatchLd ++= • Nd is Normalized distance, Ld is Levenshtein distance
Identification of Base Malware Base malware in a family is most similar to rest all with highest sum of score using pairwise alignment (SoP[3]). M1 M2 M3 M4 SoPM2 Malaviya National Institute of Technology, Jaipur M1 - 7 -2 1 6 M2 7 - -3 0 4 M3 -2 -3 - 1 -4 M4 1 0 1 - 2 is Base Malware Score Matrix M1 M3 M4 M2 M1 • Mi – ith Malware instance
Implementation Method MetamOrphic Malware ExploratioN Technique Using MSA (MOMENTUM) demonstrate the applicability of Bioinformatics Techniques for metamorphic malware analysis and detection. Malaviya National Institute of Technology, Jaipur Two phase of MOMENTUN are: Analysis of Metamorphism in Tools/Real Malware Signature Modelling and Testing
MOMENTUM [1/2] Metamorphic Families (Virus Tools and Real Malware) Intra-Family pair-wise Alignment Malaviya National Institute of Technology, Jaipur Distance Matrix Base file Alignments of two files Metamorphic? Inter-Family pair-wise Alignment Families Overlap ? Obfuscation ? • Flow diagram for metamorphism analysis
MOMENTUM [2/2] Training Set Testing Set Divide data set in two parts Malaviya National Institute of Technology, Jaipur Extract Group Signature Testing with single and group signatures Single Signature Scan Logs Threshold Threshold • Diagram depicts Signature Modelling and Testing
MSA Signature MSA signature (single signature) is a sequence of preserved mnemonics in alignment. M1 M2 M3 M4 M5 MSA Sign push push - - push push Mt push Malaviya National Institute of Technology, Jaipur Mnemonic that appears more than 50% in a row is included in MSA signature. - - jump jump jump jump mov mov - lea xor call call call call call call push mov mov - mov mov • Mi – ith Malware instance and Mt – Test Sample jump lea call push
Group Signature Group signature is extracted from single signature for each subgroup. Sub groups are formed using evolutionary relationship. Single signature is extracted for each subgroup and combined in the form of wildcard. Malaviya National Institute of Technology, Jaipur combined in the form of wildcard. DiagramSign1 Sign2 Sign3 Sign4 Sign5 Group Sign push push - - push push jz jz jump jump jump jump|jz mov mov - lea xor mov|lea|xor call call call call call call - mov mov - push mov|push • Signi – Signature for ith sub-group in a family Mt push jz lea call push
Threshold Sign 0 B B M M Score . . . . . . Benign Malware Malaviya National Institute of Technology, Jaipur Threshold 0 Bmin Bmax Mmin Mmax Score Where: Bmin Benign with minimum score Bmax Benign with maximum score Mmin Malware with minimum score Mmax Malware with maximum score Threshold (Bmax + Mmin) /2 , ( Threshold > Bmax )
Dataset [1/2] Dataset Description: Type Source #Family #instances Synthetic NGVCK, PSMPC, G2, MPCGEN 46 1051 User Agencies Malaviya National Institute of Technology, Jaipur * consists of unknown viruses (in test set). Dataset is equally divided into training and testing set. Real User Agencies 52 + 1* 1209 VxHeavens Benign System32,Cygwin etc. 1 150 1*
Dataset [2/2] All samples are in Portable Executables (PE) format. Samples are unpacked using Dynamic unpacker (EtherUnpack [7] ) Malaviya National Institute of Technology, Jaipur Dynamic unpacker (EtherUnpack [7] ) Signature based unpacker (GUNPacker [10]) Malware families are created from combined scanned results of 14 antiviruses. Benign samples are also scanned.
Result for Intra Family 0.05 0.1 0.15 0.2 0.25 0.3 AverageDistance Global Local Levenshtein Malaviya National Institute of Technology, Jaipur Non zero values indicates presence of metamorphism in synthetic data. Levenshtein distance is high due to junk code insertion. Inspite of high values of global distance, local distances are low in most of the samples. This indicates presence of similar regions in code. 0 NGVCK PSMPC G2 MPCGEN • Average distance is between 0 to 1
Result for Inter Family 0.1 0.2 0.3 0.4 0.5 0.6 0.7 AverageDistnce Global Local Levenshtein Malaviya National Institute of Technology, Jaipur Distance is less than intra family distance. This indicates most of malware share some base code. Levenshtein distance is higher because of change in functionality. 0 0.1 NGVCK PSMPC G2 MPCGEN VX HEAVENS • Average distance is between 0 to 1
Comparative Analysis VIRUS TYPE Replacements/ Alignment Avg. SoD OBFUSCATION NGVCK 47 1.03 Average Simple G2 3 1.45 Low Simple MPCGEN 31 0.61 Average Simple Malaviya National Institute of Technology, Jaipur MPCGEN 31 0.61 Average Simple PSMPC 1 1.35 Low Weak Vx-Heavens 122 8.3 Large Complex Viruses generated using tools belong to same family. Families of real malware are distinct. In PSMPC loop and jump instructions contribute for obfuscation this increases the distance between samples. NGVCK viruses overlaps with real malware (Savior). • SoD – Sum of distances of a family with rest other family
Detection Results 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 EvaluationMetrics MSA Single Group Signature Malaviya National Institute of Technology, Jaipur 95.5% of malware is detected with MSA signature, detection with Group signature is 72.4% . 53% of benign is falsely detected as malware with MSA signature due to loss mnemonics used for mutation in malware. Group signature preserves point of mutation that is absent in benign samples. 0 0.1 TPR FPR
MOMENTUM with Antiviruses 20 30 40 50 60 70 80 90 DetectionRate Malaviya National Institute of Technology, Jaipur MOMENTUM (group signature) is found to be comparable to best ant-viruses. Out of 35 undetected malware with antiviruses, MOMENTUM could detect 20 malware. 0 10 20
Scope for Improvement Instead of same mismatch score, compute weighted score for each pair of mnemonics using frequency of mismatches. In the alignment, operand part can be considered to verify actual changes (replacement/gap). Malaviya National Institute of Technology, Jaipur to verify actual changes (replacement/gap). This can fetch the way morpher preserves functionality.
List of Publications [1] Vinod P., V.Laxmi, M.S.Gaur, Grijesh Chauhan Detecting Malicious Files using Non-Signature based Methods, (To appear) Oxford Computer Journal. [2] Vinod P., V.Laxmi, M.S.Gaur, Grijesh Chauhan Malware Detection using Non-Signature based Method, In Malaviya National Institute of Technology, Jaipur Malware Detection using Non-Signature based Method, In Proceeding of IEEE International Conference on Network Communication and Computer-ICNCC 2011, pp-427-43, DOI: 978-1-4244-9551-1/11.
References [1] E.Karim, A.Walenstein, A.Lakhotia, “Malware Phylogeny using Permutation of code”, In Proceedings of EICAR 2005, pp 167-174 [2] M.R. Chouchane and A. Lakhotia , “Using engine signature to detect metamorphic malware”, In Proceedings of the 4th ACM workshop on Recurring malcode, WORM '06, 2006,73-78. Malaviya National Institute of Technology, Jaipur [3] Mona Singh, " Multiple Sequence Alignment ", Lecture Notes: www.cs.princeton.edu/~mona/Lecture/msa1.pdf (Last viewed on 14-6-2011) [4] Mona Singh, " Phylogenetics ", Lecture Notes: www.cs.princeton.edu/~mona/Lecture/msa1.pdf (Last viewed on 14-6-2011) [5] T. Smith and M. Waterman, “Identification of Common Molecular Subsequences”, Journal of Molecular Biology, pp 195-197, 1987 [6] Mark Stamp, Wing Wong. "Hunting for metamorphic engines". Journal in Computer Virology, 2(3):211-229
References [7] Ether for Malware Unpacking: http://ether.gtisc.gatech.edu/malware.html (Last viewed on 14-6-2011) [8] Jian Li, Jun Xu, Ming Xu, HengiLi Zhao, Ning Zheng, “Malware Obfuscation Measuring via Evolutionary Similarity”, In Proceedings of IEEE Int. Conference on Future Information Network 2009. Malaviya National Institute of Technology, Jaipur [9] Larkin MA et al, " Clustal W and Clustal X version 2.0 ". Bioinformatics, 23, 2947-2948, 2007. [10] GUnPacker : http://www.woodmann.com/collaborative/tools/index.php/GUnPacker (Last viewed on 14-6-2011)
Thanks! Malaviya National Institute of Technology, Jaipur

Recommended

Regex cheatsheet
Regex cheatsheetRegex cheatsheet
Regex cheatsheetNont Banditwong
 
Python Flow Control
Python Flow ControlPython Flow Control
Python Flow ControlMohammed Sikander
 
Functions and modules in python
Functions and modules in pythonFunctions and modules in python
Functions and modules in pythonKarin Lagesen
 
Python programming : Inheritance and polymorphism
Python programming : Inheritance and polymorphismPython programming : Inheritance and polymorphism
Python programming : Inheritance and polymorphismEmertxe Information Technologies Pvt Ltd
 
Chapter 07 inheritance
Chapter 07 inheritanceChapter 07 inheritance
Chapter 07 inheritancePraveen M Jigajinni
 
Python - object oriented
Python - object orientedPython - object oriented
Python - object orientedLearnbay Datascience
 
Naive bayes
Naive bayesNaive bayes
Naive bayesAshraf Uddin
 
Haystack 2019 - Making the case for human judgement relevance testing - Tara ...
Haystack 2019 - Making the case for human judgement relevance testing - Tara ...Haystack 2019 - Making the case for human judgement relevance testing - Tara ...
Haystack 2019 - Making the case for human judgement relevance testing - Tara ...OpenSource Connections
 

Recommended

Regex cheatsheet
Regex cheatsheetRegex cheatsheet
Regex cheatsheetNont Banditwong
 
Python Flow Control
Python Flow ControlPython Flow Control
Python Flow ControlMohammed Sikander
 
Functions and modules in python
Functions and modules in pythonFunctions and modules in python
Functions and modules in pythonKarin Lagesen
 
Python programming : Inheritance and polymorphism
Python programming : Inheritance and polymorphismPython programming : Inheritance and polymorphism
Python programming : Inheritance and polymorphismEmertxe Information Technologies Pvt Ltd
 
Chapter 07 inheritance
Chapter 07 inheritanceChapter 07 inheritance
Chapter 07 inheritancePraveen M Jigajinni
 
Python - object oriented
Python - object orientedPython - object oriented
Python - object orientedLearnbay Datascience
 
Naive bayes
Naive bayesNaive bayes
Naive bayesAshraf Uddin
 
Haystack 2019 - Making the case for human judgement relevance testing - Tara ...
Haystack 2019 - Making the case for human judgement relevance testing - Tara ...Haystack 2019 - Making the case for human judgement relevance testing - Tara ...
Haystack 2019 - Making the case for human judgement relevance testing - Tara ...OpenSource Connections
 
Python tuple
Python tuplePython tuple
Python tupleMohammed Sikander
 
Data file handling in python introduction,opening & closing files
Data file handling in python introduction,opening & closing filesData file handling in python introduction,opening & closing files
Data file handling in python introduction,opening & closing fileskeeeerty
 
Java constructors
Java constructorsJava constructors
Java constructorsQUONTRASOLUTIONS
 
Strings in python
Strings in pythonStrings in python
Strings in pythonPrabhakaran V M
 
Object oriented programming with python
Object oriented programming with pythonObject oriented programming with python
Object oriented programming with pythonArslan Arshad
 
Dr. Steve Liu, Chief Scientist, Tinder at MLconf SF 2017
Dr. Steve Liu, Chief Scientist, Tinder at MLconf SF 2017Dr. Steve Liu, Chief Scientist, Tinder at MLconf SF 2017
Dr. Steve Liu, Chief Scientist, Tinder at MLconf SF 2017MLconf
 
Insider Threats Detection in Cloud using UEBA
Insider Threats Detection in Cloud using UEBAInsider Threats Detection in Cloud using UEBA
Insider Threats Detection in Cloud using UEBALucas Ko
 
Message Authentication Code & HMAC
Message Authentication Code & HMACMessage Authentication Code & HMAC
Message Authentication Code & HMACKrishna Gehlot
 
Looping Statements and Control Statements in Python
Looping Statements and Control Statements in PythonLooping Statements and Control Statements in Python
Looping Statements and Control Statements in PythonPriyankaC44
 
NumPy/SciPy Statistics
NumPy/SciPy StatisticsNumPy/SciPy Statistics
NumPy/SciPy StatisticsEnthought, Inc.
 
Python strings presentation
Python strings presentationPython strings presentation
Python strings presentationVedaGayathri1
 
Python Data-Types
Python Data-TypesPython Data-Types
Python Data-TypesAkhil Kaushik
 
Classification Based Machine Learning Algorithms
Classification Based Machine Learning AlgorithmsClassification Based Machine Learning Algorithms
Classification Based Machine Learning AlgorithmsMd. Main Uddin Rony
 
K means Clustering Algorithm
K means Clustering AlgorithmK means Clustering Algorithm
K means Clustering AlgorithmKasun Ranga Wijeweera
 
Data Visualization using matplotlib
Data Visualization using matplotlibData Visualization using matplotlib
Data Visualization using matplotlibBruno Gonçalves
 
Robust Filtering Schemes for Machine Learning Systems to Defend Adversarial A...
Robust Filtering Schemes for Machine Learning Systems to Defend Adversarial A...Robust Filtering Schemes for Machine Learning Systems to Defend Adversarial A...
Robust Filtering Schemes for Machine Learning Systems to Defend Adversarial A...Kishor Datta Gupta
 
Challenges in Large Scale Machine Learning
Challenges in Large Scale Machine LearningChallenges in Large Scale Machine Learning
Challenges in Large Scale Machine LearningSudarsun Santhiappan
 
F strings
F stringsF strings
F stringsMariatta Wijaya
 
Python programming : Classes objects
Python programming : Classes objectsPython programming : Classes objects
Python programming : Classes objectsEmertxe Information Technologies Pvt Ltd
 
Data pre processing
Data pre processingData pre processing
Data pre processingjunnubabu
 
IRJET - Survey on Malware Detection using Deep Learning Methods
IRJET - Survey on Malware Detection using Deep Learning MethodsIRJET - Survey on Malware Detection using Deep Learning Methods
IRJET - Survey on Malware Detection using Deep Learning MethodsIRJET Journal
 
IRJET- Intrusion Detection using IP Binding in Real Network
IRJET- Intrusion Detection using IP Binding in Real NetworkIRJET- Intrusion Detection using IP Binding in Real Network
IRJET- Intrusion Detection using IP Binding in Real NetworkIRJET Journal
 

More Related Content

What's hot

Data file handling in python introduction,opening & closing files
Data file handling in python introduction,opening & closing filesData file handling in python introduction,opening & closing files
Data file handling in python introduction,opening & closing fileskeeeerty
 
Object oriented programming with python
Object oriented programming with pythonObject oriented programming with python
Object oriented programming with pythonArslan Arshad
 
Dr. Steve Liu, Chief Scientist, Tinder at MLconf SF 2017
Dr. Steve Liu, Chief Scientist, Tinder at MLconf SF 2017Dr. Steve Liu, Chief Scientist, Tinder at MLconf SF 2017
Dr. Steve Liu, Chief Scientist, Tinder at MLconf SF 2017MLconf
 
Insider Threats Detection in Cloud using UEBA
Insider Threats Detection in Cloud using UEBAInsider Threats Detection in Cloud using UEBA
Insider Threats Detection in Cloud using UEBALucas Ko
 
Message Authentication Code & HMAC
Message Authentication Code & HMACMessage Authentication Code & HMAC
Message Authentication Code & HMACKrishna Gehlot
 
Looping Statements and Control Statements in Python
Looping Statements and Control Statements in PythonLooping Statements and Control Statements in Python
Looping Statements and Control Statements in PythonPriyankaC44
 
Python strings presentation
Python strings presentationPython strings presentation
Python strings presentationVedaGayathri1
 
Classification Based Machine Learning Algorithms
Classification Based Machine Learning AlgorithmsClassification Based Machine Learning Algorithms
Classification Based Machine Learning AlgorithmsMd. Main Uddin Rony
 
Data Visualization using matplotlib
Data Visualization using matplotlibData Visualization using matplotlib
Data Visualization using matplotlibBruno Gonçalves
 
Robust Filtering Schemes for Machine Learning Systems to Defend Adversarial A...
Robust Filtering Schemes for Machine Learning Systems to Defend Adversarial A...Robust Filtering Schemes for Machine Learning Systems to Defend Adversarial A...
Robust Filtering Schemes for Machine Learning Systems to Defend Adversarial A...Kishor Datta Gupta
 
Challenges in Large Scale Machine Learning
Challenges in Large Scale Machine LearningChallenges in Large Scale Machine Learning
Challenges in Large Scale Machine LearningSudarsun Santhiappan
 
Data pre processing
Data pre processingData pre processing
Data pre processingjunnubabu
 

What's hot (20)

Python tuple
Python tuplePython tuple
Python tuple
 
Data file handling in python introduction,opening & closing files
Data file handling in python introduction,opening & closing filesData file handling in python introduction,opening & closing files
Data file handling in python introduction,opening & closing files
 
Java constructors
Java constructorsJava constructors
Java constructors
 
Strings in python
Strings in pythonStrings in python
Strings in python
 
Object oriented programming with python
Object oriented programming with pythonObject oriented programming with python
Object oriented programming with python
 
Dr. Steve Liu, Chief Scientist, Tinder at MLconf SF 2017
Dr. Steve Liu, Chief Scientist, Tinder at MLconf SF 2017Dr. Steve Liu, Chief Scientist, Tinder at MLconf SF 2017
Dr. Steve Liu, Chief Scientist, Tinder at MLconf SF 2017
 
Insider Threats Detection in Cloud using UEBA
Insider Threats Detection in Cloud using UEBAInsider Threats Detection in Cloud using UEBA
Insider Threats Detection in Cloud using UEBA
 
Message Authentication Code & HMAC
Message Authentication Code & HMACMessage Authentication Code & HMAC
Message Authentication Code & HMAC
 
Looping Statements and Control Statements in Python
Looping Statements and Control Statements in PythonLooping Statements and Control Statements in Python
Looping Statements and Control Statements in Python
 
NumPy/SciPy Statistics
NumPy/SciPy StatisticsNumPy/SciPy Statistics
NumPy/SciPy Statistics
 
Python strings presentation
Python strings presentationPython strings presentation
Python strings presentation
 
Python Data-Types
Python Data-TypesPython Data-Types
Python Data-Types
 
Classification Based Machine Learning Algorithms
Classification Based Machine Learning AlgorithmsClassification Based Machine Learning Algorithms
Classification Based Machine Learning Algorithms
 
K means Clustering Algorithm
K means Clustering AlgorithmK means Clustering Algorithm
K means Clustering Algorithm
 
Data Visualization using matplotlib
Data Visualization using matplotlibData Visualization using matplotlib
Data Visualization using matplotlib
 
Robust Filtering Schemes for Machine Learning Systems to Defend Adversarial A...
Robust Filtering Schemes for Machine Learning Systems to Defend Adversarial A...Robust Filtering Schemes for Machine Learning Systems to Defend Adversarial A...
Robust Filtering Schemes for Machine Learning Systems to Defend Adversarial A...
 
Challenges in Large Scale Machine Learning
Challenges in Large Scale Machine LearningChallenges in Large Scale Machine Learning
Challenges in Large Scale Machine Learning
 
F strings
F stringsF strings
F strings
 
Python programming : Classes objects
Python programming : Classes objectsPython programming : Classes objects
Python programming : Classes objects
 
Data pre processing
Data pre processingData pre processing
Data pre processing
 

Similar to Metamorphic Malware Analysis and Detection

IRJET - Survey on Malware Detection using Deep Learning Methods
IRJET - Survey on Malware Detection using Deep Learning MethodsIRJET - Survey on Malware Detection using Deep Learning Methods
IRJET - Survey on Malware Detection using Deep Learning MethodsIRJET Journal
 
IRJET- Intrusion Detection using IP Binding in Real Network
IRJET- Intrusion Detection using IP Binding in Real NetworkIRJET- Intrusion Detection using IP Binding in Real Network
IRJET- Intrusion Detection using IP Binding in Real NetworkIRJET Journal
 
Exploiting Semantics-Based Plagiarism Detection Methods
Exploiting Semantics-Based Plagiarism Detection MethodsExploiting Semantics-Based Plagiarism Detection Methods
Exploiting Semantics-Based Plagiarism Detection MethodsIJSRED
 
Malwise-Malware Classification and Variant Extraction
Malwise-Malware Classification and Variant ExtractionMalwise-Malware Classification and Variant Extraction
Malwise-Malware Classification and Variant ExtractionIOSR Journals
 
A Fast Flowgraph Based Classification System for Packed and Polymorphic Malwa...
A Fast Flowgraph Based Classification System for Packed and Polymorphic Malwa...A Fast Flowgraph Based Classification System for Packed and Polymorphic Malwa...
A Fast Flowgraph Based Classification System for Packed and Polymorphic Malwa...Silvio Cesare
 
IRJET- Effective Technique Used for Malware Detection using Machine Learning
IRJET- Effective Technique Used for Malware Detection using Machine LearningIRJET- Effective Technique Used for Malware Detection using Machine Learning
IRJET- Effective Technique Used for Malware Detection using Machine LearningIRJET Journal
 
PROVIDING CYBER SECURITY SOLUTION FOR MALWARE DETECTION USING SUPPORT VECTOR ...
PROVIDING CYBER SECURITY SOLUTION FOR MALWARE DETECTION USING SUPPORT VECTOR ...PROVIDING CYBER SECURITY SOLUTION FOR MALWARE DETECTION USING SUPPORT VECTOR ...
PROVIDING CYBER SECURITY SOLUTION FOR MALWARE DETECTION USING SUPPORT VECTOR ...IRJET Journal
 
BOTNET DETECTION USING VARIOUS MACHINE LEARNING ALGORITHMS: A REVIEW
BOTNET DETECTION USING VARIOUS MACHINE LEARNING ALGORITHMS: A REVIEWBOTNET DETECTION USING VARIOUS MACHINE LEARNING ALGORITHMS: A REVIEW
BOTNET DETECTION USING VARIOUS MACHINE LEARNING ALGORITHMS: A REVIEWIRJET Journal
 
2014 IEEE DOTNET PARALLEL DISTRIBUTED PROJECT A system-for-denial-of-service-...
2014 IEEE DOTNET PARALLEL DISTRIBUTED PROJECT A system-for-denial-of-service-...2014 IEEE DOTNET PARALLEL DISTRIBUTED PROJECT A system-for-denial-of-service-...
2014 IEEE DOTNET PARALLEL DISTRIBUTED PROJECT A system-for-denial-of-service-...IEEEGLOBALSOFTSTUDENTSPROJECTS
 
IEEE 2014 DOTNET PARALLEL DISTRIBUTED PROJECTS A system-for-denial-of-service...
IEEE 2014 DOTNET PARALLEL DISTRIBUTED PROJECTS A system-for-denial-of-service...IEEE 2014 DOTNET PARALLEL DISTRIBUTED PROJECTS A system-for-denial-of-service...
IEEE 2014 DOTNET PARALLEL DISTRIBUTED PROJECTS A system-for-denial-of-service...IEEEMEMTECHSTUDENTPROJECTS
 
Machine learning in computer security
Machine learning in computer securityMachine learning in computer security
Machine learning in computer securityKishor Datta Gupta
 
INTELLIGENT MALWARE DETECTION USING EXTREME LEARNING MACHINE
INTELLIGENT MALWARE DETECTION USING EXTREME LEARNING MACHINEINTELLIGENT MALWARE DETECTION USING EXTREME LEARNING MACHINE
INTELLIGENT MALWARE DETECTION USING EXTREME LEARNING MACHINEIRJET Journal
 
a system for denial-of-service attack detection based on multivariate correla...
a system for denial-of-service attack detection based on multivariate correla...a system for denial-of-service attack detection based on multivariate correla...
a system for denial-of-service attack detection based on multivariate correla...swathi78
 
Malware Detection Using Data Mining Techniques
Malware Detection Using Data Mining Techniques Malware Detection Using Data Mining Techniques
Malware Detection Using Data Mining Techniques Akash Karwande
 
IRJET - A Review on Replay Spoof Detection in Automatic Speaker Verificat...
IRJET - A Review on Replay Spoof Detection in Automatic Speaker Verificat...IRJET - A Review on Replay Spoof Detection in Automatic Speaker Verificat...
IRJET - A Review on Replay Spoof Detection in Automatic Speaker Verificat...IRJET Journal
 
IRJET - Cognitive based Emotion Analysis of a Child Reading a Book
IRJET - Cognitive based Emotion Analysis of a Child Reading a BookIRJET - Cognitive based Emotion Analysis of a Child Reading a Book
IRJET - Cognitive based Emotion Analysis of a Child Reading a BookIRJET Journal
 
Software defect estimation using machine learning algorithms
Software defect estimation using machine learning algorithmsSoftware defect estimation using machine learning algorithms
Software defect estimation using machine learning algorithmsVenkat Projects
 

Similar to Metamorphic Malware Analysis and Detection (20)

IRJET - Survey on Malware Detection using Deep Learning Methods
IRJET - Survey on Malware Detection using Deep Learning MethodsIRJET - Survey on Malware Detection using Deep Learning Methods
IRJET - Survey on Malware Detection using Deep Learning Methods
 
IRJET- Intrusion Detection using IP Binding in Real Network
IRJET- Intrusion Detection using IP Binding in Real NetworkIRJET- Intrusion Detection using IP Binding in Real Network
IRJET- Intrusion Detection using IP Binding in Real Network
 
Exploiting Semantics-Based Plagiarism Detection Methods
Exploiting Semantics-Based Plagiarism Detection MethodsExploiting Semantics-Based Plagiarism Detection Methods
Exploiting Semantics-Based Plagiarism Detection Methods
 
Malwise-Malware Classification and Variant Extraction
Malwise-Malware Classification and Variant ExtractionMalwise-Malware Classification and Variant Extraction
Malwise-Malware Classification and Variant Extraction
 
A Fast Flowgraph Based Classification System for Packed and Polymorphic Malwa...
A Fast Flowgraph Based Classification System for Packed and Polymorphic Malwa...A Fast Flowgraph Based Classification System for Packed and Polymorphic Malwa...
A Fast Flowgraph Based Classification System for Packed and Polymorphic Malwa...
 
IRJET- Effective Technique Used for Malware Detection using Machine Learning
IRJET- Effective Technique Used for Malware Detection using Machine LearningIRJET- Effective Technique Used for Malware Detection using Machine Learning
IRJET- Effective Technique Used for Malware Detection using Machine Learning
 
PROVIDING CYBER SECURITY SOLUTION FOR MALWARE DETECTION USING SUPPORT VECTOR ...
PROVIDING CYBER SECURITY SOLUTION FOR MALWARE DETECTION USING SUPPORT VECTOR ...PROVIDING CYBER SECURITY SOLUTION FOR MALWARE DETECTION USING SUPPORT VECTOR ...
PROVIDING CYBER SECURITY SOLUTION FOR MALWARE DETECTION USING SUPPORT VECTOR ...
 
BOTNET DETECTION USING VARIOUS MACHINE LEARNING ALGORITHMS: A REVIEW
BOTNET DETECTION USING VARIOUS MACHINE LEARNING ALGORITHMS: A REVIEWBOTNET DETECTION USING VARIOUS MACHINE LEARNING ALGORITHMS: A REVIEW
BOTNET DETECTION USING VARIOUS MACHINE LEARNING ALGORITHMS: A REVIEW
 
2014 IEEE DOTNET PARALLEL DISTRIBUTED PROJECT A system-for-denial-of-service-...
2014 IEEE DOTNET PARALLEL DISTRIBUTED PROJECT A system-for-denial-of-service-...2014 IEEE DOTNET PARALLEL DISTRIBUTED PROJECT A system-for-denial-of-service-...
2014 IEEE DOTNET PARALLEL DISTRIBUTED PROJECT A system-for-denial-of-service-...
 
IEEE 2014 DOTNET PARALLEL DISTRIBUTED PROJECTS A system-for-denial-of-service...
IEEE 2014 DOTNET PARALLEL DISTRIBUTED PROJECTS A system-for-denial-of-service...IEEE 2014 DOTNET PARALLEL DISTRIBUTED PROJECTS A system-for-denial-of-service...
IEEE 2014 DOTNET PARALLEL DISTRIBUTED PROJECTS A system-for-denial-of-service...
 
Machine learning in computer security
Machine learning in computer securityMachine learning in computer security
Machine learning in computer security
 
Presentation1.pptx
Presentation1.pptxPresentation1.pptx
Presentation1.pptx
 
proposal
proposalproposal
proposal
 
INTELLIGENT MALWARE DETECTION USING EXTREME LEARNING MACHINE
INTELLIGENT MALWARE DETECTION USING EXTREME LEARNING MACHINEINTELLIGENT MALWARE DETECTION USING EXTREME LEARNING MACHINE
INTELLIGENT MALWARE DETECTION USING EXTREME LEARNING MACHINE
 
a system for denial-of-service attack detection based on multivariate correla...
a system for denial-of-service attack detection based on multivariate correla...a system for denial-of-service attack detection based on multivariate correla...
a system for denial-of-service attack detection based on multivariate correla...
 
Malware Detection Using Data Mining Techniques
Malware Detection Using Data Mining Techniques Malware Detection Using Data Mining Techniques
Malware Detection Using Data Mining Techniques
 
spamzombieppt
spamzombiepptspamzombieppt
spamzombieppt
 
IRJET - A Review on Replay Spoof Detection in Automatic Speaker Verificat...
IRJET - A Review on Replay Spoof Detection in Automatic Speaker Verificat...IRJET - A Review on Replay Spoof Detection in Automatic Speaker Verificat...
IRJET - A Review on Replay Spoof Detection in Automatic Speaker Verificat...
 
IRJET - Cognitive based Emotion Analysis of a Child Reading a Book
IRJET - Cognitive based Emotion Analysis of a Child Reading a BookIRJET - Cognitive based Emotion Analysis of a Child Reading a Book
IRJET - Cognitive based Emotion Analysis of a Child Reading a Book
 
Software defect estimation using machine learning algorithms
Software defect estimation using machine learning algorithmsSoftware defect estimation using machine learning algorithms
Software defect estimation using machine learning algorithms
 

Recently uploaded

DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersSabitha Banu
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsanshu789521
 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfSumit Tiwari
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Celine George
 
Types of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxTypes of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxEyham Joco
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfMr Bounab Samir
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxiammrhaywood
 
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceRoles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceSamikshaHamane
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxmanuelaromero2013
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon AUnboundStockton
 
Gas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxGas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxDr.Ibrahim Hassaan
 
MARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized GroupMARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized GroupJonathanParaisoCruz
 
Painted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of IndiaPainted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of IndiaVirag Sontakke
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17Celine George
 
Meghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media ComponentMeghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media ComponentInMediaRes1
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...JhezDiaz1
 

Recently uploaded (20)

DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginners
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha elections
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17
 
Types of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxTypes of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptx
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
 
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceRoles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in Pharmacovigilance
 
OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptx
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon A
 
Gas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxGas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptx
 
MARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized GroupMARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized Group
 
Painted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of IndiaPainted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of India
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17
 
Meghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media ComponentMeghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media Component
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
 

Metamorphic Malware Analysis and Detection

  • 1. Bioinformatics Techniques for Metamorphic Malware Analysis and Detection Malaviya National Institute of Technology, Jaipur and Detection Supervisors: Dr. M. S. Gaur Dr. V. Laxmi By: Grijesh Chauhan (2009PCP116)
  • 2. Outline Malware & Metamorphic malware Motivation Objective Bioinformatics TechniquesBioinformatics Techniques MOMENTUM Dataset Result & Analysis References Malaviya National Institute of Technology, Jaipur
  • 3. Malware Malware are software with intentions to infect and replicate. Threats Loss of data Malaviya National Institute of Technology, Jaipur Loss of data Degrades computer system performance Identity threat Two broad categories Metamorphic: Virus body changes on each replication Polymorphic: Encrypts malicious payload to avoid detection
  • 4. Metamorphic Malware[1/2] Metamorphic malware have similar functionality, different structure and signature. Malaviya National Institute of Technology, Jaipur Similar to genetic diversity in Biology. Variant -1 Variant -2 Variant -3 Metamorphic Engine Diagram depicts metamorphic malware variants with reordered code
  • 5. Metamorphic Malware[1/2] Metamorphic Malware automatically re-codes itself each time it propagates or is distributed. Conventional signature based scanners are ineffective for detecting variants of same malware. Malaviya National Institute of Technology, Jaipur Sophisticated signature(s) are required to detect metamorphic variants of malware.
  • 6. Motivation Variants of metamorphic malware are generated using a small embedded metamorphic engine to defeat detection [2]. Limited number of instructions are used to generate Malaviya National Institute of Technology, Jaipur variants so as to preserve functionality. Metamorphic malware like DNA/ protein sequences mutate from generation to generation, they inherit functionality and some structural similarity with ancestral malware.
  • 7. Objective To devise a method for detection of metamorphic malware and its variants. To extract the abstract signature(s) using Bioinformatics sequence alignment Malaviya National Institute of Technology, Jaipur base code is preserved in different generations, obfuscated using junk code or equivalent instructions etc. To identify unseen malware samples using best representative signatures (group/single) of a family.
  • 8. Sequence Alignment [1/2] Sequence alignment is a way of arranging DNA/Protein sequences to identify regions of similarity to infer functional, structural or evolutionary relationship. Malaviya National Institute of Technology, Jaipur Alignment Methods Global Alignment - align sequences end to end. Local Alignment - align substring of one sequence with substring of other. Multiple Sequence Alignment (MSA) - align more than two sequences.
  • 9. Sequence Alignment [2/2] Global alignment L G P S S K Q T G K G S - S R I D N L N - I T K S A G K G A I M R L D A Local alignment Malaviya National Institute of Technology, Jaipur Local alignment - - - - - - T G - G - - - - - - - - - - - - - A G K G - - - - - - - Alignment Parameter Match Mismatch Gap Point of Mutation
  • 10. Multiple Sequence Alignment MSA is extension of pairwise alignment for more than two sequences. It is used to identify conserved regions across a group of sequences. Malaviya National Institute of Technology, Jaipur M1 M2 M3 M4 M5 add add add - add - push push push push Mov mov mov mov mov - call jmp jz jmp jmp jmp mov mov mov • Mi – ith Malware instance
  • 11. Implementation of MSA MSA is implemented using Progressive technique (ClustalW[9]) Progressive MSA follows three steps: Determine similarity between each pair by pairwise Malaviya National Institute of Technology, Jaipur Determine similarity between each pair by pairwise alignment. Construct a guided tree (Phylogenetic tree) to represent evolutionary relationship. MSA is build by aligning closely related groups to most distant group according to guided tree.
  • 12. Phylogenetic Tree Phylogenetic Tree depict evolutionary relationship among the sequences. To form groups of similar viruses Malaviya National Institute of Technology, Jaipur viruses Guides MSA progressively to align closer groups first A B D F E ( (E,(A,B)), (D,F) )
  • 13. Similarity Measurement Alignment Score : Is the sum of score specified for each aligned pair of mnemonics. Higher the score more similar the sequences. Distance (d) : Calculated using following formulas Malaviya National Institute of Technology, Jaipur formulas Higher the distance more dissimilar the sequences )#(# # matchmismatch mismatch Nd + = )##(# gapmatchmismatchLd ++= • Nd is Normalized distance, Ld is Levenshtein distance
  • 14. Identification of Base Malware Base malware in a family is most similar to rest all with highest sum of score using pairwise alignment (SoP[3]). M1 M2 M3 M4 SoPM2 Malaviya National Institute of Technology, Jaipur M1 - 7 -2 1 6 M2 7 - -3 0 4 M3 -2 -3 - 1 -4 M4 1 0 1 - 2 is Base Malware Score Matrix M1 M3 M4 M2 M1 • Mi – ith Malware instance
  • 15. Implementation Method MetamOrphic Malware ExploratioN Technique Using MSA (MOMENTUM) demonstrate the applicability of Bioinformatics Techniques for metamorphic malware analysis and detection. Malaviya National Institute of Technology, Jaipur Two phase of MOMENTUN are: Analysis of Metamorphism in Tools/Real Malware Signature Modelling and Testing
  • 16. MOMENTUM [1/2] Metamorphic Families (Virus Tools and Real Malware) Intra-Family pair-wise Alignment Malaviya National Institute of Technology, Jaipur Distance Matrix Base file Alignments of two files Metamorphic? Inter-Family pair-wise Alignment Families Overlap ? Obfuscation ? • Flow diagram for metamorphism analysis
  • 17. MOMENTUM [2/2] Training Set Testing Set Divide data set in two parts Malaviya National Institute of Technology, Jaipur Extract Group Signature Testing with single and group signatures Single Signature Scan Logs Threshold Threshold • Diagram depicts Signature Modelling and Testing
  • 18. MSA Signature MSA signature (single signature) is a sequence of preserved mnemonics in alignment. M1 M2 M3 M4 M5 MSA Sign push push - - push push Mt push Malaviya National Institute of Technology, Jaipur Mnemonic that appears more than 50% in a row is included in MSA signature. - - jump jump jump jump mov mov - lea xor call call call call call call push mov mov - mov mov • Mi – ith Malware instance and Mt – Test Sample jump lea call push
  • 19. Group Signature Group signature is extracted from single signature for each subgroup. Sub groups are formed using evolutionary relationship. Single signature is extracted for each subgroup and combined in the form of wildcard. Malaviya National Institute of Technology, Jaipur combined in the form of wildcard. DiagramSign1 Sign2 Sign3 Sign4 Sign5 Group Sign push push - - push push jz jz jump jump jump jump|jz mov mov - lea xor mov|lea|xor call call call call call call - mov mov - push mov|push • Signi – Signature for ith sub-group in a family Mt push jz lea call push
  • 20. Threshold Sign 0 B B M M Score . . . . . . Benign Malware Malaviya National Institute of Technology, Jaipur Threshold 0 Bmin Bmax Mmin Mmax Score Where: Bmin Benign with minimum score Bmax Benign with maximum score Mmin Malware with minimum score Mmax Malware with maximum score Threshold (Bmax + Mmin) /2 , ( Threshold > Bmax )
  • 21. Dataset [1/2] Dataset Description: Type Source #Family #instances Synthetic NGVCK, PSMPC, G2, MPCGEN 46 1051 User Agencies Malaviya National Institute of Technology, Jaipur * consists of unknown viruses (in test set). Dataset is equally divided into training and testing set. Real User Agencies 52 + 1* 1209 VxHeavens Benign System32,Cygwin etc. 1 150 1*
  • 22. Dataset [2/2] All samples are in Portable Executables (PE) format. Samples are unpacked using Dynamic unpacker (EtherUnpack [7] ) Malaviya National Institute of Technology, Jaipur Dynamic unpacker (EtherUnpack [7] ) Signature based unpacker (GUNPacker [10]) Malware families are created from combined scanned results of 14 antiviruses. Benign samples are also scanned.
  • 23. Result for Intra Family 0.05 0.1 0.15 0.2 0.25 0.3 AverageDistance Global Local Levenshtein Malaviya National Institute of Technology, Jaipur Non zero values indicates presence of metamorphism in synthetic data. Levenshtein distance is high due to junk code insertion. Inspite of high values of global distance, local distances are low in most of the samples. This indicates presence of similar regions in code. 0 NGVCK PSMPC G2 MPCGEN • Average distance is between 0 to 1
  • 24. Result for Inter Family 0.1 0.2 0.3 0.4 0.5 0.6 0.7 AverageDistnce Global Local Levenshtein Malaviya National Institute of Technology, Jaipur Distance is less than intra family distance. This indicates most of malware share some base code. Levenshtein distance is higher because of change in functionality. 0 0.1 NGVCK PSMPC G2 MPCGEN VX HEAVENS • Average distance is between 0 to 1
  • 25. Comparative Analysis VIRUS TYPE Replacements/ Alignment Avg. SoD OBFUSCATION NGVCK 47 1.03 Average Simple G2 3 1.45 Low Simple MPCGEN 31 0.61 Average Simple Malaviya National Institute of Technology, Jaipur MPCGEN 31 0.61 Average Simple PSMPC 1 1.35 Low Weak Vx-Heavens 122 8.3 Large Complex Viruses generated using tools belong to same family. Families of real malware are distinct. In PSMPC loop and jump instructions contribute for obfuscation this increases the distance between samples. NGVCK viruses overlaps with real malware (Savior). • SoD – Sum of distances of a family with rest other family
  • 26. Detection Results 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 EvaluationMetrics MSA Single Group Signature Malaviya National Institute of Technology, Jaipur 95.5% of malware is detected with MSA signature, detection with Group signature is 72.4% . 53% of benign is falsely detected as malware with MSA signature due to loss mnemonics used for mutation in malware. Group signature preserves point of mutation that is absent in benign samples. 0 0.1 TPR FPR
  • 27. MOMENTUM with Antiviruses 20 30 40 50 60 70 80 90 DetectionRate Malaviya National Institute of Technology, Jaipur MOMENTUM (group signature) is found to be comparable to best ant-viruses. Out of 35 undetected malware with antiviruses, MOMENTUM could detect 20 malware. 0 10 20
  • 28. Scope for Improvement Instead of same mismatch score, compute weighted score for each pair of mnemonics using frequency of mismatches. In the alignment, operand part can be considered to verify actual changes (replacement/gap). Malaviya National Institute of Technology, Jaipur to verify actual changes (replacement/gap). This can fetch the way morpher preserves functionality.
  • 29. List of Publications [1] Vinod P., V.Laxmi, M.S.Gaur, Grijesh Chauhan Detecting Malicious Files using Non-Signature based Methods, (To appear) Oxford Computer Journal. [2] Vinod P., V.Laxmi, M.S.Gaur, Grijesh Chauhan Malware Detection using Non-Signature based Method, In Malaviya National Institute of Technology, Jaipur Malware Detection using Non-Signature based Method, In Proceeding of IEEE International Conference on Network Communication and Computer-ICNCC 2011, pp-427-43, DOI: 978-1-4244-9551-1/11.
  • 30. References [1] E.Karim, A.Walenstein, A.Lakhotia, “Malware Phylogeny using Permutation of code”, In Proceedings of EICAR 2005, pp 167-174 [2] M.R. Chouchane and A. Lakhotia , “Using engine signature to detect metamorphic malware”, In Proceedings of the 4th ACM workshop on Recurring malcode, WORM '06, 2006,73-78. Malaviya National Institute of Technology, Jaipur [3] Mona Singh, " Multiple Sequence Alignment ", Lecture Notes: www.cs.princeton.edu/~mona/Lecture/msa1.pdf (Last viewed on 14-6-2011) [4] Mona Singh, " Phylogenetics ", Lecture Notes: www.cs.princeton.edu/~mona/Lecture/msa1.pdf (Last viewed on 14-6-2011) [5] T. Smith and M. Waterman, “Identification of Common Molecular Subsequences”, Journal of Molecular Biology, pp 195-197, 1987 [6] Mark Stamp, Wing Wong. "Hunting for metamorphic engines". Journal in Computer Virology, 2(3):211-229
  • 31. References [7] Ether for Malware Unpacking: http://ether.gtisc.gatech.edu/malware.html (Last viewed on 14-6-2011) [8] Jian Li, Jun Xu, Ming Xu, HengiLi Zhao, Ning Zheng, “Malware Obfuscation Measuring via Evolutionary Similarity”, In Proceedings of IEEE Int. Conference on Future Information Network 2009. Malaviya National Institute of Technology, Jaipur [9] Larkin MA et al, " Clustal W and Clustal X version 2.0 ". Bioinformatics, 23, 2947-2948, 2007. [10] GUnPacker : http://www.woodmann.com/collaborative/tools/index.php/GUnPacker (Last viewed on 14-6-2011)
  • 32. Thanks! Malaviya National Institute of Technology, Jaipur