DOI: 10.1145/2659651.2659670

Current Trends and the Future of Metamorphic Malware Detection

Published: 09 September 2014

Abstract

Dynamic binary obfuscation, or metamorphism, is a technique in which a malware never keeps the same sequence of opcodes in memory. This stealthy mutation helps the malware evade detection by today's signature-based anti-malware programs. This paper analyzes current trends, provides future directions, and reasons about some of the basic characteristics a system must have to provide real-time detection of metamorphic malware. Our emphasis is on the most recent advancements and the potential available in metamorphic malware detection, so we cover only some of the major academic research efforts carried out from the year 2006 onward. The paper not only serves as a collection of recent references and information for easy comparison and analysis, but also as motivation for improving current techniques and developing new ones for metamorphic malware detection.




Published In

SIN '14: Proceedings of the 7th International Conference on Security of Information and Networks
September 2014
518 pages
ISBN:9781450330336
DOI:10.1145/2659651
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. End point security
  2. Malware detection
  3. Metamorphic malware
  4. Obfuscations

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

SIN '14

Acceptance Rates

SIN '14 Paper Acceptance Rate 32 of 109 submissions, 29%;
Overall Acceptance Rate 102 of 289 submissions, 35%

Article Metrics

  • Downloads (last 12 months): 10
  • Downloads (last 6 weeks): 0
Reflects downloads up to 20 Jan 2025.

Cited By

  • (2023) Evolutionary Based Transfer Learning Approach to Improving Classification of Metamorphic Malware. Applications of Evolutionary Computation, pp. 161--176. DOI: 10.1007/978-3-031-30229-9_11. Online publication date: 9 Apr 2023.
  • (2021) IoT Botnet Detection on Flow Data using Autoencoders. 2021 IEEE International Mediterranean Conference on Communications and Networking (MeditCom), pp. 506--511. DOI: 10.1109/MeditCom49071.2021.9647639. Online publication date: 7 Sep 2021.
  • (2019) MetaHunt. Proceedings of the 3rd ACM Workshop on Software Protection, pp. 15--26. DOI: 10.1145/3338503.3357720. Online publication date: 15 Nov 2019.
  • (2019) Nowhere Metamorphic Malware Can Hide - A Biological Evolution Inspired Detection Scheme. Dependability in Sensor, Cloud, and Big Data Systems and Applications, pp. 369--382. DOI: 10.1007/978-981-15-1304-6_29. Online publication date: 5 Nov 2019.
  • (2018) VMHunt. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 442--458. DOI: 10.1145/3243734.3243827. Online publication date: 15 Oct 2018.
  • (2015) Using Chi-Square test and heuristic search for detecting metamorphic malware. 2015 First International Conference on New Technologies of Information and Communication (NTIC), pp. 1--4. DOI: 10.1109/NTIC.2015.7368758. Online publication date: Nov 2015.
