TY - GEN
T1 - A compression-based technique to classify metamorphic malware
AU - Ekhtoom, Duaa
AU - Al-Ayyoub, Mahmoud
AU - Al-Saleh, Mohammed
AU - Alsmirat, Mohammad
AU - Hmeidi, Ismail
N1 - Publisher Copyright:
© 2016 IEEE.
PY - 2016/7/2
Y1 - 2016/7/2
N2 - Metamorphic malware are able to change their appearance to evade detection by traditional anti-malware software. One of the ways to help mitigate the threat of new metamorphic malware is to determine their origins, i.e., the families to which they belong. This type of metamorphic malware analysis is not typically handled by commercial software. Moreover, existing works rely on analyzing the op-code sequences extracted from the Assembly files of the malware. Very few papers have tried to perform analysis on the binary files of the malware. However, they focused on the simple binary problem of differentiating between a certain malware family and benign files. In this work, we address the more difficult problem of determining the origin of a new metamorphic malware by measuring its similarity to hundreds of variants taken from 13 families of real malware. To address this problem, we use a compression-based classification approach. We experiment with two such approaches: AMDL and BCN. The results showed that AMDL performed no better than a random guess (11% accuracy for AMDL and 18% for the random baseline). On the other hand, BCN performed really well with 67% accuracy.
AB - Metamorphic malware are able to change their appearance to evade detection by traditional anti-malware software. One of the ways to help mitigate the threat of new metamorphic malware is to determine their origins, i.e., the families to which they belong. This type of metamorphic malware analysis is not typically handled by commercial software. Moreover, existing works rely on analyzing the op-code sequences extracted from the Assembly files of the malware. Very few papers have tried to perform analysis on the binary files of the malware. However, they focused on the simple binary problem of differentiating between a certain malware family and benign files. In this work, we address the more difficult problem of determining the origin of a new metamorphic malware by measuring its similarity to hundreds of variants taken from 13 families of real malware. To address this problem, we use a compression-based classification approach. We experiment with two such approaches: AMDL and BCN. The results showed that AMDL performed no better than a random guess (11% accuracy for AMDL and 18% for the random baseline). On the other hand, BCN performed really well with 67% accuracy.
UR - https://www.scopus.com/pages/publications/85019738610
U2 - 10.1109/AICCSA.2016.7945801
DO - 10.1109/AICCSA.2016.7945801
M3 - Conference contribution
AN - SCOPUS:85019738610
T3 - Proceedings of IEEE/ACS International Conference on Computer Systems and Applications, AICCSA
BT - 2016 IEEE/ACS 13th International Conference of Computer Systems and Applications, AICCSA 2016 - Proceedings
PB - IEEE Computer Society
T2 - 13th IEEE/ACS International Conference of Computer Systems and Applications, AICCSA 2016
Y2 - 29 November 2016 through 2 December 2016
ER -