• DocumentCode
    183176
  • Title

    Detecting encrypted metamorphic viruses by hidden Markov Models

  • Author

    Rezaei, Fatemeh ; Nezhad, Masoud Khalil ; Rezaei, Saeid ; Payandeh, Ali

  • Author_Institution
    Kish Int. campus, Tehran Univ., Tehran, Iran
  • fYear
    2014
  • fDate
    19-21 Aug. 2014
  • Firstpage
    973
  • Lastpage
    977
  • Abstract
    Virus writers make their viruses undetectable by using obfuscation methods, which ends in metamorphic viruses. We propose a method named detection circle which is based on the hidden Markov Model theory. We have used three elements to characterize a family of viruses: string occurrence probability, specifically-located character occurrence probability, and the amount of virus similarities. For the evaluation, we have created viruses and tested them by our method and four anti-virus software packages. The experimental results show that our detection rate was much higher in the first stage without obfuscation. Then we have encrypted the detected viruses and tested the proposed algorithm again. At this stage none of the four anti-virus software packages detected viruses while our method found 70% of them.
  • Keywords
    computer viruses; cryptography; hidden Markov models; probability; software packages; antivirus software packages; detection circle; encrypted metamorphic virus detection; hidden Markov model theory; obfuscation methods; specifically-located character occurrence probability; string occurrence probability; Accuracy; Assembly; Cryptography; Educational institutions; Hidden Markov models; Probability; Viruses (medical); hidden Markov model; malware; metamorphic virus; obfuscation
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Fuzzy Systems and Knowledge Discovery (FSKD), 2014 11th International Conference on
  • Conference_Location
    Xiamen
  • Print_ISBN
    978-1-4799-5147-5
  • Type

    conf

  • DOI
    10.1109/FSKD.2014.6980971
  • Filename
    6980971