DocumentCode
3418008
Title
Detecting metamorphic malware by using behavior-based aggregated signature
Author
Yanzhen Qu ; Hughes, Kit
Author_Institution
Sch. of Comput. Sci., Colorado Tech. Univ., Colorado Springs, CO, USA
fYear
2013
fDate
9-12 Dec. 2013
Firstpage
13
Lastpage
18
Abstract
The capabilities of advanced malware, such as metamorphic malware and polymorphic malware, are quickly outpacing our current abilities to detect their presence. For example, all current signature-based malware-detection methods have become ineffective because they only create signatures based on the executable files that will be obfuscated by every instance of advanced malware. However, behavior is a characteristic in advanced malware that remains consistent throughout variants within a family of malware. We have capitalized upon this to create an aggregated signature for a family of malware. Creating a signature that spans a malware family allows it to identify known and new variants of that family. Using an aggregated signature versus many signatures for each variant for detection of malware provides many benefits to anti-virus vendors and the community as a whole by reducing the size of the signature database, reducing maintenance, and increasing speed of detection without losing accuracy.
Keywords
digital signatures; invasive software; advanced malware; antivirus vendors; behavior-based aggregated signature; metamorphic malware detection method; polymorphic malware; signature database size; Analytical models; Data models; Generators; Logistics; Malware; Software; aggregated signature; detection; metamorphic malware; polymorphic malware; signature;
fLanguage
English
Publisher
ieee
Conference_Titel
Internet Security (WorldCIS), 2013 World Congress on
Conference_Location
London
Type
conf
DOI
10.1109/WorldCIS.2013.6751010
Filename
6751010