Opcode position aware metamorphic malware detection: Signature vs histogram approach

Unlike the conventional approaches in the detection of metamorphic malware, a novel statistical non signature based detection technique is proposed. The proposed methodology aims to determine if alignment of locations or histogram of a specific opcode bigram is superior in the classification of metamorphic malware samples. In this work, we used Term Frequency-Inverse Document Frequency-Class Frequency (TF-IDF-CF) as feature selection method for synthesizing prominent features. Vector space models has been constructed by preserving hamming distance and Smith Waterman local sequence alignment score. Experiment results depicted that with Smith Waterman sequence alignment, best results were obtained with 300 significant malware features (94.01% accuracy, 92.24% F-measure, 100% precision and 49.89% recall). However, hamming distance based reference model, with 7 bigrams resulted in 100% precision, 99.76% accuracy, 99.71% F-measure and 99.42% recall.