SlideShare une entreprise Scribd logo

Metamorphic Malware Analysis and Detection

Grijesh Chauhan
Grijesh Chauhan

ABSTRACT : -------------------- Modern malware that are metamorphic or polymorphic in nature mutate their code by employing code obfuscation and encryption methods to thwart detection. Thus, conventional signature based scanners fail to detect these malware. In order to address the problems of detecting known variants of metamorphic malware, we propose a method using bioinformatics techniques effectively used for Protein and DNA matching. Instead of using exact signature matching methods, more sophisticated signature(s) are extracted using multiple sequence alignment (MSA). The results show that the proposed method is capable of identifying malware variants with minimum false alarms and misses. Also, the detection rate achieved with our proposed method is better compared to commercial antivirus products used in the study. Status: ---------- This work has been accepted by 8th IEEE International Conference on Innovations in Information Technology (Innovations'12). Link: ------- http://ieeexplore.ieee.org/xpl/login.jsp?reload=true&tp=&arnumber=6207739&url=http://ieeexplore.ieee.org/iel5/6203543/6207707/06207739.pdf?arnumber=6207739 e-mail: grijesh.mnit@gmail.com

FormationTechnologieBusiness
1  sur  32
Télécharger pour lire hors ligne
Bioinformatics Techniques for Metamorphic Malware Analysis and Detection Malaviya National Institute of Technology, Jaipur and Detection Supervisors: Dr. M. S. Gaur Dr. V. Laxmi By: Grijesh Chauhan (2009PCP116)
Outline Malware & Metamorphic malware Motivation Objective Bioinformatics TechniquesBioinformatics Techniques MOMENTUM Dataset Result & Analysis References Malaviya National Institute of Technology, Jaipur
Malware Malware are software with intentions to infect and replicate. Threats Loss of data Malaviya National Institute of Technology, Jaipur Loss of data Degrades computer system performance Identity threat Two broad categories Metamorphic: Virus body changes on each replication Polymorphic: Encrypts malicious payload to avoid detection
Metamorphic Malware[1/2] Metamorphic malware have similar functionality, different structure and signature. Malaviya National Institute of Technology, Jaipur Similar to genetic diversity in Biology. Variant -1 Variant -2 Variant -3 Metamorphic Engine Diagram depicts metamorphic malware variants with reordered code
Metamorphic Malware[1/2] Metamorphic Malware automatically re-codes itself each time it propagates or is distributed. Conventional signature based scanners are ineffective for detecting variants of same malware. Malaviya National Institute of Technology, Jaipur Sophisticated signature(s) are required to detect metamorphic variants of malware.
Motivation Variants of metamorphic malware are generated using a small embedded metamorphic engine to defeat detection [2]. Limited number of instructions are used to generate Malaviya National Institute of Technology, Jaipur variants so as to preserve functionality. Metamorphic malware like DNA/ protein sequences mutate from generation to generation, they inherit functionality and some structural similarity with ancestral malware.
Objective To devise a method for detection of metamorphic malware and its variants. To extract the abstract signature(s) using Bioinformatics sequence alignment Malaviya National Institute of Technology, Jaipur base code is preserved in different generations, obfuscated using junk code or equivalent instructions etc. To identify unseen malware samples using best representative signatures (group/single) of a family.
Sequence Alignment [1/2] Sequence alignment is a way of arranging DNA/Protein sequences to identify regions of similarity to infer functional, structural or evolutionary relationship. Malaviya National Institute of Technology, Jaipur Alignment Methods Global Alignment - align sequences end to end. Local Alignment - align substring of one sequence with substring of other. Multiple Sequence Alignment (MSA) - align more than two sequences.
Sequence Alignment [2/2] Global alignment L G P S S K Q T G K G S - S R I D N L N - I T K S A G K G A I M R L D A Local alignment Malaviya National Institute of Technology, Jaipur Local alignment - - - - - - T G - G - - - - - - - - - - - - - A G K G - - - - - - - Alignment Parameter Match Mismatch Gap Point of Mutation
Multiple Sequence Alignment MSA is extension of pairwise alignment for more than two sequences. It is used to identify conserved regions across a group of sequences. Malaviya National Institute of Technology, Jaipur M1 M2 M3 M4 M5 add add add - add - push push push push Mov mov mov mov mov - call jmp jz jmp jmp jmp mov mov mov • Mi – ith Malware instance
Implementation of MSA MSA is implemented using Progressive technique (ClustalW[9]) Progressive MSA follows three steps: Determine similarity between each pair by pairwise Malaviya National Institute of Technology, Jaipur Determine similarity between each pair by pairwise alignment. Construct a guided tree (Phylogenetic tree) to represent evolutionary relationship. MSA is build by aligning closely related groups to most distant group according to guided tree.
Phylogenetic Tree Phylogenetic Tree depict evolutionary relationship among the sequences. To form groups of similar viruses Malaviya National Institute of Technology, Jaipur viruses Guides MSA progressively to align closer groups first A B D F E ( (E,(A,B)), (D,F) )
Similarity Measurement Alignment Score : Is the sum of score specified for each aligned pair of mnemonics. Higher the score more similar the sequences. Distance (d) : Calculated using following formulas Malaviya National Institute of Technology, Jaipur formulas Higher the distance more dissimilar the sequences )#(# # matchmismatch mismatch Nd + = )##(# gapmatchmismatchLd ++= • Nd is Normalized distance, Ld is Levenshtein distance
Identification of Base Malware Base malware in a family is most similar to rest all with highest sum of score using pairwise alignment (SoP[3]). M1 M2 M3 M4 SoPM2 Malaviya National Institute of Technology, Jaipur M1 - 7 -2 1 6 M2 7 - -3 0 4 M3 -2 -3 - 1 -4 M4 1 0 1 - 2 is Base Malware Score Matrix M1 M3 M4 M2 M1 • Mi – ith Malware instance
Implementation Method MetamOrphic Malware ExploratioN Technique Using MSA (MOMENTUM) demonstrate the applicability of Bioinformatics Techniques for metamorphic malware analysis and detection. Malaviya National Institute of Technology, Jaipur Two phase of MOMENTUN are: Analysis of Metamorphism in Tools/Real Malware Signature Modelling and Testing
MOMENTUM [1/2] Metamorphic Families (Virus Tools and Real Malware) Intra-Family pair-wise Alignment Malaviya National Institute of Technology, Jaipur Distance Matrix Base file Alignments of two files Metamorphic? Inter-Family pair-wise Alignment Families Overlap ? Obfuscation ? • Flow diagram for metamorphism analysis
MOMENTUM [2/2] Training Set Testing Set Divide data set in two parts Malaviya National Institute of Technology, Jaipur Extract Group Signature Testing with single and group signatures Single Signature Scan Logs Threshold Threshold • Diagram depicts Signature Modelling and Testing
MSA Signature MSA signature (single signature) is a sequence of preserved mnemonics in alignment. M1 M2 M3 M4 M5 MSA Sign push push - - push push Mt push Malaviya National Institute of Technology, Jaipur Mnemonic that appears more than 50% in a row is included in MSA signature. - - jump jump jump jump mov mov - lea xor call call call call call call push mov mov - mov mov • Mi – ith Malware instance and Mt – Test Sample jump lea call push
Group Signature Group signature is extracted from single signature for each subgroup. Sub groups are formed using evolutionary relationship. Single signature is extracted for each subgroup and combined in the form of wildcard. Malaviya National Institute of Technology, Jaipur combined in the form of wildcard. DiagramSign1 Sign2 Sign3 Sign4 Sign5 Group Sign push push - - push push jz jz jump jump jump jump|jz mov mov - lea xor mov|lea|xor call call call call call call - mov mov - push mov|push • Signi – Signature for ith sub-group in a family Mt push jz lea call push
Threshold Sign 0 B B M M Score . . . . . . Benign Malware Malaviya National Institute of Technology, Jaipur Threshold 0 Bmin Bmax Mmin Mmax Score Where: Bmin Benign with minimum score Bmax Benign with maximum score Mmin Malware with minimum score Mmax Malware with maximum score Threshold (Bmax + Mmin) /2 , ( Threshold > Bmax )
Dataset [1/2] Dataset Description: Type Source #Family #instances Synthetic NGVCK, PSMPC, G2, MPCGEN 46 1051 User Agencies Malaviya National Institute of Technology, Jaipur * consists of unknown viruses (in test set). Dataset is equally divided into training and testing set. Real User Agencies 52 + 1* 1209 VxHeavens Benign System32,Cygwin etc. 1 150 1*
Dataset [2/2] All samples are in Portable Executables (PE) format. Samples are unpacked using Dynamic unpacker (EtherUnpack [7] ) Malaviya National Institute of Technology, Jaipur Dynamic unpacker (EtherUnpack [7] ) Signature based unpacker (GUNPacker [10]) Malware families are created from combined scanned results of 14 antiviruses. Benign samples are also scanned.
Result for Intra Family 0.05 0.1 0.15 0.2 0.25 0.3 AverageDistance Global Local Levenshtein Malaviya National Institute of Technology, Jaipur Non zero values indicates presence of metamorphism in synthetic data. Levenshtein distance is high due to junk code insertion. Inspite of high values of global distance, local distances are low in most of the samples. This indicates presence of similar regions in code. 0 NGVCK PSMPC G2 MPCGEN • Average distance is between 0 to 1
Result for Inter Family 0.1 0.2 0.3 0.4 0.5 0.6 0.7 AverageDistnce Global Local Levenshtein Malaviya National Institute of Technology, Jaipur Distance is less than intra family distance. This indicates most of malware share some base code. Levenshtein distance is higher because of change in functionality. 0 0.1 NGVCK PSMPC G2 MPCGEN VX HEAVENS • Average distance is between 0 to 1
Comparative Analysis VIRUS TYPE Replacements/ Alignment Avg. SoD OBFUSCATION NGVCK 47 1.03 Average Simple G2 3 1.45 Low Simple MPCGEN 31 0.61 Average Simple Malaviya National Institute of Technology, Jaipur MPCGEN 31 0.61 Average Simple PSMPC 1 1.35 Low Weak Vx-Heavens 122 8.3 Large Complex Viruses generated using tools belong to same family. Families of real malware are distinct. In PSMPC loop and jump instructions contribute for obfuscation this increases the distance between samples. NGVCK viruses overlaps with real malware (Savior). • SoD – Sum of distances of a family with rest other family
Detection Results 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 EvaluationMetrics MSA Single Group Signature Malaviya National Institute of Technology, Jaipur 95.5% of malware is detected with MSA signature, detection with Group signature is 72.4% . 53% of benign is falsely detected as malware with MSA signature due to loss mnemonics used for mutation in malware. Group signature preserves point of mutation that is absent in benign samples. 0 0.1 TPR FPR
MOMENTUM with Antiviruses 20 30 40 50 60 70 80 90 DetectionRate Malaviya National Institute of Technology, Jaipur MOMENTUM (group signature) is found to be comparable to best ant-viruses. Out of 35 undetected malware with antiviruses, MOMENTUM could detect 20 malware. 0 10 20
Scope for Improvement Instead of same mismatch score, compute weighted score for each pair of mnemonics using frequency of mismatches. In the alignment, operand part can be considered to verify actual changes (replacement/gap). Malaviya National Institute of Technology, Jaipur to verify actual changes (replacement/gap). This can fetch the way morpher preserves functionality.
List of Publications [1] Vinod P., V.Laxmi, M.S.Gaur, Grijesh Chauhan Detecting Malicious Files using Non-Signature based Methods, (To appear) Oxford Computer Journal. [2] Vinod P., V.Laxmi, M.S.Gaur, Grijesh Chauhan Malware Detection using Non-Signature based Method, In Malaviya National Institute of Technology, Jaipur Malware Detection using Non-Signature based Method, In Proceeding of IEEE International Conference on Network Communication and Computer-ICNCC 2011, pp-427-43, DOI: 978-1-4244-9551-1/11.
References [1] E.Karim, A.Walenstein, A.Lakhotia, “Malware Phylogeny using Permutation of code”, In Proceedings of EICAR 2005, pp 167-174 [2] M.R. Chouchane and A. Lakhotia , “Using engine signature to detect metamorphic malware”, In Proceedings of the 4th ACM workshop on Recurring malcode, WORM '06, 2006,73-78. Malaviya National Institute of Technology, Jaipur [3] Mona Singh, " Multiple Sequence Alignment ", Lecture Notes: www.cs.princeton.edu/~mona/Lecture/msa1.pdf (Last viewed on 14-6-2011) [4] Mona Singh, " Phylogenetics ", Lecture Notes: www.cs.princeton.edu/~mona/Lecture/msa1.pdf (Last viewed on 14-6-2011) [5] T. Smith and M. Waterman, “Identification of Common Molecular Subsequences”, Journal of Molecular Biology, pp 195-197, 1987 [6] Mark Stamp, Wing Wong. "Hunting for metamorphic engines". Journal in Computer Virology, 2(3):211-229
References [7] Ether for Malware Unpacking: http://ether.gtisc.gatech.edu/malware.html (Last viewed on 14-6-2011) [8] Jian Li, Jun Xu, Ming Xu, HengiLi Zhao, Ning Zheng, “Malware Obfuscation Measuring via Evolutionary Similarity”, In Proceedings of IEEE Int. Conference on Future Information Network 2009. Malaviya National Institute of Technology, Jaipur [9] Larkin MA et al, " Clustal W and Clustal X version 2.0 ". Bioinformatics, 23, 2947-2948, 2007. [10] GUnPacker : http://www.woodmann.com/collaborative/tools/index.php/GUnPacker (Last viewed on 14-6-2011)
Thanks! Malaviya National Institute of Technology, Jaipur

Recommandé

White hat and black hat hackers
White hat and black hat hackersWhite hat and black hat hackers
White hat and black hat hackersBilal Ahmed
 
Next generation firewall(ngfw)feature and benefits
Next generation firewall(ngfw)feature and benefitsNext generation firewall(ngfw)feature and benefits
Next generation firewall(ngfw)feature and benefitsAnthony Daniel
 
Bayesian networks
Bayesian networksBayesian networks
Bayesian networksOrochi Krizalid
 
Vulnerability Assesment
Vulnerability AssesmentVulnerability Assesment
Vulnerability AssesmentDedi Dwianto
 
Parrot Security OS | Introduction to Parrot Security OS | Cybersecurity Train...
Parrot Security OS | Introduction to Parrot Security OS | Cybersecurity Train...Parrot Security OS | Introduction to Parrot Security OS | Cybersecurity Train...
Parrot Security OS | Introduction to Parrot Security OS | Cybersecurity Train...Edureka!
 
DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)Soham Kansodaria
 
Syllabus for Cyber security and Ethical Hacking
Syllabus for Cyber security and Ethical HackingSyllabus for Cyber security and Ethical Hacking
Syllabus for Cyber security and Ethical HackingMehedi Hasan
 
Kali Linux
Kali LinuxKali Linux
Kali LinuxChanchal Dabriya
 

Recommandé

White hat and black hat hackers
White hat and black hat hackersWhite hat and black hat hackers
White hat and black hat hackersBilal Ahmed
 
Next generation firewall(ngfw)feature and benefits
Next generation firewall(ngfw)feature and benefitsNext generation firewall(ngfw)feature and benefits
Next generation firewall(ngfw)feature and benefitsAnthony Daniel
 
Bayesian networks
Bayesian networksBayesian networks
Bayesian networksOrochi Krizalid
 
Vulnerability Assesment
Vulnerability AssesmentVulnerability Assesment
Vulnerability AssesmentDedi Dwianto
 
Parrot Security OS | Introduction to Parrot Security OS | Cybersecurity Train...
Parrot Security OS | Introduction to Parrot Security OS | Cybersecurity Train...Parrot Security OS | Introduction to Parrot Security OS | Cybersecurity Train...
Parrot Security OS | Introduction to Parrot Security OS | Cybersecurity Train...Edureka!
 
DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)Soham Kansodaria
 
Syllabus for Cyber security and Ethical Hacking
Syllabus for Cyber security and Ethical HackingSyllabus for Cyber security and Ethical Hacking
Syllabus for Cyber security and Ethical HackingMehedi Hasan
 
Kali Linux
Kali LinuxKali Linux
Kali LinuxChanchal Dabriya
 
Android Malware Detection Mechanisms
Android Malware Detection MechanismsAndroid Malware Detection Mechanisms
Android Malware Detection MechanismsTalha Kabakus
 
Kali Linux
Kali LinuxKali Linux
Kali LinuxShubham Agrawal
 
Malware Classification and Analysis
Malware Classification and AnalysisMalware Classification and Analysis
Malware Classification and AnalysisPrashant Chopra
 
Plant disease detection using machine learning algorithm-1.pptx
Plant disease detection using machine learning algorithm-1.pptxPlant disease detection using machine learning algorithm-1.pptx
Plant disease detection using machine learning algorithm-1.pptxRummanHajira
 
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Lane Huff
 
trojan horse- malware(virus)
trojan horse- malware(virus)trojan horse- malware(virus)
trojan horse- malware(virus)NamanKikani
 
K - Nearest neighbor ( KNN )
K - Nearest neighbor ( KNN )K - Nearest neighbor ( KNN )
K - Nearest neighbor ( KNN )Mohammad Junaid Khan
 
Cyber security threats and its solutions
Cyber security threats and its solutionsCyber security threats and its solutions
Cyber security threats and its solutionsmaryrowling
 
Kali linux
Kali linuxKali linux
Kali linuxHarsh Gor
 
Plant recognition system
Plant recognition systemPlant recognition system
Plant recognition systemSinisa Vukovic
 
FAKE NEWS DETECTION PPT
FAKE NEWS DETECTION PPT FAKE NEWS DETECTION PPT
FAKE NEWS DETECTION PPT VaishaliSrigadhi
 
Hate speech detection
Hate speech detectionHate speech detection
Hate speech detectionNASIM ALAM
 
Intro to Deep learning - Autoencoders
Intro to Deep learning - Autoencoders Intro to Deep learning - Autoencoders
Intro to Deep learning - Autoencoders Akash Goel
 
Penetration Testing
Penetration Testing Penetration Testing
Penetration Testing RomSoft SRL
 
Decision Tree Algorithm With Example | Decision Tree In Machine Learning | Da...
Decision Tree Algorithm With Example | Decision Tree In Machine Learning | Da...Decision Tree Algorithm With Example | Decision Tree In Machine Learning | Da...
Decision Tree Algorithm With Example | Decision Tree In Machine Learning | Da...Simplilearn
 
Image Search: Then and Now
Image Search: Then and NowImage Search: Then and Now
Image Search: Then and NowSi Krishan
 
Feature selection concepts and methods
Feature selection concepts and methodsFeature selection concepts and methods
Feature selection concepts and methodsReza Ramezani
 
Machine Learning in Cyber Security
Machine Learning in Cyber SecurityMachine Learning in Cyber Security
Machine Learning in Cyber SecurityRishi Kant
 
Linear Regression vs Logistic Regression | Edureka
Linear Regression vs Logistic Regression | EdurekaLinear Regression vs Logistic Regression | Edureka
Linear Regression vs Logistic Regression | EdurekaEdureka!
 
Penetration testing
Penetration testingPenetration testing
Penetration testingNameen Singh
 
IRJET - Survey on Malware Detection using Deep Learning Methods
IRJET - Survey on Malware Detection using Deep Learning MethodsIRJET - Survey on Malware Detection using Deep Learning Methods
IRJET - Survey on Malware Detection using Deep Learning MethodsIRJET Journal
 
IRJET- Intrusion Detection using IP Binding in Real Network
IRJET- Intrusion Detection using IP Binding in Real NetworkIRJET- Intrusion Detection using IP Binding in Real Network
IRJET- Intrusion Detection using IP Binding in Real NetworkIRJET Journal
 

Contenu connexe

Tendances

Android Malware Detection Mechanisms
Android Malware Detection MechanismsAndroid Malware Detection Mechanisms
Android Malware Detection MechanismsTalha Kabakus
 
Malware Classification and Analysis
Malware Classification and AnalysisMalware Classification and Analysis
Malware Classification and AnalysisPrashant Chopra
 
Plant disease detection using machine learning algorithm-1.pptx
Plant disease detection using machine learning algorithm-1.pptxPlant disease detection using machine learning algorithm-1.pptx
Plant disease detection using machine learning algorithm-1.pptxRummanHajira
 
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Lane Huff
 
trojan horse- malware(virus)
trojan horse- malware(virus)trojan horse- malware(virus)
trojan horse- malware(virus)NamanKikani
 
Cyber security threats and its solutions
Cyber security threats and its solutionsCyber security threats and its solutions
Cyber security threats and its solutionsmaryrowling
 
Plant recognition system
Plant recognition systemPlant recognition system
Plant recognition systemSinisa Vukovic
 
Hate speech detection
Hate speech detectionHate speech detection
Hate speech detectionNASIM ALAM
 
Intro to Deep learning - Autoencoders
Intro to Deep learning - Autoencoders Intro to Deep learning - Autoencoders
Intro to Deep learning - Autoencoders Akash Goel
 
Penetration Testing
Penetration Testing Penetration Testing
Penetration Testing RomSoft SRL
 
Decision Tree Algorithm With Example | Decision Tree In Machine Learning | Da...
Decision Tree Algorithm With Example | Decision Tree In Machine Learning | Da...Decision Tree Algorithm With Example | Decision Tree In Machine Learning | Da...
Decision Tree Algorithm With Example | Decision Tree In Machine Learning | Da...Simplilearn
 
Image Search: Then and Now
Image Search: Then and NowImage Search: Then and Now
Image Search: Then and NowSi Krishan
 
Feature selection concepts and methods
Feature selection concepts and methodsFeature selection concepts and methods
Feature selection concepts and methodsReza Ramezani
 
Machine Learning in Cyber Security
Machine Learning in Cyber SecurityMachine Learning in Cyber Security
Machine Learning in Cyber SecurityRishi Kant
 
Linear Regression vs Logistic Regression | Edureka
Linear Regression vs Logistic Regression | EdurekaLinear Regression vs Logistic Regression | Edureka
Linear Regression vs Logistic Regression | EdurekaEdureka!
 
Penetration testing
Penetration testingPenetration testing
Penetration testingNameen Singh
 

Tendances (20)

Android Malware Detection Mechanisms
Android Malware Detection MechanismsAndroid Malware Detection Mechanisms
Android Malware Detection Mechanisms
 
Kali Linux
Kali LinuxKali Linux
Kali Linux
 
Malware Classification and Analysis
Malware Classification and AnalysisMalware Classification and Analysis
Malware Classification and Analysis
 
Plant disease detection using machine learning algorithm-1.pptx
Plant disease detection using machine learning algorithm-1.pptxPlant disease detection using machine learning algorithm-1.pptx
Plant disease detection using machine learning algorithm-1.pptx
 
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
 
trojan horse- malware(virus)
trojan horse- malware(virus)trojan horse- malware(virus)
trojan horse- malware(virus)
 
K - Nearest neighbor ( KNN )
K - Nearest neighbor ( KNN )K - Nearest neighbor ( KNN )
K - Nearest neighbor ( KNN )
 
Cyber security threats and its solutions
Cyber security threats and its solutionsCyber security threats and its solutions
Cyber security threats and its solutions
 
Kali linux
Kali linuxKali linux
Kali linux
 
Plant recognition system
Plant recognition systemPlant recognition system
Plant recognition system
 
FAKE NEWS DETECTION PPT
FAKE NEWS DETECTION PPT FAKE NEWS DETECTION PPT
FAKE NEWS DETECTION PPT
 
Hate speech detection
Hate speech detectionHate speech detection
Hate speech detection
 
Intro to Deep learning - Autoencoders
Intro to Deep learning - Autoencoders Intro to Deep learning - Autoencoders
Intro to Deep learning - Autoencoders
 
Penetration Testing
Penetration Testing Penetration Testing
Penetration Testing
 
Decision Tree Algorithm With Example | Decision Tree In Machine Learning | Da...
Decision Tree Algorithm With Example | Decision Tree In Machine Learning | Da...Decision Tree Algorithm With Example | Decision Tree In Machine Learning | Da...
Decision Tree Algorithm With Example | Decision Tree In Machine Learning | Da...
 
Image Search: Then and Now
Image Search: Then and NowImage Search: Then and Now
Image Search: Then and Now
 
Feature selection concepts and methods
Feature selection concepts and methodsFeature selection concepts and methods
Feature selection concepts and methods
 
Machine Learning in Cyber Security
Machine Learning in Cyber SecurityMachine Learning in Cyber Security
Machine Learning in Cyber Security
 
Linear Regression vs Logistic Regression | Edureka
Linear Regression vs Logistic Regression | EdurekaLinear Regression vs Logistic Regression | Edureka
Linear Regression vs Logistic Regression | Edureka
 
Penetration testing
Penetration testingPenetration testing
Penetration testing
 

Similaire à Metamorphic Malware Analysis and Detection

IRJET - Survey on Malware Detection using Deep Learning Methods
IRJET - Survey on Malware Detection using Deep Learning MethodsIRJET - Survey on Malware Detection using Deep Learning Methods
IRJET - Survey on Malware Detection using Deep Learning MethodsIRJET Journal
 
IRJET- Intrusion Detection using IP Binding in Real Network
IRJET- Intrusion Detection using IP Binding in Real NetworkIRJET- Intrusion Detection using IP Binding in Real Network
IRJET- Intrusion Detection using IP Binding in Real NetworkIRJET Journal
 
Exploiting Semantics-Based Plagiarism Detection Methods
Exploiting Semantics-Based Plagiarism Detection MethodsExploiting Semantics-Based Plagiarism Detection Methods
Exploiting Semantics-Based Plagiarism Detection MethodsIJSRED
 
Malwise-Malware Classification and Variant Extraction
Malwise-Malware Classification and Variant ExtractionMalwise-Malware Classification and Variant Extraction
Malwise-Malware Classification and Variant ExtractionIOSR Journals
 
A Fast Flowgraph Based Classification System for Packed and Polymorphic Malwa...
A Fast Flowgraph Based Classification System for Packed and Polymorphic Malwa...A Fast Flowgraph Based Classification System for Packed and Polymorphic Malwa...
A Fast Flowgraph Based Classification System for Packed and Polymorphic Malwa...Silvio Cesare
 
IRJET- Effective Technique Used for Malware Detection using Machine Learning
IRJET- Effective Technique Used for Malware Detection using Machine LearningIRJET- Effective Technique Used for Malware Detection using Machine Learning
IRJET- Effective Technique Used for Malware Detection using Machine LearningIRJET Journal
 
PROVIDING CYBER SECURITY SOLUTION FOR MALWARE DETECTION USING SUPPORT VECTOR ...
PROVIDING CYBER SECURITY SOLUTION FOR MALWARE DETECTION USING SUPPORT VECTOR ...PROVIDING CYBER SECURITY SOLUTION FOR MALWARE DETECTION USING SUPPORT VECTOR ...
PROVIDING CYBER SECURITY SOLUTION FOR MALWARE DETECTION USING SUPPORT VECTOR ...IRJET Journal
 
BOTNET DETECTION USING VARIOUS MACHINE LEARNING ALGORITHMS: A REVIEW
BOTNET DETECTION USING VARIOUS MACHINE LEARNING ALGORITHMS: A REVIEWBOTNET DETECTION USING VARIOUS MACHINE LEARNING ALGORITHMS: A REVIEW
BOTNET DETECTION USING VARIOUS MACHINE LEARNING ALGORITHMS: A REVIEWIRJET Journal
 
2014 IEEE DOTNET PARALLEL DISTRIBUTED PROJECT A system-for-denial-of-service-...
2014 IEEE DOTNET PARALLEL DISTRIBUTED PROJECT A system-for-denial-of-service-...2014 IEEE DOTNET PARALLEL DISTRIBUTED PROJECT A system-for-denial-of-service-...
2014 IEEE DOTNET PARALLEL DISTRIBUTED PROJECT A system-for-denial-of-service-...IEEEGLOBALSOFTSTUDENTSPROJECTS
 
IEEE 2014 DOTNET PARALLEL DISTRIBUTED PROJECTS A system-for-denial-of-service...
IEEE 2014 DOTNET PARALLEL DISTRIBUTED PROJECTS A system-for-denial-of-service...IEEE 2014 DOTNET PARALLEL DISTRIBUTED PROJECTS A system-for-denial-of-service...
IEEE 2014 DOTNET PARALLEL DISTRIBUTED PROJECTS A system-for-denial-of-service...IEEEMEMTECHSTUDENTPROJECTS
 
Machine learning in computer security
Machine learning in computer securityMachine learning in computer security
Machine learning in computer securityKishor Datta Gupta
 
INTELLIGENT MALWARE DETECTION USING EXTREME LEARNING MACHINE
INTELLIGENT MALWARE DETECTION USING EXTREME LEARNING MACHINEINTELLIGENT MALWARE DETECTION USING EXTREME LEARNING MACHINE
INTELLIGENT MALWARE DETECTION USING EXTREME LEARNING MACHINEIRJET Journal
 
a system for denial-of-service attack detection based on multivariate correla...
a system for denial-of-service attack detection based on multivariate correla...a system for denial-of-service attack detection based on multivariate correla...
a system for denial-of-service attack detection based on multivariate correla...swathi78
 
Malware Detection Using Data Mining Techniques
Malware Detection Using Data Mining Techniques Malware Detection Using Data Mining Techniques
Malware Detection Using Data Mining Techniques Akash Karwande
 
IRJET - A Review on Replay Spoof Detection in Automatic Speaker Verificat...
IRJET - A Review on Replay Spoof Detection in Automatic Speaker Verificat...IRJET - A Review on Replay Spoof Detection in Automatic Speaker Verificat...
IRJET - A Review on Replay Spoof Detection in Automatic Speaker Verificat...IRJET Journal
 
IRJET - Cognitive based Emotion Analysis of a Child Reading a Book
IRJET - Cognitive based Emotion Analysis of a Child Reading a BookIRJET - Cognitive based Emotion Analysis of a Child Reading a Book
IRJET - Cognitive based Emotion Analysis of a Child Reading a BookIRJET Journal
 
Software defect estimation using machine learning algorithms
Software defect estimation using machine learning algorithmsSoftware defect estimation using machine learning algorithms
Software defect estimation using machine learning algorithmsVenkat Projects
 

Similaire à Metamorphic Malware Analysis and Detection (20)

IRJET - Survey on Malware Detection using Deep Learning Methods
IRJET - Survey on Malware Detection using Deep Learning MethodsIRJET - Survey on Malware Detection using Deep Learning Methods
IRJET - Survey on Malware Detection using Deep Learning Methods
 
IRJET- Intrusion Detection using IP Binding in Real Network
IRJET- Intrusion Detection using IP Binding in Real NetworkIRJET- Intrusion Detection using IP Binding in Real Network
IRJET- Intrusion Detection using IP Binding in Real Network
 
Exploiting Semantics-Based Plagiarism Detection Methods
Exploiting Semantics-Based Plagiarism Detection MethodsExploiting Semantics-Based Plagiarism Detection Methods
Exploiting Semantics-Based Plagiarism Detection Methods
 
Malwise-Malware Classification and Variant Extraction
Malwise-Malware Classification and Variant ExtractionMalwise-Malware Classification and Variant Extraction
Malwise-Malware Classification and Variant Extraction
 
A Fast Flowgraph Based Classification System for Packed and Polymorphic Malwa...
A Fast Flowgraph Based Classification System for Packed and Polymorphic Malwa...A Fast Flowgraph Based Classification System for Packed and Polymorphic Malwa...
A Fast Flowgraph Based Classification System for Packed and Polymorphic Malwa...
 
IRJET- Effective Technique Used for Malware Detection using Machine Learning
IRJET- Effective Technique Used for Malware Detection using Machine LearningIRJET- Effective Technique Used for Malware Detection using Machine Learning
IRJET- Effective Technique Used for Malware Detection using Machine Learning
 
PROVIDING CYBER SECURITY SOLUTION FOR MALWARE DETECTION USING SUPPORT VECTOR ...
PROVIDING CYBER SECURITY SOLUTION FOR MALWARE DETECTION USING SUPPORT VECTOR ...PROVIDING CYBER SECURITY SOLUTION FOR MALWARE DETECTION USING SUPPORT VECTOR ...
PROVIDING CYBER SECURITY SOLUTION FOR MALWARE DETECTION USING SUPPORT VECTOR ...
 
BOTNET DETECTION USING VARIOUS MACHINE LEARNING ALGORITHMS: A REVIEW
BOTNET DETECTION USING VARIOUS MACHINE LEARNING ALGORITHMS: A REVIEWBOTNET DETECTION USING VARIOUS MACHINE LEARNING ALGORITHMS: A REVIEW
BOTNET DETECTION USING VARIOUS MACHINE LEARNING ALGORITHMS: A REVIEW
 
2014 IEEE DOTNET PARALLEL DISTRIBUTED PROJECT A system-for-denial-of-service-...
2014 IEEE DOTNET PARALLEL DISTRIBUTED PROJECT A system-for-denial-of-service-...2014 IEEE DOTNET PARALLEL DISTRIBUTED PROJECT A system-for-denial-of-service-...
2014 IEEE DOTNET PARALLEL DISTRIBUTED PROJECT A system-for-denial-of-service-...
 
IEEE 2014 DOTNET PARALLEL DISTRIBUTED PROJECTS A system-for-denial-of-service...
IEEE 2014 DOTNET PARALLEL DISTRIBUTED PROJECTS A system-for-denial-of-service...IEEE 2014 DOTNET PARALLEL DISTRIBUTED PROJECTS A system-for-denial-of-service...
IEEE 2014 DOTNET PARALLEL DISTRIBUTED PROJECTS A system-for-denial-of-service...
 
Machine learning in computer security
Machine learning in computer securityMachine learning in computer security
Machine learning in computer security
 
Presentation1.pptx
Presentation1.pptxPresentation1.pptx
Presentation1.pptx
 
proposal
proposalproposal
proposal
 
INTELLIGENT MALWARE DETECTION USING EXTREME LEARNING MACHINE
INTELLIGENT MALWARE DETECTION USING EXTREME LEARNING MACHINEINTELLIGENT MALWARE DETECTION USING EXTREME LEARNING MACHINE
INTELLIGENT MALWARE DETECTION USING EXTREME LEARNING MACHINE
 
a system for denial-of-service attack detection based on multivariate correla...
a system for denial-of-service attack detection based on multivariate correla...a system for denial-of-service attack detection based on multivariate correla...
a system for denial-of-service attack detection based on multivariate correla...
 
Malware Detection Using Data Mining Techniques
Malware Detection Using Data Mining Techniques Malware Detection Using Data Mining Techniques
Malware Detection Using Data Mining Techniques
 
spamzombieppt
spamzombiepptspamzombieppt
spamzombieppt
 
IRJET - A Review on Replay Spoof Detection in Automatic Speaker Verificat...
IRJET - A Review on Replay Spoof Detection in Automatic Speaker Verificat...IRJET - A Review on Replay Spoof Detection in Automatic Speaker Verificat...
IRJET - A Review on Replay Spoof Detection in Automatic Speaker Verificat...
 
IRJET - Cognitive based Emotion Analysis of a Child Reading a Book
IRJET - Cognitive based Emotion Analysis of a Child Reading a BookIRJET - Cognitive based Emotion Analysis of a Child Reading a Book
IRJET - Cognitive based Emotion Analysis of a Child Reading a Book
 
Software defect estimation using machine learning algorithms
Software defect estimation using machine learning algorithmsSoftware defect estimation using machine learning algorithms
Software defect estimation using machine learning algorithms
 

Dernier

Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...christianmathematics
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Association for Project Management
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfagholdier
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxheathfieldcps1
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSCeline George
 
Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and ModificationsMJDuyan
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...ZurliaSoop
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.pptRamjanShidvankar
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxVishalSingh1417
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdfQucHHunhnh
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17Celine George
 
PROCESS RECORDING FORMAT.docx
PROCESS RECORDING FORMAT.docxPROCESS RECORDING FORMAT.docx
PROCESS RECORDING FORMAT.docxPoojaSen20
 
ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701bronxfugly43
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibitjbellavia9
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxDenish Jangid
 
Magic bus Group work1and 2 (Team 3).pptx
Magic bus Group work1and 2 (Team 3).pptxMagic bus Group work1and 2 (Team 3).pptx
Magic bus Group work1and 2 (Team 3).pptxdhanalakshmis0310
 
psychiatric nursing HISTORY COLLECTION .docx
psychiatric nursing HISTORY COLLECTION .docxpsychiatric nursing HISTORY COLLECTION .docx
psychiatric nursing HISTORY COLLECTION .docxPoojaSen20
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseAnaAcapella
 
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin ClassesMixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin ClassesCeline George
 

Dernier (20)

Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POS
 
Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and Modifications
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
 
PROCESS RECORDING FORMAT.docx
PROCESS RECORDING FORMAT.docxPROCESS RECORDING FORMAT.docx
PROCESS RECORDING FORMAT.docx
 
ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
Magic bus Group work1and 2 (Team 3).pptx
Magic bus Group work1and 2 (Team 3).pptxMagic bus Group work1and 2 (Team 3).pptx
Magic bus Group work1and 2 (Team 3).pptx
 
psychiatric nursing HISTORY COLLECTION .docx
psychiatric nursing HISTORY COLLECTION .docxpsychiatric nursing HISTORY COLLECTION .docx
psychiatric nursing HISTORY COLLECTION .docx
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please Practise
 
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin ClassesMixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
 

Metamorphic Malware Analysis and Detection

  • 1. Bioinformatics Techniques for Metamorphic Malware Analysis and Detection Malaviya National Institute of Technology, Jaipur and Detection Supervisors: Dr. M. S. Gaur Dr. V. Laxmi By: Grijesh Chauhan (2009PCP116)
  • 2. Outline Malware & Metamorphic malware Motivation Objective Bioinformatics TechniquesBioinformatics Techniques MOMENTUM Dataset Result & Analysis References Malaviya National Institute of Technology, Jaipur
  • 3. Malware Malware are software with intentions to infect and replicate. Threats Loss of data Malaviya National Institute of Technology, Jaipur Loss of data Degrades computer system performance Identity threat Two broad categories Metamorphic: Virus body changes on each replication Polymorphic: Encrypts malicious payload to avoid detection
  • 4. Metamorphic Malware[1/2] Metamorphic malware have similar functionality, different structure and signature. Malaviya National Institute of Technology, Jaipur Similar to genetic diversity in Biology. Variant -1 Variant -2 Variant -3 Metamorphic Engine Diagram depicts metamorphic malware variants with reordered code
  • 5. Metamorphic Malware[1/2] Metamorphic Malware automatically re-codes itself each time it propagates or is distributed. Conventional signature based scanners are ineffective for detecting variants of same malware. Malaviya National Institute of Technology, Jaipur Sophisticated signature(s) are required to detect metamorphic variants of malware.
  • 6. Motivation Variants of metamorphic malware are generated using a small embedded metamorphic engine to defeat detection [2]. Limited number of instructions are used to generate Malaviya National Institute of Technology, Jaipur variants so as to preserve functionality. Metamorphic malware like DNA/ protein sequences mutate from generation to generation, they inherit functionality and some structural similarity with ancestral malware.
  • 7. Objective To devise a method for detection of metamorphic malware and its variants. To extract the abstract signature(s) using Bioinformatics sequence alignment Malaviya National Institute of Technology, Jaipur base code is preserved in different generations, obfuscated using junk code or equivalent instructions etc. To identify unseen malware samples using best representative signatures (group/single) of a family.
  • 8. Sequence Alignment [1/2] Sequence alignment is a way of arranging DNA/Protein sequences to identify regions of similarity to infer functional, structural or evolutionary relationship. Malaviya National Institute of Technology, Jaipur Alignment Methods Global Alignment - align sequences end to end. Local Alignment - align substring of one sequence with substring of other. Multiple Sequence Alignment (MSA) - align more than two sequences.
  • 9. Sequence Alignment [2/2] Global alignment L G P S S K Q T G K G S - S R I D N L N - I T K S A G K G A I M R L D A Local alignment Malaviya National Institute of Technology, Jaipur Local alignment - - - - - - T G - G - - - - - - - - - - - - - A G K G - - - - - - - Alignment Parameter Match Mismatch Gap Point of Mutation
  • 10. Multiple Sequence Alignment MSA is extension of pairwise alignment for more than two sequences. It is used to identify conserved regions across a group of sequences. Malaviya National Institute of Technology, Jaipur M1 M2 M3 M4 M5 add add add - add - push push push push Mov mov mov mov mov - call jmp jz jmp jmp jmp mov mov mov • Mi – ith Malware instance
  • 11. Implementation of MSA MSA is implemented using Progressive technique (ClustalW[9]) Progressive MSA follows three steps: Determine similarity between each pair by pairwise Malaviya National Institute of Technology, Jaipur Determine similarity between each pair by pairwise alignment. Construct a guided tree (Phylogenetic tree) to represent evolutionary relationship. MSA is build by aligning closely related groups to most distant group according to guided tree.
  • 12. Phylogenetic Tree Phylogenetic Tree depict evolutionary relationship among the sequences. To form groups of similar viruses Malaviya National Institute of Technology, Jaipur viruses Guides MSA progressively to align closer groups first A B D F E ( (E,(A,B)), (D,F) )
  • 13. Similarity Measurement Alignment Score : Is the sum of score specified for each aligned pair of mnemonics. Higher the score more similar the sequences. Distance (d) : Calculated using following formulas Malaviya National Institute of Technology, Jaipur formulas Higher the distance more dissimilar the sequences )#(# # matchmismatch mismatch Nd + = )##(# gapmatchmismatchLd ++= • Nd is Normalized distance, Ld is Levenshtein distance
  • 14. Identification of Base Malware Base malware in a family is most similar to rest all with highest sum of score using pairwise alignment (SoP[3]). M1 M2 M3 M4 SoPM2 Malaviya National Institute of Technology, Jaipur M1 - 7 -2 1 6 M2 7 - -3 0 4 M3 -2 -3 - 1 -4 M4 1 0 1 - 2 is Base Malware Score Matrix M1 M3 M4 M2 M1 • Mi – ith Malware instance
  • 15. Implementation Method MetamOrphic Malware ExploratioN Technique Using MSA (MOMENTUM) demonstrate the applicability of Bioinformatics Techniques for metamorphic malware analysis and detection. Malaviya National Institute of Technology, Jaipur Two phase of MOMENTUN are: Analysis of Metamorphism in Tools/Real Malware Signature Modelling and Testing
  • 16. MOMENTUM [1/2] Metamorphic Families (Virus Tools and Real Malware) Intra-Family pair-wise Alignment Malaviya National Institute of Technology, Jaipur Distance Matrix Base file Alignments of two files Metamorphic? Inter-Family pair-wise Alignment Families Overlap ? Obfuscation ? • Flow diagram for metamorphism analysis
  • 17. MOMENTUM [2/2] Training Set Testing Set Divide data set in two parts Malaviya National Institute of Technology, Jaipur Extract Group Signature Testing with single and group signatures Single Signature Scan Logs Threshold Threshold • Diagram depicts Signature Modelling and Testing
  • 18. MSA Signature MSA signature (single signature) is a sequence of preserved mnemonics in alignment. M1 M2 M3 M4 M5 MSA Sign push push - - push push Mt push Malaviya National Institute of Technology, Jaipur Mnemonic that appears more than 50% in a row is included in MSA signature. - - jump jump jump jump mov mov - lea xor call call call call call call push mov mov - mov mov • Mi – ith Malware instance and Mt – Test Sample jump lea call push
  • 19. Group Signature Group signature is extracted from single signature for each subgroup. Sub groups are formed using evolutionary relationship. Single signature is extracted for each subgroup and combined in the form of wildcard. Malaviya National Institute of Technology, Jaipur combined in the form of wildcard. DiagramSign1 Sign2 Sign3 Sign4 Sign5 Group Sign push push - - push push jz jz jump jump jump jump|jz mov mov - lea xor mov|lea|xor call call call call call call - mov mov - push mov|push • Signi – Signature for ith sub-group in a family Mt push jz lea call push
  • 20. Threshold Sign 0 B B M M Score . . . . . . Benign Malware Malaviya National Institute of Technology, Jaipur Threshold 0 Bmin Bmax Mmin Mmax Score Where: Bmin Benign with minimum score Bmax Benign with maximum score Mmin Malware with minimum score Mmax Malware with maximum score Threshold (Bmax + Mmin) /2 , ( Threshold > Bmax )
  • 21. Dataset [1/2] Dataset Description: Type Source #Family #instances Synthetic NGVCK, PSMPC, G2, MPCGEN 46 1051 User Agencies Malaviya National Institute of Technology, Jaipur * consists of unknown viruses (in test set). Dataset is equally divided into training and testing set. Real User Agencies 52 + 1* 1209 VxHeavens Benign System32,Cygwin etc. 1 150 1*
  • 22. Dataset [2/2] All samples are in Portable Executables (PE) format. Samples are unpacked using Dynamic unpacker (EtherUnpack [7] ) Malaviya National Institute of Technology, Jaipur Dynamic unpacker (EtherUnpack [7] ) Signature based unpacker (GUNPacker [10]) Malware families are created from combined scanned results of 14 antiviruses. Benign samples are also scanned.
  • 23. Result for Intra Family 0.05 0.1 0.15 0.2 0.25 0.3 AverageDistance Global Local Levenshtein Malaviya National Institute of Technology, Jaipur Non zero values indicates presence of metamorphism in synthetic data. Levenshtein distance is high due to junk code insertion. Inspite of high values of global distance, local distances are low in most of the samples. This indicates presence of similar regions in code. 0 NGVCK PSMPC G2 MPCGEN • Average distance is between 0 to 1
  • 24. Result for Inter Family 0.1 0.2 0.3 0.4 0.5 0.6 0.7 AverageDistnce Global Local Levenshtein Malaviya National Institute of Technology, Jaipur Distance is less than intra family distance. This indicates most of malware share some base code. Levenshtein distance is higher because of change in functionality. 0 0.1 NGVCK PSMPC G2 MPCGEN VX HEAVENS • Average distance is between 0 to 1
  • 25. Comparative Analysis VIRUS TYPE Replacements/ Alignment Avg. SoD OBFUSCATION NGVCK 47 1.03 Average Simple G2 3 1.45 Low Simple MPCGEN 31 0.61 Average Simple Malaviya National Institute of Technology, Jaipur MPCGEN 31 0.61 Average Simple PSMPC 1 1.35 Low Weak Vx-Heavens 122 8.3 Large Complex Viruses generated using tools belong to same family. Families of real malware are distinct. In PSMPC loop and jump instructions contribute for obfuscation this increases the distance between samples. NGVCK viruses overlaps with real malware (Savior). • SoD – Sum of distances of a family with rest other family
  • 26. Detection Results 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 EvaluationMetrics MSA Single Group Signature Malaviya National Institute of Technology, Jaipur 95.5% of malware is detected with MSA signature, detection with Group signature is 72.4% . 53% of benign is falsely detected as malware with MSA signature due to loss mnemonics used for mutation in malware. Group signature preserves point of mutation that is absent in benign samples. 0 0.1 TPR FPR
  • 27. MOMENTUM with Antiviruses 20 30 40 50 60 70 80 90 DetectionRate Malaviya National Institute of Technology, Jaipur MOMENTUM (group signature) is found to be comparable to best ant-viruses. Out of 35 undetected malware with antiviruses, MOMENTUM could detect 20 malware. 0 10 20
  • 28. Scope for Improvement Instead of same mismatch score, compute weighted score for each pair of mnemonics using frequency of mismatches. In the alignment, operand part can be considered to verify actual changes (replacement/gap). Malaviya National Institute of Technology, Jaipur to verify actual changes (replacement/gap). This can fetch the way morpher preserves functionality.
  • 29. List of Publications [1] Vinod P., V.Laxmi, M.S.Gaur, Grijesh Chauhan Detecting Malicious Files using Non-Signature based Methods, (To appear) Oxford Computer Journal. [2] Vinod P., V.Laxmi, M.S.Gaur, Grijesh Chauhan Malware Detection using Non-Signature based Method, In Malaviya National Institute of Technology, Jaipur Malware Detection using Non-Signature based Method, In Proceeding of IEEE International Conference on Network Communication and Computer-ICNCC 2011, pp-427-43, DOI: 978-1-4244-9551-1/11.
  • 30. References [1] E.Karim, A.Walenstein, A.Lakhotia, “Malware Phylogeny using Permutation of code”, In Proceedings of EICAR 2005, pp 167-174 [2] M.R. Chouchane and A. Lakhotia , “Using engine signature to detect metamorphic malware”, In Proceedings of the 4th ACM workshop on Recurring malcode, WORM '06, 2006,73-78. Malaviya National Institute of Technology, Jaipur [3] Mona Singh, " Multiple Sequence Alignment ", Lecture Notes: www.cs.princeton.edu/~mona/Lecture/msa1.pdf (Last viewed on 14-6-2011) [4] Mona Singh, " Phylogenetics ", Lecture Notes: www.cs.princeton.edu/~mona/Lecture/msa1.pdf (Last viewed on 14-6-2011) [5] T. Smith and M. Waterman, “Identification of Common Molecular Subsequences”, Journal of Molecular Biology, pp 195-197, 1987 [6] Mark Stamp, Wing Wong. "Hunting for metamorphic engines". Journal in Computer Virology, 2(3):211-229
  • 31. References [7] Ether for Malware Unpacking: http://ether.gtisc.gatech.edu/malware.html (Last viewed on 14-6-2011) [8] Jian Li, Jun Xu, Ming Xu, HengiLi Zhao, Ning Zheng, “Malware Obfuscation Measuring via Evolutionary Similarity”, In Proceedings of IEEE Int. Conference on Future Information Network 2009. Malaviya National Institute of Technology, Jaipur [9] Larkin MA et al, " Clustal W and Clustal X version 2.0 ". Bioinformatics, 23, 2947-2948, 2007. [10] GUnPacker : http://www.woodmann.com/collaborative/tools/index.php/GUnPacker (Last viewed on 14-6-2011)
  • 32. Thanks! Malaviya National Institute of Technology, Jaipur