Structural entropy and metamorphic malware

Baysa, Donabelle; Low, Richard M.; Stamp, Mark

doi:10.1007/s11416-013-0185-4

Cited by 123 publications

(100 citation statements)

References 18 publications

(37 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Recent research [3] further developed the concept of using structural entropy calculations to identify file similarity. The structural entropy technique, originally introduced in [22], produced good results when applied to polymorphic malware.…”

Section: Structural Entropymentioning

confidence: 99%

“…The structural entropy technique, originally introduced in [22], produced good results when applied to polymorphic malware. As a logical next step, the technique was adapted by [3] to apply it to metamorphic malware. As opposed to several previous detection techniques, structural entropy analysis examines the raw bytes of files rather than analyzing the disassembled opcode sequences.…”

Section: Structural Entropymentioning

confidence: 99%

“…We now describe the technique presented in [3]. The proposed technique can be divided into two main stages, file segmentation and sequence comparison.…”

Section: Structural Entropymentioning

confidence: 99%

“…Recently, a novel approach utilizing structural entropy analysis has been developed and shows good resilience against obfuscation [3,22]. This approach takes advantage of structural entropy to measure varying levels of data complexity throughout a file and uses these characteristics to calculate a similarity measure.…”

Section: Introductionmentioning

confidence: 99%

“…Good results were shown when the structural entropy technique was applied to various families of metamorphic malware [3]. However, some cases proved particularly difficult to detect.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

Compression-based analysis of metamorphic malware

Lee

Austin

Stamp

2015

IJSN

Self Cite

View full text Add to dashboard Cite

Compression-based Analysis of Metamorphic Malware by Jared LeeRecent work has presented a technique based on structural entropy measurement as an effective way to detect metamorphic malware. The technique uses two steps, file segmentation and sequence comparison, to calculate file similarity. In another previous work, it was observed that similar malware have similar measures of Kolmogorov complexity. A proposed method of estimating Kolmogorov complexity was to calculate the compression ratio of a given malware which could then be used to cluster the malicious software. Malware detection has also been attempted through the use of adaptive data compression and showed promising results. In this paper, we attempt to combine these concepts and propose using compression ratios as an alternative measure of entropy with the purpose of segmenting files according to their structural characteristics. We then compare the segment-based sequences of two given files to determine file similarity. The idea is that even after malware is transformed using a metamorphic engine, the resulting variants still share identifiable structural similarities with the original. Using this proposed technique to identify metamorphic malware, we compare our results with previous work. ACKNOWLEDGMENTS

show abstract

Section: Structural Entropymentioning

confidence: 99%

Section: Structural Entropymentioning

confidence: 99%

“…We now describe the technique presented in [3]. The proposed technique can be divided into two main stages, file segmentation and sequence comparison.…”

Section: Structural Entropymentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

“…Good results were shown when the structural entropy technique was applied to various families of metamorphic malware [3]. However, some cases proved particularly difficult to detect.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Compression-based analysis of metamorphic malware

Lee

Austin

Stamp

2015

IJSN

Self Cite

View full text Add to dashboard Cite

show abstract

VAED: VMI‐assisted evasion detection approach for infrastructure as a service cloud

Mishra

Pilli

Varadharajan

et al. 2017

Concurrency and Computation

View full text Add to dashboard Cite

Cloud computing provides on demand provisioning of resources mostly offered as Infrastructure as a Service. The flexibility in services has opened doors for attackers. Research has been performed to detect various malware in the last few years. However, modern malware are advanced enough to detect the presence of virtualization environment, security analyzer, or even the hypervisor by observing the virtualization-specific information such as virtual processor features, timing features, etc. The malware exhibit evasive nature and can fool existing security solutions by performing modern antidetection tactics. In this paper, we propose an approach named as VMI-assisted evasion detection (VAED), deployed at virtual machine monitor, to detect the evasion-based malware attacks. The VAED is based on learning the program semantic of evasive malware. It uses system call dependency graph approach generated using Markov Chain principle and keeps track of system call ordering with transition probability distribution between each pair system calls. It uses software break point injection technique to extract the system call traces of evasive malware samples, which is free from any modification in hardware-specific values. Hence, it is secure from evasion attempts. The VAED is validated over evasive samples collected from the University of California on request, and results seem to be promising. KEYWORDS cloud security, intrusion detection, system call analysis, virtual machine introspection 1 advanced malware that can detect the presence of the security analyzer, virtualization environment, or hypervisor. 1 On detection of such analysis environment, malware change their behavior to thwart the detection. Moreover, some of these attacks hide their presence from tenant virtual machine (TVM) by manipulating the kernel-data structure. Hence, analysis environment incorrectly classifies such intrusions as benign applications. A compromised VM is a big threat to cloud infrastructure, which can breach security of other VM, virtual machine monitor (VMM), or Host OS, etc. Cloud service provider needs to ensure the security of their infrastructure and VMs of their customers. Signature-based analysis, static analysis, dynamic analysis, and VM introspection (VMI) approaches are popular intrusion detection techniques used by researchers in their security solutions. Signature analysis techniques maintain a database of known attack signatures. Static analysis techniques perform the reverse engineering on the binary code to understand the program-syntax behavior. Dynamic analysis techniques observe the Concurrency Computat: Pract Exper. 2017;29:e4133.wileyonlinelibrary.com/journal/cpe

show abstract

BotCatch: leveraging signature and behavior for bot detection

et al. 2014

Security Comm Networks

View full text Add to dashboard Cite

The goal of bot detection is to discover malicious bot processes by signature comparison or behavior analysis. Existing approaches have several drawbacks, such as requiring a lot of prior knowledge, low detection accuracy, and high false alarm rate. In this paper, we propose a multi‐feedback approach, BotCatch, to detect bots effectively and efficiently on a host by leverage of a combination of signature and behavior. First, BotCatch assigns suspicious files to signature‐analysis and behavior‐analysis modules, which generate each detection result. Second, BotCatch correlates signature and behavior results to generate the final detection result through correlation engine. Third, BotCatch feeds back signature, behavior, and correlation results to dynamically adjust detecting modules through multi‐feedback engine. We evaluated the performance of BotCatch with 636 bot and 150 benign samples. Our results indicate that BotCatch achieves an accuracy of 97.1% and an F‐measure value of 0.982 simultaneously, which is better than existing approaches without feedbacks. BotCatch, due to the multi‐feedback mechanism, has the ability to gradually get more robust and accurate as the number of samples increases. The final stage even reaches an accuracy of 98.5% and F‐measure value of 0.991. Copyright © 2014 John Wiley & Sons, Ltd.

show abstract

Structural entropy and metamorphic malware

Cited by 123 publications

References 18 publications

Compression-based analysis of metamorphic malware

Compression-based analysis of metamorphic malware

VAED: VMI‐assisted evasion detection approach for infrastructure as a service cloud

BotCatch: leveraging signature and behavior for bot detection

Contact Info

Product

Resources

About