Compression-based analysis of metamorphic malware

Jared Lee, Thomas H. Austin, Mark Stamp
2015 International Journal of Security and Networks (IJSN)

Abstract: Recent work has presented a technique based on structural entropy measurement as an effective way to detect metamorphic malware. The technique uses two steps, file segmentation and sequence comparison, to calculate file similarity. In another previous work, it was observed that similar malware have similar measures of Kolmogorov complexity. A proposed method of estimating Kolmogorov complexity was to calculate the compression ratio of a given malware sample, which could then be used to cluster the malicious software. Malware detection has also been attempted through the use of adaptive data compression and showed promising results. In this paper, we attempt to combine these concepts and propose using compression ratios as an alternative measure of entropy for the purpose of segmenting files according to their structural characteristics. We then compare the segment-based sequences of two given files to determine file similarity. The idea is that even after malware is transformed by a metamorphic engine, the resulting variants still share identifiable structural similarities with the original. Using this proposed technique to identify metamorphic malware, we compare our results with previous work.

doi:10.1504/ijsn.2015.070426 fatcat:kbrm22owe5fwppbku5d6m6sipy