Team for Research in
Ubiquitous Secure Technology

A highly metamorphic virus generator
Mark Stamp, Priti Desai

Citation
Mark Stamp, Priti Desai. "A highly metamorphic virus generator". International Journal of Multimedia Intelligence and Security, 1(4):402-427, 2010.

Abstract
Metamorphic viruses modify their code to produce viral copies that are syntactically different from their parents. The viral copies have the same functionality as the parent but typically have no common signature. This makes signature-based virus scanners ineffective for detecting metamorphic viruses. But machine learning tools such as Hidden Markov Models (HMMs) have proven effective at detecting metamorphic viruses. Previous research has shown that most metamorphic generators do not produce a significant degree of metamorphism. In this project, we develop a metamorphic engine that yields highly diverse morphed copies of a base virus. We show that our metamorphic engine easily defeats commercial virus scanners. We then show that, perhaps surprisingly, HMM-based detection is effective against our highly metamorphic viruses. We conclude with a discussion of possible improvements to our generator that might enable it to defeat statistics-based detection methods, such as those that rely on HMMs.
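The abstract contrasts two detection models: an exact signature, which a morphing engine defeats by rewriting the instruction stream, and a statistical model of opcode sequences, which survives because the morphed copies still share transition statistics. The script below is an added example, not the paper's generator or its HMM. It builds a toy engine (equivalent-instruction substitution plus dead-code insertion over a constructed mnemonic sequence), a signature scanner, and a visible-state first-order Markov chain over opcodes used as a stand-in for HMM scoring; the base virus, substitution rules, dead-code blocks, benign opcode set, and the threshold rule are all assumptions made for the example.

```python
"""Toy metamorphic engine plus two detectors (added example, not the paper's code).

Opcode sequences, substitution rules and the scoring model are all constructed
here. The detector is a visible-state Markov chain over opcodes, a stand-in for
the HMM scoring the paper describes, not a reimplementation of it."""
import math
import random
from collections import Counter, defaultdict

# Constructed "base virus": a mnemonic sequence with operands omitted.
BASE_VIRUS = ["push", "mov", "xor", "call", "test", "jz", "mov", "add",
              "cmp", "jne", "mov", "call", "pop", "ret"]

# Equivalent-instruction substitutions (e.g. `xor r,r` -> `sub r,r` / `mov r,0`).
# Operands are omitted, so equivalence is assumed for the example, not checked.
EQUIV = {"xor": [["sub"], ["mov"]], "add": [["sub"], ["lea"]],
         "mov": [["push", "pop"], ["lea"]], "test": [["and"], ["cmp"]],
         "jz": [["je"]], "jne": [["jnz"]]}
# Semantic no-ops the engine may insert after any instruction.
DEAD_CODE = [["nop"], ["push", "pop"], ["inc", "dec"], ["xchg", "xchg"]]
# Constructed "benign" programs draw uniformly from this set.
BENIGN_OPS = ["mov", "lea", "add", "sub", "cmp", "jmp", "call", "ret", "push",
              "pop", "imul", "shl", "and", "or", "test", "je"]
VOCAB = (set(BASE_VIRUS) | set(BENIGN_OPS)
         | {op for alts in EQUIV.values() for alt in alts for op in alt}
         | {op for block in DEAD_CODE for op in block})


def morph(program, rng, p_subst=0.5, p_dead=0.3):
    """One morphed copy: substitute equivalents and sprinkle in dead code."""
    out = []
    for op in program:
        if op in EQUIV and rng.random() < p_subst:
            out.extend(rng.choice(EQUIV[op]))
        else:
            out.append(op)
        if rng.random() < p_dead:
            out.extend(rng.choice(DEAD_CODE))
    return out


def signature_match(program, signature):
    """Contiguous-subsequence scan: the signature-based scanner's whole model."""
    n = len(signature)
    return any(program[i:i + n] == signature for i in range(len(program) - n + 1))


class OpcodeMarkovModel:
    """First-order Markov chain over opcodes with add-one smoothing; score() is
    the mean log P(next | prev), so unseen transitions cost a lot but not -inf."""

    def __init__(self, vocab):
        self.vocab_size = len(vocab)
        self.trans = defaultdict(Counter)

    def train(self, programs):
        for p in programs:
            for a, b in zip(p, p[1:]):
                self.trans[a][b] += 1

    def score(self, program):
        total, n = 0.0, 0
        for a, b in zip(program, program[1:]):
            row = self.trans.get(a, Counter())
            total += math.log((row[b] + 1) / (sum(row.values()) + self.vocab_size))
            n += 1
        return total / n if n else float("-inf")


def benign_program(rng, length=40):
    return [rng.choice(BENIGN_OPS) for _ in range(length)]


def mean(xs):
    xs = list(xs)
    return sum(xs) / len(xs)


def run_experiment(seed=1, n_train=200, n_test=100):
    """Train on morphed copies, set the threshold midway between the training
    virus and benign means, then score fresh copies with both detectors."""
    rng = random.Random(seed)
    train_virus = [morph(BASE_VIRUS, rng) for _ in range(n_train)]
    train_benign = [benign_program(rng) for _ in range(n_train)]
    model = OpcodeMarkovModel(VOCAB)
    model.train(train_virus)
    threshold = (mean(model.score(p) for p in train_virus)
                 + mean(model.score(p) for p in train_benign)) / 2
    test_virus = [morph(BASE_VIRUS, rng) for _ in range(n_test)]
    test_benign = [benign_program(rng) for _ in range(n_test)]
    signature = BASE_VIRUS[:6]  # what a scanner would lift from the parent
    return {
        "signature_hits_parent": signature_match(BASE_VIRUS, signature),
        "signature_detection_rate": mean(signature_match(p, signature) for p in test_virus),
        "markov_detection_rate": mean(model.score(p) >= threshold for p in test_virus),
        "markov_false_positive_rate": mean(model.score(p) >= threshold for p in test_benign),
    }


if __name__ == "__main__":
    for name, value in run_experiment().items():
        print(f"{name}: {value}")
```

Running it shows the two outcomes the abstract describes: the six-opcode signature matches the parent but almost never a morphed copy (a copy keeps that prefix intact only when none of the four substitutable opcodes is rewritten and no dead code lands in between), while the opcode-transition model separates morphed copies from the constructed benign programs with a threshold learned from the training set. The toy also hints at the abstract's closing point: the model only works because the inserted dead code and substitutions have their own fixed statistics; if DEAD_CODE were instead drawn from benign code, the two score distributions would move toward each other.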

Electronic downloads

Citation formats  
  • HTML
    Mark Stamp, Priti Desai. <a
    href="http://www.truststc.org/pubs/779.html" >A
    highly metamorphic virus generator</a>,
    <i>International Journal of Multimedia Intelligence
    and Security</i>, 1(4):402-427,  2010.
  • Plain text
    Mark Stamp, Priti Desai. "A highly metamorphic virus
    generator". <i>International Journal of
    Multimedia Intelligence and Security</i>,
    1(4):402-427,  2010.
  • BibTeX
    @article{StampDesai10_HighlyMetamorphicVirusGenerator,
        author = {Mark Stamp and Priti Desai},
        title = {A highly metamorphic virus generator},
        journal = {International Journal of Multimedia Intelligence
                  and Security},
        volume = {1},
        number = {4},
        pages = {402-427},
        year = {2010},
    abstract = {Metamorphic viruses modify their code to produce
                  viral copies that are syntactically different from
                  their parents. The viral copies have the same
                  functionality as the parent but typically have no
                  common signature. This makes signature-based virus
                  scanners ineffective for detecting metamorphic
                  viruses. But machine learning tools such as Hidden
                  Markov Models (HMMs) have proven effective at
                  detecting metamorphic viruses. Previous research
                  has shown that most metamorphic generators do not
                  produce a significant degree of metamorphism. In
                  this project, we develop a metamorphic engine that
                  yields highly diverse morphed copies of a base
                  virus. We show that our metamorphic engine easily
                  defeats commercial virus scanners. We then show
                  that, perhaps surprisingly, HMM-based detection is
                  effective against our highly metamorphic viruses.
                  We conclude with a discussion of possible
                  improvements to our generator that might enable it
                  to defeat statistics-based detection methods,
                  such as those that rely on HMMs.},
        URL = {http://www.truststc.org/pubs/779.html}
    }
    

Posted by Mark Stamp on 1 May 2011.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.