1.
In this paper, we analyze several metamorphic virus generators. We define a similarity index and use it to precisely quantify the degree of metamorphism that each generator produces. Then we present a detector based on hidden Markov models and we consider a simpler detection method based on our similarity index. Both of these techniques detect all of the metamorphic viruses in our test set with extremely high accuracy. In addition, we show that popular commercial virus scanners do not detect the highly metamorphic virus variants in our test set.
A talk based on the results in this paper was presented by the authors at Defcon 14, August 5, 2006, Las Vegas, Nevada.
2.
This paper deals with metamorphic viruses. More precisely, it examines the use of advanced code obfuscation techniques with respect to metamorphic viruses. Our objective is to evaluate the difficulty of a reliable static detection of viruses that use such obfuscation techniques. Here we extend Spinellis' result (IEEE Trans. Inform. Theory, 49(1), 280–284, 2003) on the detection complexity of bounded-length polymorphic viruses to metamorphic viruses. In particular, we prove that reliable static detection of a particular category of metamorphic viruses is an -complete problem. Then we empirically illustrate our result by constructing a practical obfuscator which could be used by metamorphic viruses in the future to evade detection.
3.
This paper describes a new approach towards the detection of metamorphic computer viruses through the algebraic specification of an assembly language. Metamorphic computer viruses are computer viruses that apply a variety of syntax-mutating, behaviour-preserving metamorphoses to their code in order to defend themselves against static analysis based detection methods. An overview of these metamorphoses is given. Then, in order to identify behaviourally equivalent instruction sequences, the syntax and semantics of a subset of the IA-32 assembly language instruction set is specified formally using OBJ, an algebraic specification formalism and theorem prover based on order-sorted equational logic. The concepts of equivalence and semi-equivalence are given formally, and a means of proving equivalence from semi-equivalence is given. The OBJ specification is shown to be useful for proving the equivalence or semi-equivalence of IA-32 instruction sequences by applying reductions, that is, sequences of equational rewrites in OBJ. These proof methods are then applied to fragments of two different metamorphic computer viruses, Win95/Bistro and Win9x.Zmorph.A, in order to prove their (semi-)equivalence. Finally, the application of these methods to the detection of metamorphic computer viruses in general is discussed.
4.
Gerardo Canfora, Antonio Niccolò Iannaccone, Corrado Aaron Visaggio. Journal in Computer Virology, 2014, 10(1):11-27
Metamorphic viruses are particularly insidious as they change their form at each infection, thus making detection hard. Many techniques have been proposed to produce metamorphic malware, and many approaches have been explored to detect it. This paper introduces a detection technique that relies on the assumption that a side effect of the most common metamorphic engines is the dissemination of a high number of repeated instructions in the body of the virus program. We have evaluated our technique on a population of 1,000 programs, and the experimental outcomes indicate that it is accurate in classifying both metamorphic viruses and viruses of other kinds. Virus writers commonly insert code taken from benign files in order to evade antivirus software; our technique is able to recognize a virus even if benign code has been added to it.
5.
Metamorphic malware changes its internal structure on each infection while maintaining its function. Although many detection techniques have been proposed, practical and effective metamorphic detection remains a difficult challenge. In this paper, we analyze a previously proposed eigenvector-based method for metamorphic detection. The approach considered here was inspired by a well-known facial recognition technique. We compute eigenvectors using raw byte data extracted from executables belonging to a metamorphic family. These eigenvectors are then used to compute a score for a collection of executable files that includes family viruses and representative examples of benign code. We perform extensive testing to determine the effectiveness of this classification method. Among other results, we show that this eigenvalue-based approach is effective when applied to a family of highly metamorphic code that successfully evades statistical-based detection. We also experiment with computing eigenvectors on extracted opcode sequences, as opposed to raw byte sequences. Our experimental evidence indicates that the use of opcode sequences does not improve the results.
7.
Ranan Fraer, Gila Kamhi, Limor Fix, Moshe Y. Vardi. Electronic Notes in Theoretical Computer Science, 2001, 23(2)
We propose a methodology to evaluate a rich set of BDD subsetting heuristics with respect to bug hunting and apply it to a set of real-life Intel designs. Our results illustrate that the evaluation metrics used to rate these heuristics in previous work were not tuned for bug-finding efficiency, which we believe is the major criterion that the heuristics need to meet.
9.
The optical transport network is the foundation of the telecommunications network, and how to quickly restore the services affected by a network failure is an important problem facing optical networks. Based on an analysis of the shortcomings of the classical Floyd and Dijkstra algorithms, this paper proposes a restoration algorithm that combines backup paths with a search algorithm, and within the search algorithm proposes a fast incomplete traversal algorithm (FIE algorithm) suited to mesh network topologies. When a network failure occurs, the backup path is looked up first; if the backup path cannot restore the service, a path search is carried out according to a set of criteria, using bidirectional search, which shortens the restoration time considerably in several respects.
10.
In spite of its easy implementation, ability to handle constraints and nonlinearities, etc., model predictive control (MPC) does have drawbacks, including tuning difficulties. In this paper, we propose a refinement to the basic MPC strategy by incorporating a tuning parameter such that one can move smoothly from an existing controller to a new MPC strategy. Each change of this tuning parameter leads to a new stabilising control law, therefore allowing one to gradually move from an existing control law to a new and better one. For the infinite horizon case without constraints and for the general case with state and input constraints, stability results are established. We also examine the practical applicability of the proposed approach by employing it in the nominal prediction model of the tube-based output feedback robust MPC method. The merits of the proposed method are illustrated by examples.
12.
Eugene Y. Vasserman, Nicholas Hopper, James Tyra. International Journal of Information Security, 2009, 8(2):121-135
Port knocking is a technique to prevent attackers from discovering and exploiting vulnerable network services, while allowing access for authenticated users. Unfortunately, most work in this area suffers from a lack of a clear threat model or motivation. To remedy this, we introduce a formal security model for port knocking, show how previous schemes fail to meet our definition, and give a provably secure scheme. We also present SilentKnock, an implementation of this protocol that is provably secure under the assumption that AES and a modified version of MD4 are pseudorandom functions, and integrates seamlessly with existing applications.
13.
In response to increasingly rampant hacker attack activity, this paper designs a dedicated hacker tracing system and discusses its main functions, architecture, main modules and key technical points, addressing the difficulties of investigating, collecting evidence for, and tracing hacker attack cases.
14.
To address the problem of identifying metamorphic relations in metamorphic testing, a method for identifying likely metamorphic relations is proposed. Based on the mathematical properties of the program at the algorithm level, and combined with domain knowledge, guiding rules for identifying input patterns are given; the SPSS tool is used to automatically mine the corresponding output patterns from the program's outputs, making the output-pattern mining process both simple and efficient; new test data are then generated to check the input and output patterns, yielding a set of meaningful likely metamorphic relations. Through the ordinary differential equation Runge...
15.
Metamorphic malware is capable of changing its internal structure without altering its functionality. A common signature is nonexistent in highly metamorphic malware and, consequently, such malware can remain undetected under standard signature scanning. In this paper, we apply previous work on structural entropy to the metamorphic detection problem. This technique relies on an analysis of variations in the complexity of data within a file. The process consists of two stages, namely, file segmentation and sequence comparison. In the segmentation stage, we use entropy measurements and wavelet analysis to segment files. The second stage measures the similarity of file pairs by computing an edit distance between the sequences of segments obtained in the first stage. We apply this similarity measure to the metamorphic detection problem and show that we obtain strong results in certain challenging cases.
16.
Esmaeel Radkani, Sattar Hashemi, Alireza Keshavarz-Haddad, Maryam Amir Haeri. Applied Intelligence, 2018, 48(6):1536-1546
Metamorphic malware is a kind of malware which evades signature-based anti-viruses by changing its internal structure in each infection. This paper first introduces a new measure of distance between two computer programs, called the program dissimilarity measure based on entropy (PDME). It then suggests a measure for the degree of metamorphism based on the proposed distance measure. The distance measure is defined in terms of the entropy of the two malware programs. Moreover, the paper shows that the distance measure can be used for classifying metamorphic malware via the K-Nearest Neighbors (KNN) method. The method is evaluated on four metamorphic malware families. The results demonstrate that the measure can indicate the degree of metamorphism efficiently, and that the KNN classification method using PDME can classify metamorphic malware with high precision.
17.
The problem we address is the distributed reconfiguration of a planar metamorphic robotic system composed of any number of hexagonal modules. After presenting a framework for classifying motion planning algorithms for metamorphic robotic systems, we describe distributed algorithms for reconfiguring a straight chain of hexagonal modules to any intersecting straight chain configuration. We prove our algorithms are correct, and show that they are either optimal or asymptotically optimal in the number of moves and asymptotically optimal in the time required for parallel reconfiguration.
Received: 28 October 2002, Accepted: 31 October 2003, Published online: 1 March 2004
Correspondence to: Jennifer E. Walter; Nancy M. Amato: amato@cs.tamu.edu
A preliminary version of this paper appeared in the Proc. of the 19th ACM Symposium on Principles of Distributed Computing, July 2000, pages 171-180. The work of N. Amato and J. Walter was supported in part by NSF CAREER Award CCR-9624315, NSF Grants IIS-9619850, ACI-9872126, EIA-9975018, EIA-0103742, EIA-9805823, ACR-0081510, ACR-0113971, CCR-0113974, EIA-9810937, EIA-0079874, by the Texas Higher Education Coordinating Board grant ARP-036327-017, and by the DOE ASCI ASAP program grant B347886. The work of J. Walter was supported in part by Department of Education GAANN and GE Faculty of the Future fellowships.
18.
Journal of Computer Virology and Hacking Techniques. Metamorphic malware are self-modifying programs which apply semantic preserving transformations to their own code in order to foil detection...
19.
An IP tracing system based on MapX is designed and implemented. The system can obtain, in real time, information on each node along the path from the local host to the target host, such as the target node's operating system, the services it runs, its location, its domain name information and its country, and can display this information on a map, thereby visualizing the network trace.
20.
To evade signature-based detection, metamorphic viruses transform their code before each new infection. Software similarity measures are a potentially useful means of detecting such malware. We can compare a given file to a known sample of metamorphic malware and compute their similarity; if they are sufficiently similar, we classify the file as malware of the same family. In this paper, we analyze an opcode-based software similarity measure inspired by simple substitution cipher cryptanalysis. We show that the technique provides a useful means of classifying metamorphic malware.