Similar literature
1.
A metamorphic virus is a type of malware that modifies its code using a morphing engine. Morphing engines are used to generate a large number of metamorphic malware variants by performing different obfuscation techniques. Since each metamorphic malware has its own unique structure, signature-based anti-virus programs are ineffective at detecting these metamorphic variants. Therefore, detection of these kinds of viruses becomes an increasingly important task. Recently, many researchers have focused on extracting common patterns of metamorphic variants that can be used as micro-signatures to identify the metamorphic malware executables. With a similar motivation, in this work we propose a novel metamorphic malware identification method, named HLES-MMI (Higher-level Engine Signature based Metamorphic Malware Identification). The proposed method first constructs a unique graph structure, called a co-opcode graph, for each metamorphic family, then extracts engine-specific opcode patterns from the graphs. Finally, it generates a higher-level signature for each family by representing the extracted opcode patterns with a binary vector. Experimental results on four datasets produced by different morphing engines demonstrate the effectiveness and efficiency of the proposed method by comparison with several existing malware identification methods.

2.
To evade signature-based detection, metamorphic viruses transform their code before each new infection. Software similarity measures are a potentially useful means of detecting such malware. We can compare a given file to a known sample of metamorphic malware and compute their similarity—if they are sufficiently similar, we classify the file as malware of the same family. In this paper, we analyze an opcode-based software similarity measure inspired by simple substitution cipher cryptanalysis. We show that the technique provides a useful means of classifying metamorphic malware.

3.
Currently almost all static methods for detecting malicious code are signature-based, with the result that viruses can easily escape detection by simple mechanisms such as code obfuscation. In this paper, a behavior-based detection approach is proposed to address this problem. The behaviors of interest are defined as static system call sequences. Unlike the traditional approach, which derives system call sequences by running executables (i.e., dynamic system call sequences), this approach statically analyzes binary code to derive system call sequences. In this paper, a method for deriving static system call sequences is presented, and two automatic feature-selection methods based on n-grams are proposed. We use machine-learning methods, including the K-nearest neighbor, Support Vector Machine, and decision tree methods, to classify executables. The proposed approach is compared with the dynamic detection approach using dynamic system call sequences. The experimental results show that the proposed approach has higher accuracy and a lower false positive rate than the dynamic detection approach.

4.
Commercial anti-virus scanners are generally signature based, that is, they scan for known patterns to determine whether a file is infected. To evade signature-based detection, virus writers have employed code obfuscation techniques to create metamorphic viruses. Metamorphic viruses change their internal structure from generation to generation, which can provide an effective defense against signature-based detection. To combat metamorphic viruses, detection tools based on statistical analysis have been studied. A tool that employs hidden Markov models (HMMs) was previously developed and the results are encouraging—it has been shown that metamorphic viruses created by a reasonably strong metamorphic engine can be detected using an HMM. In this paper, we explore whether there are any exploitable weaknesses in an HMM-based detection approach. We create a highly metamorphic virus-generating tool designed specifically to evade HMM-based detection. We then test our engine, showing that we can generate metamorphic copies that cannot be detected using existing HMM-based detection techniques.

5.
In the detection and classification of malicious code, the traditional grayscale encoding method, when converting features into images, causes problems such as feature splitting and precision loss, which seriously degrade malware detection performance. At the same time, traditional malware detection and classification datasets use only malicious samples and do not take benign samples into account. Therefore, this paper adopts a dataset containing both benign and malicious samples and proposes a double-byte feature encoding method. First, the ...

6.
The byte stream is widely used in malware detection due to its independence of reverse engineering. However, existing methods based on the byte stream implement an indiscriminate feature extraction strategy, which ignores the byte function difference in different segments and fails to achieve targeted feature extraction for various byte semantic representation modes, resulting in byte semantic confusion. To address this issue, an enhanced adversarial byte function associated method for malware backdoor attack is proposed in this paper by categorizing various function bytes into three functions involving structure, code, and data. The Minhash algorithm, grayscale mapping, and state transition probability statistics are then used to capture byte semantics from the perspectives of text signature, spatial structure, and statistical aspects, respectively, to increase the accuracy of byte semantic representation. Finally, the three-channel malware feature image is constructed based on different function byte semantics, and a convolutional neural network is applied for detection. Experiments on multiple data sets from 2018 to 2021 show that the method can effectively combine byte functions to achieve targeted feature extraction, avoid byte semantic confusion, and improve the accuracy of malware detection.

7.
N-gram analysis for computer virus detection
Generic computer virus detection is the need of the hour, as most commercial antivirus software fails to detect unknown and new viruses. Motivated by the success of data-mining/machine-learning techniques in intrusion detection systems, recent research in detecting malicious executables is directed towards devising efficient non-signature-based techniques that can profile program characteristics from a set of training examples. Byte sequences and byte n-grams are considered to be the basis of feature extraction. But as the number of n-grams is going to be very large, several feature selection methods have been proposed in the literature. A recent report on the use of information-gain-based feature selection has yielded the best-known result in classifying malicious executables from benign ones. We observe that information gain models the presence of an n-gram in one class and its absence in the other. Through a simple example we show that this may lead to erroneous results. In this paper, we describe a new feature selection measure, class-wise document frequency of byte n-grams. We empirically demonstrate that the proposed method is a better method for feature selection. For detection, we combine several classifiers using Dempster-Shafer Theory for better classification accuracy instead of using any single classifier. Our experimental results show that such a scheme detects virus programs far more efficiently than the earlier known methods.

8.
Individual recognition using gait energy image
In this paper, we propose a new spatio-temporal gait representation, called gait energy image (GEI), to characterize human walking properties for individual recognition by gait. To address the problem of the lack of training templates, we also propose a novel approach for human recognition by combining statistical gait features from real and synthetic templates. We directly compute the real templates from training silhouette sequences, while we generate the synthetic templates from training sequences by simulating silhouette distortion. We use a statistical approach for learning effective features from real and synthetic templates. We compare the proposed GEI-based gait recognition approach with other gait recognition approaches on the USF HumanID Database. Experimental results show that the proposed GEI is an effective and efficient gait representation for individual recognition, and the proposed approach achieves highly competitive performance with respect to the published gait recognition approaches.

9.
Malicious code attacks have become one of the most important threats on the Internet, and the existing body of malicious code is vast and diverse in its features. To better extract malicious code features and understand malicious code behavior, an Attention-CNN malicious code detection model based on the attention mechanism is proposed. First, a convolutional neural network (CNN) is combined with the attention mechanism to build the Attention-CNN malicious code detection model; then the malicious code is converted into grayscale images...

10.
To address the problems that current malicious code detection methods rely heavily on manually extracted features and cannot extract deep features of malicious code, a malicious code detection method based on the Bidirectional Long Short-Term Memory (Bi-LSTM) model and self-attention is proposed. Bi-LSTM is used to automatically learn the byte-stream sequences of malicious code samples and to output the hidden state at each time step; a self-attention mechanism computes a linearly weighted sum of the hidden states of all time steps as the deep feature of the sequence; a fully connected neural network layer and a Softmax layer output the predicted probability from the deep features. Experimental results show that the method is practical and feasible: compared with the second-best result, accuracy is improved by 12.32% and the false positive rate is reduced by 66.42%.

11.
Self-organizing algorithms for generalized eigen-decomposition
We discuss a new approach to self-organization that leads to novel adaptive algorithms for generalized eigen-decomposition and its variance for a single-layer linear feedforward neural network. First, we derive two novel iterative algorithms for linear discriminant analysis (LDA) and generalized eigen-decomposition by utilizing a constrained least-mean-squared classification error cost function, and the framework of a two-layer linear heteroassociative network performing a one-of-m classification. By using the concept of deflation, we are able to find sequential versions of these algorithms which extract the LDA components and generalized eigenvectors in a decreasing order of significance. Next, two new adaptive algorithms are described to compute the principal generalized eigenvectors of two matrices (as well as LDA) from two sequences of random matrices. We give a rigorous convergence analysis of our adaptive algorithms by using stochastic approximation theory, and prove that our algorithms converge with probability one.

12.
Identifying function-call-related information is the foundation of static analysis of binary code and an important clue in malicious code analysis. Binary code obfuscation techniques hide the information about functions in code by obfuscating the function call instruction call, the parameter-passing process and the call-return process. This greatly increases the difficulty of reverse analysis of programs, and the technique is widely used in metamorphic and polymorphic viruses to let them escape detection by anti-virus software. This paper presents a static analysis method that introduces the concept of an abstract stack graph and gives its construction algorithm; using it, obfuscated function calls in code can be effectively identified.

13.
We propose an artificial intelligence membrane to detect network intrusion, which is analogous to a biological membrane that prevents viruses from entering cells. This artificial membrane is designed to monitor incoming packets and to prevent malicious program code (e.g., a shellcode) from breaking into a stack or heap in memory. While monitoring incoming TCP packets, the artificial membrane constructs a TCP segment from the incoming packets, and derives the byte frequency of the TCP segment (byte values 0 to 255) as well as the entropy and size of the segment. These features of the segment can be classified by a data-mining technique such as a decision tree or neural network. If the data-mining method finds a suspicious byte sequence, the sequence is emulated to confirm that it really is a shellcode. If the byte sequence is a shellcode, the sequence is dropped. At the same time, an alert is communicated to the system administrator. Our experiments examined seven data-mining methods for normal and malicious network traffic. The malicious traffic included 114 shellcodes, provided by the Metasploit framework, including 10 types of metamorphic or polymorphic shellcodes. In addition, real network traffic involving shellcodes was examined. We found that a random forest method outperformed all the other data-mining methods and had a very high detection accuracy, including a true-positive rate of 99.6% and a false-positive rate of 0.4%.

14.
Based on an analysis of the characteristics and limitations of existing program code plagiarism detection systems, a hybrid program plagiarism detection method combining text analysis, structural metrics and attribute counting is proposed. Document fingerprinting and the Winnowing algorithm are applied to compute the textual similarity of programs; program code is represented as a Dynamic Control Structure tree (DCS), and the Winnowing algorithm is applied to compute the similarity of DCS trees, yielding the structural similarity; information about every variable in the program is collected and counted, and a variable similarity algorithm analyzes the variable information nodes to obtain the variable similarity; the textual similarity, structural similarity and variable similarity are each assigned a weight and combined into an overall code similarity. Experimental results show that the proposed method effectively detects various kinds of plagiarism. For different plagiarism thresholds, the precision and recall of the method are higher than those of the JPLAG system. In particular, for groups of structurally simple programs, the average precision of this method and of the JPLAG system is 82.5% and 69.5% respectively, showing that the proposed method is more effective.

15.
Metamorphic software changes its internal structure across generations with its functionality remaining unchanged. Metamorphism has been employed by malware writers as a means of evading signature detection and other advanced detection strategies. However, code morphing also has potential security benefits, since it can serve to increase the “genetic diversity” of software. We have created a metamorphic code generator within the LLVM compiler framework. LLVM is a three-phase compiler that supports multiple source languages and target architectures. It uses a common intermediate representation (IR) bytecode in its optimizer. Consequently, any supported high-level programming language is transformed to this IR bytecode as part of the LLVM compilation process. Our metamorphic generator functions at the IR bytecode level, which provides many advantages over morphing at the assembly or source code level. The morphing techniques that we employ include dead code insertion and transposition, where the dead code is actually executed within the morphed code, making its detection and removal more challenging. We have verified the effectiveness of our code morphing using hidden Markov model analysis.

16.
The characteristics of feature extraction by wavelet multiresolution analysis are analyzed, and a method for the automatic detection of epileptic waves in eight-channel EEG signals is proposed. The signal of each channel is decomposed into five levels using the wavelet transform; the wavelet coefficients of each sub-band and the signal deviation are extracted to form feature values for computing an adaptive threshold, which is applied to the key sub-bands to extract the epileptic waves in the signal. The focus of the study is the choice of a suitable wavelet for decomposing the EEG signal, the determination of an appropriate decomposition level, and the computation of the adaptive threshold. Experimental results show that the method provides a fast and effective means of feature extraction for epileptic EEG.

17.
A scheme that combines a single-tone detection algorithm for HINOC system probe frames with BCH encoding and decoding is proposed to improve the single-tone interference resistance of HINOC systems. First, the general method and implementation flow of single-tone detection are introduced; then the basic principles of BCH encoding and decoding are briefly described; finally, the scheme and implementation flow for applying the single-tone detection algorithm together with the BCH coding algorithm in HINOC systems are elaborated in detail. Simulation results show that the scheme significantly improves the single-tone interference resistance of HINOC systems and has strong practical value.

18.
In central catadioptric systems 3D lines are projected into conics. In this paper we present a new approach to extract conics in the raw catadioptric image, which correspond to projected straight lines in the scene. Using the internal calibration and two image points we are able to compute analytically these conics, which we name hypercatadioptric line images. We obtain the error propagation from the image points to the 3D line projection as a function of the calibration parameters. We also perform an exhaustive analysis of the elements that can affect the conic extraction accuracy. Besides that, we exploit the presence of parallel lines in man-made environments to compute the dominant vanishing points (VPs) in the omnidirectional image. In order to obtain the intersection of two of these conics we analyze the self-polar triangle common to this pair. With the information contained in the vanishing points we are able to obtain the 3D orientation of the catadioptric system. This method can be used either in a vertical stabilization system required by autonomous navigation or to rectify images required in applications where the vertical orientation of the catadioptric system is assumed. We use synthetic and real images to test the proposed method. We evaluate the 3D orientation accuracy against a ground truth given by a goniometer and by an inertial measurement unit (IMU). We also test our approach by performing vertical and full rectifications in sequences of real images.

19.
Color quantization of image sequences is a case of the non-stationary clustering problem. The approach we adopt to deal with this kind of problem is to propose adaptive algorithms to compute the cluster representatives. We have studied the application of Competitive Neural Networks and Evolution Strategies to the one-pass adaptive solution of this problem. One-pass adaptation is imposed by the near real-time constraint that we try to achieve. In this paper we propose a simple and effective evolution strategy for this task. Two kinds of competitive neural networks are also applied. Experimental results show that the proposed evolution strategy can produce results comparable to those of competitive neural networks.

20.
Metamorphic malware is capable of changing its internal structure without altering its functionality. A common signature is nonexistent in highly metamorphic malware and, consequently, such malware can remain undetected under standard signature scanning. In this paper, we apply previous work on structural entropy to the metamorphic detection problem. This technique relies on an analysis of variations in the complexity of data within a file. The process consists of two stages, namely, file segmentation and sequence comparison. In the segmentation stage, we use entropy measurements and wavelet analysis to segment files. The second stage measures the similarity of file pairs by computing an edit distance between the sequences of segments obtained in the first stage. We apply this similarity measure to the metamorphic detection problem and show that we obtain strong results in certain challenging cases.