Structural entropy and metamorphic malware |
| |
| Authors: | Donabelle Baysa Richard M. Low Mark Stamp |
| |
| Affiliation: | 1. Department of Computer Science, San Jose State University, San Jose, USA
2. Department of Mathematics, San Jose State University, San Jose, USA
|
| |
| Abstract: | Metamorphic malware is capable of changing its internal structure without altering its functionality. A common signature is nonexistent in highly metamorphic malware and, consequently, such malware can remain undetected under standard signature scanning. In this paper, we apply previous work on structural entropy to the metamorphic detection problem. This technique relies on an analysis of variations in the complexity of data within a file. The process consists of two stages, namely, file segmentation and sequence comparison. In the segmentation stage, we use entropy measurements and wavelet analysis to segment files. The second stage measures the similarity of file pairs by computing an edit distance between the sequences of segments obtained in the first stage. We apply this similarity measure to the metamorphic detection problem and show that we obtain strong results in certain challenging cases. |
| |
| Keywords: | |
| 本文献已被 SpringerLink 等数据库收录! |
|
