High-speed and accurate malware detection for metamorphic malware are two goals in antiviruses. To reach beyond this issue, this chapter presents a new malware detection method that can be summarized as follows: (1) Input file is disassembled and classified to obtain the minimal opcode pattern as feature vectors; (2) a forward feature selection method (i.e., maximum relevancy and minimum redundancy) is applied to remove the redundant as well as irrelevant features; and (3) the process ends by classification through using decision tree. The results indicate the proposed method can effectively detect metamorphic malware in terms of speed, efficiency, and accuracy.
TopIntroduction
The enterprise network security is currently under highly volatile conditions, and the security landscape gets darker when mixing up internet environments with the rate of the increasing and improved malicious software (malware) (Fernandes et al. 2014). The huge amount of files on the net makes the efficient and effective investigation of particular files as a challenging activity through common methods like static and signature-based approaches. The signature based approach is a well-known malware detection type that is utilized by antivirus developer (Aycock, 2006). A signature is a string of bits that specifically appear in the structure of malware.since malware programmers are aware of signature-based approaches, they invented new techniques to prevent detections techniques (Lin & Stamp, 2011; Szor, 2005) like polymorphism and metamorphosis aim at complicating the detection process via reconstructing the malware programs without destructing their functions (Mathur & Hiranwal, 2013).
Metamorphic malware (Chouchane & Lakhotia, 2006) is one of the most serious threatening types of malware, which generates new code structures after each infection, while no destruction happens in their functions. This continuous mutation causes difficulty in detecting the malware. Besides, the number of emerging worms and Trojans that utilize this technique is rising (Anderson et al. 2011). Some examples of these malicious functions are the destruction of data, information theft and assuming ownership of computer resources. Also, money is another major trend in developing malwares (Plonk, A., & Carblanc, 2008).
Metamorphic malwares emerged as a new generation of polymorphic malware. A polymorphic malware encrypts its instruction codes and alters the decryption code section by generating a new decryption procedure after each infection. This mechanism creates different morphs of a virus (Szor, 2005). The main limitation of polymorphic malwares is derived from their unpacked code section. Although they have an encrypted code section, their unpacked code is constant and it must be loaded into the memory to perform the functions. Therefore, an approach for detecting polymorphic malware is to wait for the virus to start decryption. Then, compare the signature of the program with the dictionary of signatures. On the other hand, metamorphic malware has no decryption procedure, since they directly alter the body of codes (Schiffman, 2010; You and Yim, 2010).
There are two classes for present methods of metamorphic malware detection: dynamic analysis and static analysis approaches (Konstantinou, E., & Wolthusen, 2008). Dynamic analysis executes the suspicious code and observes its behavior. The suspicious code may contain an infected code section. A vivid problem is the execution environment; in the sense that running the malicious code might diffuse the infection from the analyst machine. On the other hand, execution of code on a dedicated machine has overhead (Bayer et al. 2006). Static analysis is prior to dynamic approach if malicious code is detectable through features analysis or pattern recognition. In addition, when detecting the threatening code needs uncommon execution situations, the static analysis might eventuate to a better performance. On the other side, static analysis techniques are dependent on the source of the code; so they will fail if the code is not available (Daoud, Jebril, & Zaqaibeh, 2008).