A Framework for Metamorphic Malware Analysis and Real-Time Detection
| dc.contributor.author | Alam, Shahid | |
| dc.contributor.supervisor | Horspool, R. Nigel | |
| dc.contributor.supervisor | Traore, Issa | |
| dc.date.accessioned | 2014-08-19T20:08:41Z | |
| dc.date.available | 2014-08-19T20:08:41Z | |
| dc.date.copyright | 2014 | en_US |
| dc.date.issued | 2014-08-19 | |
| dc.degree.department | Department of Computer Science | |
| dc.degree.level | Doctor of Philosophy Ph.D. | en_US |
| dc.description.abstract | Metamorphism is a technique that mutates the binary code using different obfuscations. It is difficult to write a new metamorphic malware and in general malware writers reuse old malware. To hide detection the malware writers change the obfuscations (syntax) more than the behavior (semantic) of such a new malware. On this assumption and motivation, this thesis presents a new framework named MARD for Metamorphic Malware Analysis and Real-Time Detection. We also introduce a new intermediate language named MAIL (Malware Analysis Intermediate Language). Each MAIL statement is assigned a pattern that can be used to annotate a control flow graph for pattern matching to analyse and detect metamorphic malware. MARD uses MAIL to achieve platform independence, automation and optimizations for metamorphic malware analysis and detection. As part of the new framework, to build a behavioral signature and detect metamorphic malware in real-time, we propose two novel techniques, named ACFG (Annotated Control Flow Graph) and SWOD-CFWeight (Sliding Window of Difference and Control Flow Weight). Unlike other techniques, ACFG provides a faster matching of CFGs, without compromising detection accuracy; it can handle malware with smaller CFGs, and contains more information and hence provides more accuracy than a CFG. SWOD-CFWeight mitigates and addresses key issues in current techniques, related to the change of the frequencies of opcodes, such as the use of different compilers, compiler optimizations, operating systems and obfuscations. The size of SWOD can change, which gives anti-malware tool developers the ability to select appropriate parameter values to further optimize malware detection. CFWeight captures the control flow semantics of a program to an extent that helps detect metamorphic malware in real-time. Experimental evaluation of the two proposed techniques, using an existing dataset, achieved detection rates in the range 94% - 99.6% and false positive rates in the range 0.93% - 12.44%. Compared to ACFG, SWOD-CFWeight significantly improves the detection time, and is suitable to be used where the time for malware detection is more important as in real-time (practical) anti-malware applications. | en_US |
| dc.description.proquestcode | 0984 | en_US |
| dc.description.proquestemail | alam_shahid@yahoo.com | en_US |
| dc.description.scholarlevel | Graduate | en_US |
| dc.identifier.bibliographicCitation | Shahid Alam, Ibrahim Sogukpinar, Issa Traore and R. Nigel Horspool. Sliding Window and Control Flow Weight for Metamorphic Malware Detection. Springer Journal of Computer Virology and Hacking Techniques, http://dx.doi.org/10.1007/s11416-014-0222-y. | en_US |
| dc.identifier.bibliographicCitation | Shahid Alam, Ibrahim Sogukpinar, Issa Traore and Yvonne Coady. In-Cloud Malware Anlaysis and Detection: State of the Art. The Seventh ACM International Conference on Security of Information and Networks (SIN 2014), September, 2014. Glasgow, UK (in print). | en_US |
| dc.identifier.bibliographicCitation | Shahid Alam, Issa Traore and Ibrahim Sogukpinar. Current Trends and the Future of Metamorphic Malware Detection. The Seventh ACM International Conference on Security of Information and Networks (SIN 2014), September, 2014. Glasgow, UK (in print). | en_US |
| dc.identifier.bibliographicCitation | Shahid Alam, R. Nigel Horspool and Issa Traore. MARD: A Framework for Metamorphic Malware Analysis and Real-Time Detection. In Proceedings of the 28th IEEE International Conference on Advanced Information Networking and Applications, Research Track - Security and Privacy, May, 2014. Washington DC, USA, IEEE Computer Society. | en_US |
| dc.identifier.bibliographicCitation | Shahid Alam, R. Nigel Horspool and Issa Traore. MAIL: Malware Analysis Intermediate Language - A Step Towards Automating and Optimizing Malware Detection. In Proceedings of the Sixth ACM International Conference on Security of Information and Networks, November, 2013. New York, USA, ACM SIGSAC. | en_US |
| dc.identifier.uri | http://hdl.handle.net/1828/5576 | |
| dc.language | English | eng |
| dc.language.iso | en | en_US |
| dc.rights.temp | Available to the World Wide Web | en_US |
| dc.subject | End point security | en_US |
| dc.subject | Malware detection | en_US |
| dc.subject | Metamorphic malware | en_US |
| dc.subject | Control flow analysis | en_US |
| dc.subject | Heuristics | en_US |
| dc.subject | Data mining | en_US |
| dc.subject | Window of difference | en_US |
| dc.title | A Framework for Metamorphic Malware Analysis and Real-Time Detection | en_US |
| dc.type | Thesis | en_US |