Bioinformatics Techniques for Metamorphic Malware Analysis and Detection
Malaviya National Institute of Technology, Jaipur
Supervisors:
Dr. M. S. Gaur
Dr. V. Laxmi
By:
Grijesh Chauhan
(2009PCP116)
Outline
Malware & Metamorphic malware
Motivation
Objective
Bioinformatics Techniques
MOMENTUM
Dataset
Result & Analysis
References
Malware
Malware is software written with the intention to infect and replicate.
Threats:
Loss of data
Degraded computer system performance
Identity theft
Two broad categories:
Metamorphic: the virus body changes on each replication.
Polymorphic: the malicious payload is encrypted to avoid detection.
Metamorphic Malware [1/2]
Metamorphic malware variants have similar functionality but a different structure, and hence a different signature.
This is similar to genetic diversity in biology.
[Diagram: a metamorphic engine producing Variant-1, Variant-2 and Variant-3 with reordered code]
Metamorphic Malware [2/2]
Metamorphic malware automatically re-codes itself each time it propagates or is distributed.
Conventional signature-based scanners are therefore ineffective at detecting variants of the same malware.
More sophisticated signature(s) are required to detect metamorphic variants of malware.
Motivation
Variants of metamorphic malware are generated by a small embedded metamorphic engine in order to defeat detection [2].
A limited number of instructions is used to generate variants, so that functionality is preserved.
Like DNA/protein sequences, metamorphic malware mutates from generation to generation; variants inherit functionality and some structural similarity from their ancestral malware.
Objective
To devise a method for the detection of metamorphic malware and its variants.
To extract the abstract signature(s) using Bioinformatics sequence alignment: the base code is preserved across generations, obfuscated using junk code, equivalent instructions etc.
To identify unseen malware samples using the best representative signatures (group/single) of a family.
Sequence Alignment [1/2]
Sequence alignment is a way of arranging DNA/protein sequences to identify regions of similarity, from which a functional, structural or evolutionary relationship is inferred.
Alignment Methods:
Global Alignment - aligns the sequences end to end.
Local Alignment - aligns a substring of one sequence with a substring of the other.
Multiple Sequence Alignment (MSA) - aligns more than two sequences.
Sequence Alignment [2/2]
Global alignment:
L G P S S K Q T G K G S - S R I D N
L N - I T K S A G K G A I M R L D A
Local alignment:
- - - - - - T G - G - - - - - - -
- - - - - - A G K G - - - - - - -
Alignment Parameters: Match, Mismatch, Gap, Point of Mutation
Multiple Sequence Alignment
MSA is the extension of pairwise alignment to more than two sequences.
It is used to identify conserved regions across a group of sequences.
M1   M2   M3   M4   M5
add  add  add  -    add
-    push push push push
mov  mov  mov  mov  mov
-    call jmp  jz   jmp
jmp  jmp  mov  mov  mov
• Mi – ith Malware instance
Implementation of MSA
MSA is implemented using the progressive technique (ClustalW [9]).
Progressive MSA follows three steps:
Determine the similarity between each pair of sequences by pairwise alignment.
Construct a guide tree (phylogenetic tree) to represent the evolutionary relationship.
Build the MSA by aligning the most closely related groups first and the most distant group last, as directed by the guide tree.
Phylogenetic Tree
A phylogenetic tree depicts the evolutionary relationship among the sequences.
It is used to form groups of similar viruses.
It guides the progressive MSA to align closer groups first.
Example tree over the sequences A, B, D, E and F, in nested form: ( (E,(A,B)), (D,F) )
Similarity Measurement
Alignment Score: the sum of the scores specified for each aligned pair of mnemonics. The higher the score, the more similar the sequences.
Distance (d): calculated using the following formulas. The higher the distance, the more dissimilar the sequences.
Nd = #mismatch / (#mismatch + #match)
Ld = #mismatch + #match + #gap
• Nd is the Normalized distance, Ld is the Levenshtein distance
Identification of Base Malware
The base malware of a family is the instance most similar to all the others, i.e. the one with the highest sum of pairwise alignment scores (SoP [3]).
Score Matrix:
     M1   M2   M3   M4   SoP
M1   -    7    -2   1    6
M2   7    -    -3   0    4
M3   -2   -3   -    1    -4
M4   1    0    1    -    2
M1 has the highest SoP and is the Base Malware.
• Mi – ith Malware instance
Implementation Method
MetamOrphic Malware ExploratioN Technique Using MSA (MOMENTUM) demonstrates the applicability of Bioinformatics techniques to metamorphic malware analysis and detection.
The two phases of MOMENTUM are:
Analysis of Metamorphism in Tools/Real Malware
Signature Modelling and Testing
MOMENTUM [1/2]
• Flow diagram for metamorphism analysis: Metamorphic Families (Virus Tools and Real Malware) → Intra-Family pair-wise Alignment → Distance Matrix, Base file, Alignments of two files → Metamorphic? → Inter-Family pair-wise Alignment → Families Overlap? / Obfuscation?
MOMENTUM [2/2]
• Diagram depicts Signature Modelling and Testing: Divide data set in two parts (Training Set, Testing Set) → Extract Group Signature / Single Signature → Threshold → Scan Logs → Testing with single and group signatures
MSA Signature
The MSA signature (single signature) is the sequence of mnemonics preserved in the alignment.
A mnemonic that appears in more than 50% of a row is included in the MSA signature.
M1   M2   M3   M4   M5   MSA Sign   Mt
push push -    -    push push       push
-    -    jump jump jump jump       jump
mov  mov  -    lea  xor             lea
call call call call call call       call
push mov  mov  -    mov  mov        push
• Mi – ith Malware instance and Mt – Test Sample
Group Signature
A group signature is extracted from the single signatures of the sub-groups of a family.
Sub-groups are formed using the evolutionary relationship.
A single signature is extracted for each sub-group, and these are combined in the form of a wildcard.
Sign1 Sign2 Sign3 Sign4 Sign5 Group Sign    Mt
push  push  -     -     push  push          push
jz    jz    jump  jump  jump  jump|jz       jz
mov   mov   -     lea   xor   mov|lea|xor   lea
call  call  call  call  call  call          call
-     mov   mov   -     push  mov|push      push
• Signi – Signature for ith sub-group in a family
Threshold
[Diagram: score axis from 0 through Bmin, Bmax, Mmin and Mmax; benign scores lie to the left, malware scores to the right]
Where:
Bmin: benign sample with minimum score
Bmax: benign sample with maximum score
Mmin: malware sample with minimum score
Mmax: malware sample with maximum score
Threshold = (Bmax + Mmin) / 2, subject to Threshold > Bmax
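The pairwise alignment, Nd distance and SoP rule of the Similarity Measurement and Base Malware slides, together with the single/group signature and threshold rules of the three slides above, worked through as one added Python example (my code, not the MOMENTUM implementation). The Needleman-Wunsch scoring values, the wildcard `same` predicate and the per-instance sequences read back from the slide-10 MSA are assumptions; the Levenshtein distance is not implemented.

```python
"""Alignment, distance, base-malware and signature helpers modelled on the
MOMENTUM slides; match/mismatch/gap scores and the sample data are assumed."""
from collections import Counter
from typing import Callable, Dict, List, Sequence, Set, Tuple

GAP = "-"
MATCH, MISMATCH, GAP_PENALTY = 2, -1, -2   # assumed: the slides give no values

def global_align(a: Sequence, b: Sequence,
                 same: Callable = lambda x, y: x == y) -> Tuple[int, list, list]:
    """Needleman-Wunsch global alignment -> (score, aligned_a, aligned_b).
    `same(x, y)` decides a match, so a wildcard set (mov|lea|xor) can be aligned."""
    n, m = len(a), len(b)
    S = [[0] * (m + 1) for _ in range(n + 1)]      # S[i][j]: best score for a[:i], b[:j]
    for i in range(1, n + 1):
        S[i][0] = i * GAP_PENALTY
    for j in range(1, m + 1):
        S[0][j] = j * GAP_PENALTY
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            sub = MATCH if same(a[i - 1], b[j - 1]) else MISMATCH
            S[i][j] = max(S[i - 1][j - 1] + sub,
                          S[i - 1][j] + GAP_PENALTY, S[i][j - 1] + GAP_PENALTY)
    i, j, out_a, out_b = n, m, [], []
    while i > 0 or j > 0:                          # traceback, diagonal preferred
        sub = MATCH if i and j and same(a[i - 1], b[j - 1]) else MISMATCH
        if i and j and S[i][j] == S[i - 1][j - 1] + sub:
            out_a.append(a[i - 1]); out_b.append(b[j - 1]); i -= 1; j -= 1
        elif i and S[i][j] == S[i - 1][j] + GAP_PENALTY:
            out_a.append(a[i - 1]); out_b.append(GAP); i -= 1
        else:
            out_a.append(GAP); out_b.append(b[j - 1]); j -= 1
    return S[n][m], out_a[::-1], out_b[::-1]

def normalized_distance(a: List[str], b: List[str]) -> float:
    """Nd = #mismatch / (#mismatch + #match), counted over the global alignment."""
    _, al_a, al_b = global_align(a, b)
    pairs = [(x, y) for x, y in zip(al_a, al_b) if GAP not in (x, y)]
    return sum(x != y for x, y in pairs) / len(pairs) if pairs else 0.0

def base_malware(family: Dict[str, List[str]]) -> Tuple[str, Dict[str, int]]:
    """Sum-of-pairs (SoP): the instance whose pairwise alignment scores against
    the rest of the family add up highest is the family's base malware."""
    names = list(family)
    sop = dict.fromkeys(names, 0)
    for k, x in enumerate(names):
        for y in names[k + 1:]:
            s = global_align(family[x], family[y])[0]
            sop[x] += s
            sop[y] += s
    return max(names, key=sop.get), sop

def msa_signature(rows: List[List[str]]) -> List[str]:
    """Single (MSA) signature: an aligned row (one position across all instances,
    gaps included) contributes its mnemonic only if it fills more than 50% of the row."""
    sig = []
    for row in rows:
        counts = Counter(t for t in row if t != GAP)
        if counts and 2 * counts.most_common(1)[0][1] > len(row):
            sig.append(counts.most_common(1)[0][0])
    return sig

def group_signature(rows: List[List[str]]) -> List[Set[str]]:
    """Group signature: per aligned row of the sub-group signatures, the set of all
    non-gap mnemonics (written mov|lea|xor on the slide) acts as a wildcard."""
    return [{t for t in row if t != GAP} for row in rows if set(row) != {GAP}]

def signature_score(sig: Sequence, sample: List[str]) -> int:
    """Alignment score of a sample against a signature (a wildcard set matches any member)."""
    return global_align(sig, sample,
                        lambda s, t: (t in s) if isinstance(s, set) else s == t)[0]

def threshold(benign_scores: Sequence[float], malware_scores: Sequence[float]) -> float:
    """Threshold = (Bmax + Mmin) / 2, valid only when it exceeds Bmax, i.e. when
    the benign and malware score ranges do not overlap."""
    b_max, m_min = max(benign_scores), min(malware_scores)
    t = (b_max + m_min) / 2
    if not t > b_max:
        raise ValueError(f"benign/malware scores overlap: Bmax={b_max}, Mmin={m_min}")
    return t

# Constructed inputs: the slide-10 MSA read back into per-instance sequences, and
# the aligned signature rows of slide 18 (MSA_ROWS) and slide 19 (SUBGROUP_ROWS).
FAMILY = {"M1": ["add", "mov", "jmp"],
          "M2": ["add", "push", "mov", "call", "jmp"],
          "M3": ["add", "push", "mov", "jmp", "mov"],
          "M4": ["push", "mov", "jz", "mov"],
          "M5": ["add", "push", "mov", "jmp", "mov"]}
MSA_ROWS = [["push", "push", "-", "-", "push"], ["-", "-", "jump", "jump", "jump"],
            ["mov", "mov", "-", "lea", "xor"], ["call"] * 5, ["push", "mov", "mov", "-", "mov"]]
SUBGROUP_ROWS = [["push", "push", "-", "-", "push"], ["jz", "jz", "jump", "jump", "jump"],
                 ["mov", "mov", "-", "lea", "xor"], ["call"] * 5, ["-", "mov", "mov", "-", "push"]]
TEST_SAMPLE = ["push", "jz", "lea", "call", "push"]    # Mt of slide 19

if __name__ == "__main__":
    print("SoP:", base_malware(FAMILY), "Nd(M1,M4):", normalized_distance(FAMILY["M1"], FAMILY["M4"]))
    single, group = msa_signature(MSA_ROWS), group_signature(SUBGROUP_ROWS)
    print(single, signature_score(single, TEST_SAMPLE), group, signature_score(group, TEST_SAMPLE))
```

The single signature scores the slide-19 test sample at 0 while the group signature scores it at 10, which is the point the Group Signature slide makes about preserving the mutation positions.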
Dataset [1/2]
Dataset Description:
Type       Source                      #Family   #instances
Synthetic  NGVCK, PSMPC, G2, MPCGEN    46        1051
Real       User Agencies, VxHeavens    52 + 1*   1209
Benign     System32, Cygwin etc.       1         150
* consists of unknown viruses (in test set).
The dataset is equally divided into a training and a testing set.
Dataset [2/2]
All samples are in Portable Executable (PE) format.
Samples are unpacked using:
a dynamic unpacker (EtherUnpack [7])
a signature-based unpacker (GUnPacker [10])
Malware families are created from the combined scan results of 14 antiviruses.
Benign samples are also scanned.
Result for Intra Family
[Bar chart: average intra-family distance (0 to 1) for NGVCK, PSMPC, G2 and MPCGEN, for Global, Local and Levenshtein distance]
Non-zero values indicate the presence of metamorphism in the synthetic data.
Levenshtein distance is high due to junk code insertion.
In spite of high global distances, local distances are low in most of the samples. This indicates the presence of similar regions in the code.
• Average distance is between 0 and 1
Result for Inter Family
[Bar chart: average inter-family distance (0 to 1) for NGVCK, PSMPC, G2, MPCGEN and VX HEAVENS, for Global, Local and Levenshtein distance]
Inter-family distance is less than intra-family distance. This indicates that most malware shares some base code.
Levenshtein distance is higher because of the change in functionality.
• Average distance is between 0 and 1
Comparative Analysis
VIRUS TYPE   Replacements/Alignment   Avg. SoD   OBFUSCATION
NGVCK        47                       1.03       Average, Simple
G2           3                        1.45       Low, Simple
MPCGEN       31                       0.61       Average, Simple
PSMPC        1                        1.35       Low, Weak
Vx-Heavens   122                      8.3        Large, Complex
Viruses generated using the tools belong to the same family.
Families of real malware are distinct.
In PSMPC, loop and jump instructions contribute to the obfuscation; this increases the distance between samples.
NGVCK viruses overlap with real malware (Savior).
• SoD – Sum of distances of a family with all other families
Detection Results
[Bar chart: TPR and FPR (evaluation metrics, 0 to 1) for the MSA Single and Group Signature]
95.5% of malware is detected with the MSA signature; detection with the Group signature is 72.4%.
53% of benign samples are falsely detected as malware with the MSA signature, because the mnemonics used for mutation in malware are lost from it.
The Group signature preserves the point of mutation, which is absent in benign samples.
MOMENTUM with Antiviruses
[Bar chart: detection rate (%) of MOMENTUM compared with the antiviruses]
MOMENTUM (group signature) is found to be comparable to the best antiviruses.
Out of 35 malware samples undetected by the antiviruses, MOMENTUM could detect 20.
Scope for Improvement
Instead of the same mismatch score for every pair, compute a weighted score for each pair of mnemonics using the frequency of mismatches.
In the alignment, the operand part can be considered to verify the actual changes (replacement/gap).
This can reveal the way the morpher preserves functionality.
List of Publications
[1] Vinod P., V. Laxmi, M. S. Gaur, Grijesh Chauhan, "Detecting Malicious Files using Non-Signature based Methods", (To appear) Oxford Computer Journal.
[2] Vinod P., V. Laxmi, M. S. Gaur, Grijesh Chauhan, "Malware Detection using Non-Signature based Method", In Proceedings of IEEE International Conference on Network Communication and Computer - ICNCC 2011, pp 427-43, DOI: 978-1-4244-9551-1/11.
References
[1] E. Karim, A. Walenstein, A. Lakhotia, "Malware Phylogeny using Permutation of Code", In Proceedings of EICAR 2005, pp 167-174.
[2] M. R. Chouchane and A. Lakhotia, "Using engine signature to detect metamorphic malware", In Proceedings of the 4th ACM Workshop on Recurring Malcode, WORM '06, 2006, pp 73-78.
[3] Mona Singh, "Multiple Sequence Alignment", Lecture Notes: www.cs.princeton.edu/~mona/Lecture/msa1.pdf (Last viewed on 14-6-2011)
[4] Mona Singh, "Phylogenetics", Lecture Notes: www.cs.princeton.edu/~mona/Lecture/msa1.pdf (Last viewed on 14-6-2011)
[5] T. Smith and M. Waterman, "Identification of Common Molecular Subsequences", Journal of Molecular Biology, pp 195-197, 1987.
[6] Mark Stamp, Wing Wong, "Hunting for metamorphic engines", Journal in Computer Virology, 2(3):211-229.
[7] Ether for Malware Unpacking: http://ether.gtisc.gatech.edu/malware.html (Last viewed on 14-6-2011)
[8] Jian Li, Jun Xu, Ming Xu, HengiLi Zhao, Ning Zheng, "Malware Obfuscation Measuring via Evolutionary Similarity", In Proceedings of IEEE Int. Conference on Future Information Network 2009.
[9] Larkin MA et al., "Clustal W and Clustal X version 2.0", Bioinformatics, 23, 2947-2948, 2007.
[10] GUnPacker: http://www.woodmann.com/collaborative/tools/index.php/GUnPacker (Last viewed on 14-6-2011)
Thanks!
Malaviya National Institute of Technology, Jaipur

Weitere ähnliche Inhalte

Was ist angesagt?

VoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers AwakenVoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers Awaken
Fatih Ozavci
 
Trojan Horse Presentation
Trojan Horse PresentationTrojan Horse Presentation
Trojan Horse Presentation
ikmal91
 

Was ist angesagt? (20)

Requirement for creating a Penetration Testing Lab
Requirement for creating a Penetration Testing LabRequirement for creating a Penetration Testing Lab
Requirement for creating a Penetration Testing Lab
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPS
 
Hacking presentation BASIC
Hacking presentation BASICHacking presentation BASIC
Hacking presentation BASIC
 
Network security (syed azam)
Network security (syed azam)Network security (syed azam)
Network security (syed azam)
 
Malware ppt final.pptx
Malware ppt final.pptxMalware ppt final.pptx
Malware ppt final.pptx
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissance
 
Network Forensics
Network ForensicsNetwork Forensics
Network Forensics
 
Intrusion Detection Presentation
Intrusion Detection PresentationIntrusion Detection Presentation
Intrusion Detection Presentation
 
Malware forensics
Malware forensicsMalware forensics
Malware forensics
 
What is malware
What is malwareWhat is malware
What is malware
 
Introduction to Cyber Security
Introduction to Cyber SecurityIntroduction to Cyber Security
Introduction to Cyber Security
 
Computer Worms
Computer WormsComputer Worms
Computer Worms
 
Malware
MalwareMalware
Malware
 
VoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers AwakenVoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers Awaken
 
Malware- Types, Detection and Future
Malware- Types, Detection and FutureMalware- Types, Detection and Future
Malware- Types, Detection and Future
 
Trojan Horse Presentation
Trojan Horse PresentationTrojan Horse Presentation
Trojan Horse Presentation
 
Firewall and Types of firewall
Firewall and Types of firewallFirewall and Types of firewall
Firewall and Types of firewall
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep Singh
 
Network security - Defense in Depth
Network security - Defense in DepthNetwork security - Defense in Depth
Network security - Defense in Depth
 
Hacking And Its Prevention
Hacking And Its PreventionHacking And Its Prevention
Hacking And Its Prevention
 

Ähnlich wie Metamorphic Malware Analysis and Detection

Ähnlich wie Metamorphic Malware Analysis and Detection (20)

IRJET - Survey on Malware Detection using Deep Learning Methods
IRJET -  	  Survey on Malware Detection using Deep Learning MethodsIRJET -  	  Survey on Malware Detection using Deep Learning Methods
IRJET - Survey on Malware Detection using Deep Learning Methods
 
IRJET- Intrusion Detection using IP Binding in Real Network
IRJET- Intrusion Detection using IP Binding in Real NetworkIRJET- Intrusion Detection using IP Binding in Real Network
IRJET- Intrusion Detection using IP Binding in Real Network
 
Exploiting Semantics-Based Plagiarism Detection Methods
Exploiting Semantics-Based Plagiarism Detection MethodsExploiting Semantics-Based Plagiarism Detection Methods
Exploiting Semantics-Based Plagiarism Detection Methods
 
Malwise-Malware Classification and Variant Extraction
Malwise-Malware Classification and Variant ExtractionMalwise-Malware Classification and Variant Extraction
Malwise-Malware Classification and Variant Extraction
 
A Fast Flowgraph Based Classification System for Packed and Polymorphic Malwa...
A Fast Flowgraph Based Classification System for Packed and Polymorphic Malwa...A Fast Flowgraph Based Classification System for Packed and Polymorphic Malwa...
A Fast Flowgraph Based Classification System for Packed and Polymorphic Malwa...
 
IRJET- Effective Technique Used for Malware Detection using Machine Learning
IRJET-  	  Effective Technique Used for Malware Detection using Machine LearningIRJET-  	  Effective Technique Used for Malware Detection using Machine Learning
IRJET- Effective Technique Used for Malware Detection using Machine Learning
 
PROVIDING CYBER SECURITY SOLUTION FOR MALWARE DETECTION USING SUPPORT VECTOR ...
PROVIDING CYBER SECURITY SOLUTION FOR MALWARE DETECTION USING SUPPORT VECTOR ...PROVIDING CYBER SECURITY SOLUTION FOR MALWARE DETECTION USING SUPPORT VECTOR ...
PROVIDING CYBER SECURITY SOLUTION FOR MALWARE DETECTION USING SUPPORT VECTOR ...
 
BOTNET DETECTION USING VARIOUS MACHINE LEARNING ALGORITHMS: A REVIEW
BOTNET DETECTION USING VARIOUS MACHINE LEARNING ALGORITHMS: A REVIEWBOTNET DETECTION USING VARIOUS MACHINE LEARNING ALGORITHMS: A REVIEW
BOTNET DETECTION USING VARIOUS MACHINE LEARNING ALGORITHMS: A REVIEW
 
2014 IEEE DOTNET PARALLEL DISTRIBUTED PROJECT A system-for-denial-of-service-...
2014 IEEE DOTNET PARALLEL DISTRIBUTED PROJECT A system-for-denial-of-service-...2014 IEEE DOTNET PARALLEL DISTRIBUTED PROJECT A system-for-denial-of-service-...
2014 IEEE DOTNET PARALLEL DISTRIBUTED PROJECT A system-for-denial-of-service-...
 
IEEE 2014 DOTNET PARALLEL DISTRIBUTED PROJECTS A system-for-denial-of-service...
IEEE 2014 DOTNET PARALLEL DISTRIBUTED PROJECTS A system-for-denial-of-service...IEEE 2014 DOTNET PARALLEL DISTRIBUTED PROJECTS A system-for-denial-of-service...
IEEE 2014 DOTNET PARALLEL DISTRIBUTED PROJECTS A system-for-denial-of-service...
 
Machine learning in computer security
Machine learning in computer securityMachine learning in computer security
Machine learning in computer security
 
Presentation1.pptx
Presentation1.pptxPresentation1.pptx
Presentation1.pptx
 
proposal
proposalproposal
proposal
 
INTELLIGENT MALWARE DETECTION USING EXTREME LEARNING MACHINE
INTELLIGENT MALWARE DETECTION USING EXTREME LEARNING MACHINEINTELLIGENT MALWARE DETECTION USING EXTREME LEARNING MACHINE
INTELLIGENT MALWARE DETECTION USING EXTREME LEARNING MACHINE
 
a system for denial-of-service attack detection based on multivariate correla...
a system for denial-of-service attack detection based on multivariate correla...a system for denial-of-service attack detection based on multivariate correla...
a system for denial-of-service attack detection based on multivariate correla...
 
Malware Detection Using Data Mining Techniques
Malware Detection Using Data Mining Techniques Malware Detection Using Data Mining Techniques
Malware Detection Using Data Mining Techniques
 
spamzombieppt
spamzombiepptspamzombieppt
spamzombieppt
 
IRJET - A Review on Replay Spoof Detection in Automatic Speaker Verificat...
IRJET -  	  A Review on Replay Spoof Detection in Automatic Speaker Verificat...IRJET -  	  A Review on Replay Spoof Detection in Automatic Speaker Verificat...
IRJET - A Review on Replay Spoof Detection in Automatic Speaker Verificat...
 
IRJET - Cognitive based Emotion Analysis of a Child Reading a Book
IRJET -  	  Cognitive based Emotion Analysis of a Child Reading a BookIRJET -  	  Cognitive based Emotion Analysis of a Child Reading a Book
IRJET - Cognitive based Emotion Analysis of a Child Reading a Book
 
Software defect estimation using machine learning algorithms
Software defect estimation using machine learning algorithmsSoftware defect estimation using machine learning algorithms
Software defect estimation using machine learning algorithms
 

Kürzlich hochgeladen

The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
heathfieldcps1
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
ZurliaSoop
 

Kürzlich hochgeladen (20)

Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - English
 
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptxCOMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdfUnit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
 
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptxExploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdf
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 
REMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptxREMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptx
 
FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024
 
Plant propagation: Sexual and Asexual propapagation.pptx
Plant propagation: Sexual and Asexual propapagation.pptxPlant propagation: Sexual and Asexual propapagation.pptx
Plant propagation: Sexual and Asexual propapagation.pptx
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptxOn_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POS
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
 

Metamorphic Malware Analysis and Detection

  • 1. Bioinformatics Techniques for Metamorphic Malware Analysis and Detection Malaviya National Institute of Technology, Jaipur and Detection Supervisors: Dr. M. S. Gaur Dr. V. Laxmi By: Grijesh Chauhan (2009PCP116)
  • 2. Outline Malware & Metamorphic malware Motivation Objective Bioinformatics TechniquesBioinformatics Techniques MOMENTUM Dataset Result & Analysis References Malaviya National Institute of Technology, Jaipur
  • 3. Malware Malware are software with intentions to infect and replicate. Threats Loss of data Malaviya National Institute of Technology, Jaipur Loss of data Degrades computer system performance Identity threat Two broad categories Metamorphic: Virus body changes on each replication Polymorphic: Encrypts malicious payload to avoid detection
  • 4. Metamorphic Malware[1/2] Metamorphic malware have similar functionality, different structure and signature. Malaviya National Institute of Technology, Jaipur Similar to genetic diversity in Biology. Variant -1 Variant -2 Variant -3 Metamorphic Engine Diagram depicts metamorphic malware variants with reordered code
  • 5. Metamorphic Malware[1/2] Metamorphic Malware automatically re-codes itself each time it propagates or is distributed. Conventional signature based scanners are ineffective for detecting variants of same malware. Malaviya National Institute of Technology, Jaipur Sophisticated signature(s) are required to detect metamorphic variants of malware.
  • 6. Motivation Variants of metamorphic malware are generated using a small embedded metamorphic engine to defeat detection [2]. Limited number of instructions are used to generate Malaviya National Institute of Technology, Jaipur variants so as to preserve functionality. Metamorphic malware like DNA/ protein sequences mutate from generation to generation, they inherit functionality and some structural similarity with ancestral malware.
  • 7. Objective To devise a method for detection of metamorphic malware and its variants. To extract the abstract signature(s) using Bioinformatics sequence alignment Malaviya National Institute of Technology, Jaipur base code is preserved in different generations, obfuscated using junk code or equivalent instructions etc. To identify unseen malware samples using best representative signatures (group/single) of a family.
  • 8. Sequence Alignment [1/2] Sequence alignment is a way of arranging DNA/Protein sequences to identify regions of similarity to infer functional, structural or evolutionary relationship. Malaviya National Institute of Technology, Jaipur Alignment Methods Global Alignment - align sequences end to end. Local Alignment - align substring of one sequence with substring of other. Multiple Sequence Alignment (MSA) - align more than two sequences.
  • 9. Sequence Alignment [2/2] Global alignment L G P S S K Q T G K G S - S R I D N L N - I T K S A G K G A I M R L D A Local alignment Malaviya National Institute of Technology, Jaipur Local alignment - - - - - - T G - G - - - - - - - - - - - - - A G K G - - - - - - - Alignment Parameter Match Mismatch Gap Point of Mutation
  • 10. Multiple Sequence Alignment MSA is extension of pairwise alignment for more than two sequences. It is used to identify conserved regions across a group of sequences. Malaviya National Institute of Technology, Jaipur M1 M2 M3 M4 M5 add add add - add - push push push push Mov mov mov mov mov - call jmp jz jmp jmp jmp mov mov mov • Mi – ith Malware instance
  • 11. Implementation of MSA MSA is implemented using Progressive technique (ClustalW[9]) Progressive MSA follows three steps: Determine similarity between each pair by pairwise Malaviya National Institute of Technology, Jaipur Determine similarity between each pair by pairwise alignment. Construct a guided tree (Phylogenetic tree) to represent evolutionary relationship. MSA is build by aligning closely related groups to most distant group according to guided tree.
  • 12. Phylogenetic Tree Phylogenetic Tree depict evolutionary relationship among the sequences. To form groups of similar viruses Malaviya National Institute of Technology, Jaipur viruses Guides MSA progressively to align closer groups first A B D F E ( (E,(A,B)), (D,F) )
  • 13. Similarity Measurement Alignment Score : Is the sum of score specified for each aligned pair of mnemonics. Higher the score more similar the sequences. Distance (d) : Calculated using following formulas Malaviya National Institute of Technology, Jaipur formulas Higher the distance more dissimilar the sequences )#(# # matchmismatch mismatch Nd + = )##(# gapmatchmismatchLd ++= • Nd is Normalized distance, Ld is Levenshtein distance
  • 14. Identification of Base Malware Base malware in a family is most similar to rest all with highest sum of score using pairwise alignment (SoP[3]). M1 M2 M3 M4 SoPM2 Malaviya National Institute of Technology, Jaipur M1 - 7 -2 1 6 M2 7 - -3 0 4 M3 -2 -3 - 1 -4 M4 1 0 1 - 2 is Base Malware Score Matrix M1 M3 M4 M2 M1 • Mi – ith Malware instance
  • 15. Implementation Method MetamOrphic Malware ExploratioN Technique Using MSA (MOMENTUM) demonstrate the applicability of Bioinformatics Techniques for metamorphic malware analysis and detection. Malaviya National Institute of Technology, Jaipur Two phase of MOMENTUN are: Analysis of Metamorphism in Tools/Real Malware Signature Modelling and Testing
  • 16. MOMENTUM [1/2] Metamorphic Families (Virus Tools and Real Malware) Intra-Family pair-wise Alignment Malaviya National Institute of Technology, Jaipur Distance Matrix Base file Alignments of two files Metamorphic? Inter-Family pair-wise Alignment Families Overlap ? Obfuscation ? • Flow diagram for metamorphism analysis
  • 17. MOMENTUM [2/2] Training Set Testing Set Divide data set in two parts Malaviya National Institute of Technology, Jaipur Extract Group Signature Testing with single and group signatures Single Signature Scan Logs Threshold Threshold • Diagram depicts Signature Modelling and Testing
  • 18. MSA Signature MSA signature (single signature) is a sequence of preserved mnemonics in alignment. M1 M2 M3 M4 M5 MSA Sign push push - - push push Mt push Malaviya National Institute of Technology, Jaipur Mnemonic that appears more than 50% in a row is included in MSA signature. - - jump jump jump jump mov mov - lea xor call call call call call call push mov mov - mov mov • Mi – ith Malware instance and Mt – Test Sample jump lea call push
  • 19. Group Signature Group signature is extracted from single signature for each subgroup. Sub groups are formed using evolutionary relationship. Single signature is extracted for each subgroup and combined in the form of wildcard. Malaviya National Institute of Technology, Jaipur combined in the form of wildcard. DiagramSign1 Sign2 Sign3 Sign4 Sign5 Group Sign push push - - push push jz jz jump jump jump jump|jz mov mov - lea xor mov|lea|xor call call call call call call - mov mov - push mov|push • Signi – Signature for ith sub-group in a family Mt push jz lea call push
  • 20. Threshold Sign 0 B B M M Score . . . . . . Benign Malware Malaviya National Institute of Technology, Jaipur Threshold 0 Bmin Bmax Mmin Mmax Score Where: Bmin Benign with minimum score Bmax Benign with maximum score Mmin Malware with minimum score Mmax Malware with maximum score Threshold (Bmax + Mmin) /2 , ( Threshold > Bmax )
• 21. Dataset [1/2]
Dataset description:

  Type       Source                     #Family   #Instances
  Synthetic  NGVCK, PSMPC, G2, MPCGEN   46        1051
  Real       User agencies, VxHeavens   52 + 1*   1209
  Benign     System32, Cygwin etc.      1         150

* consists of unknown viruses (in the test set).
The dataset is equally divided into training and testing sets.
• 22. Dataset [2/2]
All samples are in Portable Executable (PE) format.
Samples are unpacked using:
- Dynamic unpacker (EtherUnpack [7])
- Signature-based unpacker (GUNPacker [10])
Malware families are created from the combined scan results of 14 antiviruses. Benign samples are also scanned.
• 23. Result for Intra Family
[Bar chart: average distance (between 0 and 1) for Global, Local and Levenshtein distances per family: NGVCK, PSMPC, G2, MPCGEN.]
- Non-zero values indicate the presence of metamorphism in synthetic data.
- Levenshtein distance is high due to junk code insertion.
- In spite of high values of global distance, local distances are low in most of the samples. This indicates the presence of similar regions in code.
• 24. Result for Inter Family
[Bar chart: average distance (between 0 and 1) for Global, Local and Levenshtein distances per family: NGVCK, PSMPC, G2, MPCGEN, VX Heavens.]
- Distance is less than the intra-family distance. This indicates most of the malware share some base code.
- Levenshtein distance is higher because of change in functionality.
• 25. Comparative Analysis

  Virus type   Replacements/Alignment   Avg. SoD   Obfuscation
  NGVCK        47                       1.03       Average, Simple
  G2           3                        1.45       Low, Simple
  MPCGEN       31                       0.61       Average, Simple
  PSMPC        1                        1.35       Low, Weak
  Vx-Heavens   122                      8.3        Large, Complex

- Viruses generated using tools belong to the same family. Families of real malware are distinct.
- In PSMPC, loop and jump instructions contribute to obfuscation; this increases the distance between samples.
- NGVCK viruses overlap with real malware (Savior).
SoD: sum of distances of a family with all other families.
• 26. Detection Results
[Bar chart: evaluation metrics TPR and FPR (0 to 1) for the MSA single signature and the group signature.]
- 95.5% of malware is detected with the MSA signature; detection with the group signature is 72.4%.
- 53% of benign samples are falsely detected as malware with the MSA signature, due to the loss of the mnemonics used for mutation in malware. The group signature preserves the point of mutation, which is absent in benign samples.
• 27. MOMENTUM with Antiviruses
[Bar chart: detection rate (0 to 90%) of MOMENTUM compared with antiviruses.]
- MOMENTUM (group signature) is found to be comparable to the best antiviruses.
- Out of 35 malware samples undetected by the antiviruses, MOMENTUM could detect 20.
• 28. Scope for Improvement
- Instead of the same mismatch score, compute a weighted score for each pair of mnemonics using the frequency of mismatches.
- In the alignment, the operand part can be considered to verify actual changes (replacement/gap). This can reveal how the morpher preserves functionality.
• 29. List of Publications
[1] Vinod P., V. Laxmi, M. S. Gaur, Grijesh Chauhan, "Detecting Malicious Files using Non-Signature based Methods", (To appear) Oxford Computer Journal.
[2] Vinod P., V. Laxmi, M. S. Gaur, Grijesh Chauhan, "Malware Detection using Non-Signature based Method", In Proceedings of IEEE International Conference on Network Communication and Computer (ICNCC 2011), pp. 427-43, DOI: 978-1-4244-9551-1/11.
• 30. References
[1] E. Karim, A. Walenstein, A. Lakhotia, "Malware Phylogeny using Permutation of Code", In Proceedings of EICAR 2005, pp. 167-174.
[2] M. R. Chouchane and A. Lakhotia, "Using engine signature to detect metamorphic malware", In Proceedings of the 4th ACM Workshop on Recurring Malcode (WORM '06), 2006, pp. 73-78.
[3] Mona Singh, "Multiple Sequence Alignment", Lecture Notes: www.cs.princeton.edu/~mona/Lecture/msa1.pdf (Last viewed on 14-6-2011)
[4] Mona Singh, "Phylogenetics", Lecture Notes: www.cs.princeton.edu/~mona/Lecture/msa1.pdf (Last viewed on 14-6-2011)
[5] T. Smith and M. Waterman, "Identification of Common Molecular Subsequences", Journal of Molecular Biology, pp. 195-197, 1987.
[6] Mark Stamp, Wing Wong, "Hunting for metamorphic engines", Journal in Computer Virology, 2(3):211-229.
• 31. References
[7] Ether for Malware Unpacking: http://ether.gtisc.gatech.edu/malware.html (Last viewed on 14-6-2011)
[8] Jian Li, Jun Xu, Ming Xu, HengiLi Zhao, Ning Zheng, "Malware Obfuscation Measuring via Evolutionary Similarity", In Proceedings of IEEE Int. Conference on Future Information Network 2009.
[9] Larkin MA et al., "Clustal W and Clustal X version 2.0", Bioinformatics, 23, 2947-2948, 2007.
[10] GUnPacker: http://www.woodmann.com/collaborative/tools/index.php/GUnPacker (Last viewed on 14-6-2011)
• 32. Thanks!