Compression-based analysis of metamorphic malware.
Details
  • Author: Lee, Jared
  • Degree: Master
  • Year: 2014
  • Institution: San Jose State University
  • Department: Computer Science
  • ISBN: 9781321046564
  • CBH: 1560850
  • Country: USA
  • Language: English
  • FileSize: 1070403
  • Pages: 70
Abstract
Recent work has presented a technique based on structural entropy measurement as an effective way to detect metamorphic malware. The technique uses two steps, file segmentation and sequence comparison, to calculate file similarity. In previous work, it was observed that similar malware have similar measures of Kolmogorov complexity. A proposed method of estimating Kolmogorov complexity was to calculate the compression ratio of a given malware which could then be used to cluster the malicious software. Malware detection has also been attempted through the use of adaptive data compression and showed promising results. In this paper, we combine these concepts and propose using compression ratios as an alternative measure of entropy with the purpose of segmenting files according to their structural characteristics. We then compare the segment-based sequences of two given files to determine file similarity. The idea is that, even after malware is transformed using a metamorphic engine, the resulting variants still share identifiable structural similarities with the original. Using this proposed technique to identify metamorphic malware, we compare our results with previous work.
