Publication Date

Spring 2014

Degree Type

Thesis - Campus Access Only

Degree Name

Master of Science (MS)

Department

Computer Science

Advisor

Thomas Austin

Keywords

compression, detection, malware, metamorphic

Subject Areas

Computer science

Abstract

Recent work has presented a technique based on structural entropy measurement as an effective way to detect metamorphic malware. The technique uses two steps, file segmentation and sequence comparison, to calculate file similarity. In previous work, it was observed that similar malware samples have similar measures of Kolmogorov complexity. One proposed method of estimating Kolmogorov complexity was to calculate the compression ratio of a given malware sample, which could then be used to cluster the malicious software. Malware detection has also been attempted through the use of adaptive data compression, with promising results. In this paper, we combine these concepts and propose using compression ratios as an alternative measure of entropy for segmenting files according to their structural characteristics. We then compare the segment-based sequences of two given files to determine file similarity. The idea is that, even after malware is transformed using a metamorphic engine, the resulting variants still share identifiable structural similarities with the original. Using this proposed technique to identify metamorphic malware, we compare our results with previous work.
