Publication Date
Spring 2011
Degree Type
Master's Project
Degree Name
Master of Science (MS)
Department
Computer Science
First Advisor
Mark Stamp
Second Advisor
Chris Pollett
Third Advisor
Soon Tee Teoh
Keywords
HMM, edit distance, sequence alignment, Metamorphic Virus Detection
Abstract
A metamorphic computer virus generates copies of itself using code morphing techniques. A new virus has the same functionality as the parent, but it has a different internal structure. The goal of the metamorphic virus writer is to produce viral copies that have no common signature. If the viral copies are sufficiently different, they can evade signature detection, which is the most widely used anti-virus technique.
In previous research, hidden Markov models (HMMs) have been used to detect some metamorphic viruses. However, recent research has shown that it is possible for carefully designed metamorphic viruses to evade HMM-based detection.
In this project, we analyze similarity-based techniques for detecting metamorphic viruses. We first consider a similarity index technique that was previously studied. We then consider new similarity techniques based on edit distance and pairwise sequence alignment. We test these similarity measures on the challenging problem of metamorphic virus detection. We compare our detection results with those obtained using an HMM-based detection method.
Recommended Citation
Patel, Mahim, "Similarity Tests for Metamorphic Virus Detection" (2011). Master's Projects. 175.
DOI: https://doi.org/10.31979/etd.6j9f-9drn
https://scholarworks.sjsu.edu/etd_projects/175