Metamorphic malware detection using opcode frequency rate and decision tree

Peyman Khodamoradi, Farhad Mardukhi, Masoud Nosrati, Mohammad Mahdi Dehshibi

Research output: Contribution to journal › Article › peer-review

7 Citations (Scopus)

Abstract

Malware is defined as any type of malicious code with the potential to harm a computer or a network. Modern malware is equipped with mutation characteristics, namely polymorphism and metamorphism, which let it generate an enormous number of variants. The rising number of metamorphic malware samples makes analysing them for signature extraction and database updates difficult. Despite the broad use of signature-based methods in security products, they are not able to detect new, unseen morphs of a malware, because the structure of the malware, and with it the signature, changes in each infection. In this paper, a novel method is proposed in which the proportion of opcodes is used for detecting new morphs. Decision trees are used to classify and detect malware variants based on the rate of opcode frequencies. The proposed method is evaluated on three metrics: speed, efficiency and accuracy. It was observed in the course of the experiments that speed and time complexity are not challenging factors, because extracting opcode frequencies from the source assembly file is fast. Empirical validation shows that the proposed method outperforms all of the commercial antivirus programs it was compared against, with a high level of efficiency and accuracy.
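The pipeline the abstract describes, opcode frequency rates extracted from a textual assembly listing and fed to a decision tree, is small enough to reconstruct end to end. The block below is an added example written for this page, not the paper's code or data: the six training listings, the two held-out listings, their labels, the `PREFIXES` set and every function name are constructed for illustration, and the metamorphic variants are modelled only by junk `nop` insertion and `jmp`-to-next-instruction, one of several transformations a real engine applies. The tree learner is a plain exhaustive Gini split search (a CART-style tree), since the abstract does not name a specific induction algorithm.

```python
"""Opcode frequency rate + decision tree for detecting metamorphic variants.
Added example, not the paper's code; all listings are constructed toy data."""
from collections import Counter

PREFIXES = {"rep", "repe", "repne", "repz", "repnz", "lock"}  # assumption: treat as prefixes

def opcode_rates(listing):
    """Map each opcode to its frequency rate (count / total opcodes) in a listing
    with one instruction per line. Blank lines, labels ('loc_1:'), directives
    ('.text') and ';' comments are ignored; an empty listing yields {}."""
    counts = Counter()
    for raw in listing.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.endswith(":") or line.startswith("."):
            continue
        tokens = line.split()
        op = tokens[0].lower()
        if op in PREFIXES and len(tokens) > 1:  # 'rep movsb' counts as movsb
            op = tokens[1].lower()
        counts[op] += 1
    total = sum(counts.values())
    return {op: n / total for op, n in counts.items()} if total else {}

def gini(labels):
    if not labels:
        return 0.0
    p = sum(labels) / len(labels)
    return 1.0 - p * p - (1.0 - p) * (1.0 - p)

def best_split(X, y, features):
    """Exhaustive search over (feature, threshold) minimising weighted Gini."""
    best_f, best_t, best_g = None, None, float("inf")
    for f in features:
        values = sorted({x.get(f, 0.0) for x in X})
        for lo, hi in zip(values, values[1:]):
            thr = (lo + hi) / 2
            left = [lab for x, lab in zip(X, y) if x.get(f, 0.0) <= thr]
            right = [lab for x, lab in zip(X, y) if x.get(f, 0.0) > thr]
            g = (len(left) * gini(left) + len(right) * gini(right)) / len(y)
            if g < best_g:
                best_f, best_t, best_g = f, thr, g
    return best_f, best_t

def build_tree(X, y, features, depth=0, max_depth=3):
    """Recursive CART-style tree; leaf label is the majority class (1 = malware)."""
    majority = 1 if 2 * sum(y) >= len(y) else 0
    if gini(y) == 0.0 or depth == max_depth:
        return {"label": majority}
    f, thr = best_split(X, y, features)
    if f is None:
        return {"label": majority}
    li = [i for i, x in enumerate(X) if x.get(f, 0.0) <= thr]
    ri = [i for i, x in enumerate(X) if x.get(f, 0.0) > thr]
    return {"feature": f, "threshold": thr,
            "left": build_tree([X[i] for i in li], [y[i] for i in li], features, depth + 1, max_depth),
            "right": build_tree([X[i] for i in ri], [y[i] for i in ri], features, depth + 1, max_depth)}

def train(samples):
    X = [opcode_rates(listing) for listing, _ in samples]
    y = [label for _, label in samples]
    features = sorted(set().union(*X))  # opcodes unseen in training are ignored at test time
    return build_tree(X, y, features)

def predict(tree, listing):
    rates = opcode_rates(listing)
    node = tree
    while "label" not in node:
        node = node["left"] if rates.get(node["feature"], 0.0) <= node["threshold"] else node["right"]
    return node["label"]

def accuracy(tree, samples):
    return sum(predict(tree, l) == lab for l, lab in samples) / len(samples)

# Constructed listings (not real samples): label 0 = benign, 1 = metamorphic variant
TRAIN = [
    ("push ebp\nmov ebp, esp\nsub esp, 0x10\nmov eax, [ebp+8]\nadd eax, 1\n"
     "mov [ebp-4], eax\njmp short loc_1\nloc_1:\ncall sub_401000\nleave\nret", 0),
    ("push ebp\nmov ebp, esp\nmov eax, [ebp+8]\ncmp eax, 0\njne loc_2\n"
     "mov ecx, [ebp+12]\nxor edx, edx ; clear\ncall sub_401020\nloc_2:\npop ebp\nret", 0),
    ("mov eax, [esp+4]\nmov ecx, [esp+8]\nlea edx, [eax+ecx*4]\ncall sub_401040\n"
     "test eax, eax\njz loc_3\nmov [esi], eax\nadd esi, 4\nloc_3:\npop ebx\nret", 0),
    ("push ebp\nnop\nmov ebp, esp\nnop\njmp loc_m1\nloc_m1:\n"
     "mov eax, [ebp+8]\nsub esp, 0x10\ncall sub_402000\nnop\nret", 1),
    ("mov ebp, esp\nnop\nmov eax, [ebp+8]\njmp loc_m2\nloc_m2:\nnop\n"
     "add eax, 1\nxor edx, edx\ncall sub_402020\nnop\nret", 1),
    ("push ebp\nmov ebp, esp\nnop\njmp loc_m3\nloc_m3:\nnop\n"
     "mov eax, [ebp+8]\ncmp eax, 0\nmov ecx, eax\ncall sub_402040\nret", 1),
]
HELD_OUT = [  # constructed "unseen morph" and an unseen benign routine
    ("push ebp\nnop\nmov ebp, esp\nmov eax, [ebp+8]\nnop\njmp loc_m4\nloc_m4:\n"
     "add eax, 1\nnop\ncall sub_402060\nret\nnop", 1),
    ("push ebx\nmov ebx, [esp+8]\nlea eax, [ebx+4]\ncall sub_401060\n"
     "test eax, eax\njz loc_4\nmov [ebx], eax\nloc_4:\npop ebx\nret", 0),
]

if __name__ == "__main__":
    tree = train(TRAIN)
    print("root split:", tree["feature"], "<=", tree["threshold"])
    for listing, label in HELD_OUT:
        print("expected", label, "predicted", predict(tree, listing))
```

On this toy data the learner picks the `nop` rate at the root because it is the only feature that separates the two classes perfectly; the `jmp` and `mov` rates come close but overlap, which is why the tree, not a single hand-tuned threshold, is the useful part. Feature extraction is a single pass over the listing, which is the reason the abstract reports speed as a non-issue; the caveat is that rates are computed over the whole file, so a variant that pads with many different junk opcodes rather than one would shift every rate at once and needs a larger and more varied training set than shown here.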

Original language: English
Pages (from-to): 67-86
Number of pages: 20
Journal: International Journal of Information Security and Privacy (IJISP)
Volume: 10
Issue number: 3
DOIs
Publication status: Published - 1 Jul 2016
Externally published: Yes

Keywords

  • Classification
  • Feature extraction
  • Metamorphic engine
  • Metamorphic malware
  • Obfuscation
