Association for Computing Machinery
Introducing program variations via metamorphic transformations is one of the methods used by malware authors in order to help their programs slip past defenses. A method is presented for rapidly deciding whether or not an input program is likely to be a variant of a given metamorphic program. The method is defined for the prominent class of metamorphic engines that work by probabilistically selecting instruction-substituting program transformations. A model of the probabilistic engine is used to predict the expected distribution of instruction forms for different generations of variants. These predicted distributions form a type of "statistical signature" for the output of the metamorphic engines.
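The following sketch illustrates the detection idea from the defender's side; it is an added example, not the paper's model or code. It assumes one-for-one substitution between instruction forms, and the form names, the matrix `T`, `SEED`, the threshold and the use of total variation distance are all constructed for illustration.

```python
# Added illustration: forms, probabilities and threshold are constructed,
# not taken from the paper or from any real metamorphic engine.
FORMS = ["mov r,imm", "push imm; pop r", "xor r,r", "sub r,r"]

# T[i][j]: assumed probability that one generation rewrites form i into form j.
T = [
    [0.7, 0.3, 0.0, 0.0],
    [0.2, 0.8, 0.0, 0.0],
    [0.0, 0.0, 0.6, 0.4],
    [0.0, 0.0, 0.5, 0.5],
]
SEED = [0.5, 0.0, 0.5, 0.0]  # assumed form distribution of the original program

def step(dist, matrix):
    """Advance the expected form distribution by one engine generation."""
    n = len(dist)
    return [sum(dist[i] * matrix[i][j] for i in range(n)) for j in range(n)]

def predicted(seed, matrix, generations):
    """Expected distributions for generations 0..generations (the signature)."""
    out = [list(seed)]
    for _ in range(generations):
        out.append(step(out[-1], matrix))
    return out

def normalize(counts):
    """Turn per-form instruction counts from a sample into a distribution."""
    total = sum(counts)
    if total == 0:
        raise ValueError("no instructions of the modelled forms observed")
    return [c / total for c in counts]

def tv_distance(p, q):
    """Total variation distance between two distributions (0 = identical)."""
    return 0.5 * sum(abs(a - b) for a, b in zip(p, q))

def classify(counts, seed, matrix, generations=8, threshold=0.05):
    """Return (is_likely_variant, closest_generation, distance)."""
    observed = normalize(counts)
    dists = [tv_distance(observed, d) for d in predicted(seed, matrix, generations)]
    best = min(range(len(dists)), key=dists.__getitem__)
    return dists[best] <= threshold, best, dists[best]

if __name__ == "__main__":
    # Constructed sample counts, one entry per form in FORMS.
    print(classify([275, 225, 280, 220], SEED, T))
    print(classify([10, 0, 0, 990], SEED, T))
```

An engine that expands one instruction into several changes the total instruction count, which this one-for-one model does not capture.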