Statistical Signatures for Fast Filtering of Instruction-Substituting Metamorphic Malware

Provided by: Association for Computing Machinery
Topic: Security
Format: PDF
Introducing program variations via metamorphic transformations is one of the methods used by malware authors in order to help their programs slip past defenses. A method is presented for rapidly deciding whether or not an input program is likely to be a variant of a given metamorphic program. The method is defined for the prominent class of metamorphic engines that work by probabilistically selecting instruction-substituting program transformations. A model of the probabilistic engine is used to predict the expected distribution of instruction forms for different generations of variants. These predicted distributions form a type of "statistical signature" for the output of the metamorphic engines.
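The filtering idea in the abstract, sketched as an added example that is not code from the paper: the engine is modelled as a per-generation transition matrix over instruction forms, the predicted distributions for each generation form the signature, and an input program's observed form histogram is compared against them. The form names, probabilities, distance measure (total variation) and threshold are all constructed assumptions.

```python
# Added illustration; forms, probabilities and threshold are constructed assumptions.
FORMS = ["zero_mov", "zero_xor", "zero_sub"]  # hypothetical equivalent instruction forms

# P[i][j]: assumed probability that the engine rewrites form i into form j
# in one generation (each row sums to 1).
P = [[0.6, 0.3, 0.1],
     [0.0, 0.8, 0.2],
     [0.0, 0.2, 0.8]]
SEED = [1.0, 0.0, 0.0]  # form distribution of the known generation-0 sample


def step(dist, matrix):
    """Expected form distribution after one more generation (dist x matrix)."""
    n = len(dist)
    return [sum(dist[i] * matrix[i][j] for i in range(n)) for j in range(n)]


def signature(seed, matrix, generations):
    """Predicted distributions for generations 1..generations."""
    sig, dist = [], list(seed)
    for _ in range(generations):
        dist = step(dist, matrix)
        sig.append(dist)
    return sig


def best_match(counts, sig):
    """Return (generation, total-variation distance) of the closest prediction."""
    total = sum(counts.get(f, 0) for f in FORMS)
    if total == 0:  # no modelled forms observed: nothing to compare
        return None, 1.0
    obs = [counts.get(f, 0) / total for f in FORMS]
    dists = [0.5 * sum(abs(o - e) for o, e in zip(obs, pred)) for pred in sig]
    g = min(range(len(dists)), key=dists.__getitem__)
    return g + 1, dists[g]


def likely_variant(counts, sig, threshold=0.05):
    """Fast filter: pass the program on to deeper analysis only if it matches."""
    gen, dist = best_match(counts, sig)
    return gen is not None and dist <= threshold


if __name__ == "__main__":
    sig = signature(SEED, P, 5)
    sample = {"zero_mov": 36, "zero_xor": 44, "zero_sub": 20}  # constructed counts
    print(best_match(sample, sig), likely_variant(sample, sig))
```

A match only says the form distribution is consistent with some predicted generation, so in this sketch the filter's role is to discard clear non-matches cheaply before a more expensive check.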
