PRACTICAL DETECTION OF METAMORPHIC COMPUTER VIRUSES

By Sharmidha Govindaraj

A metamorphic computer virus employs code obfuscation techniques to mutate itself. Such viruses avoid signature-based detection by modifying their internal structure without compromising their original functionality. However, it has been demonstrated that machine learning techniques, such as hidden Markov models (HMMs), can detect metamorphic viruses with a very high probability. An HMM can be trained to distinguish the statistical properties of a family of metamorphic viruses, and the trained HMM can then be used to detect viruses of the same metamorphic family.

Previous HMM-based detection techniques have relied on opcode sequences, which are obtained by disassembling the binary (executable) code. Such an approach is impractical, since the disassembly process is slow and must be applied to each file when scanning for viruses. In this paper, we develop a practical HMM-based metamorphic virus detector. We efficiently parse a Windows PE file and generate an approximate opcode sequence, which is then scored against the HMM.
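
The scoring step described in the abstract can be sketched as follows. This is an added example, not code from the paper: it scores an already extracted opcode sequence against an HMM with the scaled forward algorithm and normalises by sequence length. The opcode alphabet, the two-state model parameters, the threshold and the sample sequences are all constructed for illustration; a real detector would use parameters trained on one virus family.

```python
import math

def log_likelihood_per_opcode(obs, pi, trans, emit):
    """Scaled forward algorithm: log P(obs | model) divided by len(obs)."""
    if not obs:
        raise ValueError("empty opcode sequence")
    n = len(pi)
    alpha = [pi[i] * emit[i][obs[0]] for i in range(n)]
    log_prob = 0.0
    for t in range(len(obs)):
        if t > 0:  # propagate through transitions, then weight by emission
            alpha = [sum(alpha[i] * trans[i][j] for i in range(n)) * emit[j][obs[t]]
                     for j in range(n)]
        scale = sum(alpha)
        if scale == 0.0:
            return float("-inf")  # sequence is impossible under this model
        alpha = [a / scale for a in alpha]  # rescale so long files do not underflow
        log_prob += math.log(scale)
    return log_prob / len(obs)

# Constructed alphabet: rare opcodes collapse into "other", so every input
# symbol has a non-zero emission probability.
ALPHABET = ["mov", "push", "call", "add", "jmp", "other"]
INDEX = {op: i for i, op in enumerate(ALPHABET)}

# Constructed (not trained) 2-state model; each row sums to 1.
PI = [0.6, 0.4]
TRANS = [[0.7, 0.3], [0.4, 0.6]]
EMIT = [[0.40, 0.30, 0.10, 0.10, 0.05, 0.05],
        [0.05, 0.05, 0.20, 0.30, 0.30, 0.10]]

def encode(opcodes):
    """Map opcode mnemonics to symbol indices, unknown ones to "other"."""
    return [INDEX.get(op, INDEX["other"]) for op in opcodes]

def score(opcodes):
    return log_likelihood_per_opcode(encode(opcodes), PI, TRANS, EMIT)

def is_family_member(opcodes, threshold):
    """Flag a file whose score is at or above the (assumed) threshold."""
    return score(opcodes) >= threshold

if __name__ == "__main__":
    # Constructed sample sequences, not taken from real binaries.
    family_like = ["mov", "push", "mov", "push", "call", "add", "jmp", "add"]
    unrelated = ["xor", "nop", "xor", "nop", "lea", "nop", "xor", "lea"]
    for name, seq in (("family_like", family_like), ("unrelated", unrelated)):
        print(name, round(score(seq), 3), is_family_member(seq, -2.0))
```

Normalising by length keeps scores comparable between small and large files, so a single threshold can be chosen from scores of known family members and known benign files.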