
    A Comparison of Clustering Techniques for Malware Analysis

    In this research, we apply clustering techniques to the malware detection problem. Our goal is to classify malware as part of a fully automated detection strategy. We compute clusters using the well-known K-means and EM clustering algorithms, with scores obtained from Hidden Markov Models (HMM). The previous work in this area consists of using HMM and K-means clustering technique to achieve the same. The current effort aims to extend it to use EM clustering technique for detection and also compare this technique with the K-means clustering.

    Metamorphic Code Generation from LLVM IR Bytecode

    Metamorphic software changes its internal structure across generations with its functionality remaining unchanged. Metamorphism has been employed by malware writers as a means of evading signature detection and other advanced detection strategies. However, code morphing also has potential security benefits, since it increases the “genetic diversity” of software. In this research, we have created a metamorphic code generator within the LLVM compiler framework. LLVM is a three-phase compiler that supports multiple source languages and target architectures. It uses a common intermediate representation (IR) bytecode in its optimizer. Consequently, any supported high-level programming language can be transformed to this IR bytecode as part of the LLVM compilation process. Our metamorphic generator functions at the IR bytecode level, which provides many advantages over previously developed metamorphic generators. The morphing techniques that we employ include dead code insertion—where the dead code is actually executed within the morphed code—and subroutine permutation. We have tested the effectiveness of our code morphing using hidden Markov model analysis.

    Geometry-based Detection of Flash Worms

    While it takes traditional internet worms hours to infect all the vulnerable hosts on the Internet, a flash worm takes seconds. Because of the rapid rate with which flash worms spread, the existing worm defense mechanisms cannot respond fast enough to detect and stop the flash worm infections. In this project, we propose a geometric-based detection mechanism that can detect the spread of flash worms in a short period of time. We tested the mechanism on various simulated flash worm traffics consisting of more than 10,000 nodes. In addition to testing on flash worm traffics, we also tested the mechanism on non-flash worm traffics to see if our detection mechanism produces false alarms. In order to efficiently analyze bulks of various network traffics, we implemented an application that can be used to convert the network traffic data into graphical notations. Using the application, the analysis can be done graphically as it displays the large amount of network relationships as tree structures.

    A Tiered Approach to Detect Metamorphic Malware With Hidden Markov Models

    Work on the use of hidden Markov models (HMM) to detect viruses has been carried out previously with good results [2], but metamorphic viruses like MetaPHOR [27] and metamorphic worms like MWOR [3] have proven to be able to evade detection techniques based on HMMs. The dueling HMM approach looks to detect such viruses by training an HMM model for each of the metamorphic virus / worm families. The tests and the results from these have shown that this approach has been able to detect the metamorphic MetaPHOR virus with reasonable accuracy but with significantly more overhead. This paper presents a tiered approach that improves on this by achieving the same results as the dueling approach but with significant performance improvement in terms of time. Essentially, the idea is to eliminate most putative malware with the threshold approach, reserving the dueling HMM analysis for more difficult cases. We achieve accurate results with significantly less performance overhead than the dueling HMM strategy. Furthermore, our approach successfully detects MWOR worms with a high degree of accuracy.

    Security Services by ISPs, Real Value or Waste of Money?


    Function Call Graph Score for Malware Detection

    Metamorphic malware changes its internal structure with each infection, while maintaining its core functionality. Detecting such malware is a challenging research problem. Function call graph analysis has previously shown promise in detecting such malware. In this research, we analyze the robustness of a function call graph score with respect to various code morphing strategies. We also consider modifications of the score that make it more robust in the face of such morphing.

    ‘Viral’ hunts? A cultural Darwinian analysis of witch persecutions

    The theory of Darwinian cultural evolution is gaining currency in many parts of the socio-cultural sciences, but it remains contentious. Critics claim that the theory is either fundamentally mistaken or boils down to a fancy re-description of things we knew all along. We will argue that cultural Darwinism can indeed resolve long-standing socio-cultural puzzles; this is demonstrated through a cultural Darwinian analysis of the European witch persecutions. Two central and unresolved questions concerning witch-hunts will be addressed. From the fifteenth to the seventeenth centuries, a remarkable and highly specific concept of witchcraft was taking shape in Europe. The first question is: who constructed it? With hindsight, we can see that the concept contains many elements that appear to be intelligently designed to ensure the continuation of witch persecutions, such as the witches’ sabbat, the diabolical pact, nightly flight, and torture as a means of interrogation. The second question is: why did beliefs in witchcraft and witch-hunts persist and disseminate, despite the fact that, as many historians have concluded, no one appears to have substantially benefited from them? Historians have convincingly argued that witch-hunts were not inspired by some hidden agenda; persecutors genuinely believed in the threat of witchcraft to their communities. We propose that the apparent ‘design’ exhibited by concepts of witchcraft resulted from a Darwinian process of evolution, in which cultural variants that accidentally enhanced the reproduction of the witch-hunts were selected and accumulated. We argue that witch persecutions form a prime example of a ‘viral’ socio-cultural phenomenon that reproduces ‘selfishly’, even harming the interests of its human hosts.