1,482 research outputs found

    Eigenvalue Analysis for Metamorphic Detection

    Metamorphic viruses change their structure on each infection while maintaining their function. Although many detection techniques have been proposed, practical and effective metamorphic detection remains a difficult challenge. In this project, we analyze a novel method for detecting metamorphic viruses. Our approach was inspired by a well-known facial recognition technique that is based on eigenvalue analysis. We compute eigenvectors using opcode sequences extracted from a set of known metamorphic viruses. These eigenvectors can then be used to score a given executable file, based on its extracted opcode sequence. We perform extensive testing to determine the effectiveness of this scoring technique for classifying metamorphic malware. Our results show that this approach yields very good results when applied to highly metamorphic malware

    Metamorphic Detection Using Singular Value Decomposition

    Metamorphic malware changes its internal structure with each infection, while maintaining its original functionality. Such malware can be difficult to detect using static techniques, since there may be no common signature across infections. In this research we apply a score based on Singular Value Decomposition (SVD) to the problem of metamorphic detection. SVD is a linear algebraic technique which is applicable to a wide range of problems, including facial recognition. Previous research has shown that a similar facial recognition technique yields good results when applied to metamorphic malware detection. We present experimental results and we analyze the effectiveness and efficiency of this SVD-based approach

    Hunting for Pirated Software Using Metamorphic Analysis

    In this paper, we consider the problem of detecting software that has been pirated and modified. We analyze a variety of detection techniques that have been previously studied in the context of malware detection. For each technique, we empirically determine the detection rate as a function of the degree of modification of the original code. We show that the code must be greatly modified before we fail to reliably distinguish it, and we show that our results offer a significant improvement over previous related work. Our approach can be applied retroactively to any existing software and hence, it is both practical and effective

    Metamorphic malware detection based on support vector machine classification of malware sub-signatures

    Achieving accurate and efficient metamorphic malware detection remains a challenge. Metamorphic malware is able to mutate and alter its code structure in each infection, which can circumvent signature-matching detection. However, some vital functionalities and code segments remain unchanged between mutations. We exploit these unchanged features by means of classification using a Support Vector Machine (SVM). N-gram features are extracted directly from malware binaries to avoid disassembly, and these features are then masked with the extracted known malware signature n-grams. These masked features reduce the number of selected n-gram features considerably. Our method is able to accurately detect metamorphic malware with ~99% accuracy and a low false positive rate. The proposed method is also superior to commercially available anti-viruses for detecting metamorphic malware.

    Metamorphic Malware Detection Based on Support Vector Machine Classification of Malware Sub-Signatures

    Achieving accurate and efficient metamorphic malware detection remains a challenge. Metamorphic malware is able to mutate and alter its code structure in each infection, with some vital functionality and code segments remaining unchanged. We exploit these unchanged features for metamorphic malware detection using a Support Vector Machine (SVM) classifier. N-gram features are extracted directly from sample malware binaries to avoid disassembly, and are then masked with the extracted Snort signature n-grams. These masked features considerably reduce the number of selected n-gram features. Our method is able to accurately detect metamorphic malware with ~99% accuracy and a low false positive rate. The proposed method is also superior to commercially available anti-viruses in detecting metamorphic malware.

    Pre-filters in-transit malware packets detection in the network

    Conventional malware detection systems cannot detect most of the new malware in the network without the availability of their signatures. In order to solve this problem, this paper proposes a technique to detect both metamorphic (mutated) and general (non-mutated) malware in the network using a combination of known malware sub-signatures and machine learning classification. This network-based malware detection is achieved through a middle path for efficient processing of non-malware packets. The proposed technique has been tested and verified using multiple data sets (metamorphic malware, non-mutated malware, and UTM real traffic). This technique can detect most malware packets in the network before they reach the host, better than previous works which detect malware on the host. Experimental results showed that the proposed technique can speed up the transmission of more than 98% of normal packets without sending them to the slow path, and more than 97% of malware packets are detected and dropped in the middle path. Furthermore, more than 75% of metamorphic malware packets in the test dataset could be detected. The proposed technique is 37 times faster than the existing technique.

    Accuracy in mineral identification: image spectral and spatial resolutions and mineral spectral properties

    Problems related to airborne hyperspectral image data are reviewed and the requirements for data analysis applied to mineralogical (rocks and soils) interpretation are discussed. The variability of mineral spectral features, including absorption position, shape and depth is considered and interpreted as due to chemical composition, grain size effects and mineral association. It is also shown how this variability can be related to well defined geologic processes. The influence of sensor noise and diffuse atmospheric radiance in classification accuracy is also analyzed

    Study of LANDSAT-D thematic mapper performance as applied to hydrocarbon exploration

    Improved delineation of known oil and gas fields in southern Ontario and a spectacularly high amount of structural information on the Owl Creek, Wyoming scene were obtained from analysis of TM data. The use of hue, saturation, and value image processing techniques on a Death Valley, California scene permitted direct comparison of TM processed imagery with existing 1:250,000 scale geological maps of the area and revealed small outcrops of Tertiary volcanic material overlying Paleozoic sections. Analysis of TM data over Lawton, Oklahoma suggests that the reducing chemical environment associated with hydrocarbon seepage changes ferric iron to soluble ferrous iron, allowing it to be leached. Results of the band selection algorithm show a surprising consistency, with the 1,4,5 combination selected as optimal in most cases.
