Article
Simple substitution distance and metamorphic detection
Journal of Computer Virology and Hacking Techniques (2013)
  • Gayathri Shanmugam, San Jose State University
  • Richard M. Low, San Jose State University
  • Mark Stamp, San Jose State University
Abstract

To evade signature-based detection, metamorphic viruses transform their code before each new infection. Software similarity measures are a potentially useful means of detecting such malware. We can compare a given file to a known sample of metamorphic malware and compute their similarity—if they are sufficiently similar, we classify the file as malware of the same family. In this paper, we analyze an opcode-based software similarity measure inspired by simple substitution cipher cryptanalysis. We show that the technique provides a useful means of classifying metamorphic malware.
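The abstract sketches the idea but not the mechanics. The following is an added illustration, not code from the paper or its authors: it treats the opcode sequence of a known family sample as the "plaintext" statistics and the opcode sequence of a file under test as the "ciphertext", then searches for the one-to-one opcode relabelling that best aligns the two digraph-frequency matrices, the way a fast hill-climbing attack on a simple substitution cipher searches for a key. The distance left over after the best relabelling is the similarity score. The hill-climb (pairwise key swaps, kept only when the L1 distance drops), the frequency-seeded initial key, the sample opcode sequences, the opcode substitution table and the decision threshold are all constructed assumptions for this example; the paper's own scoring details may differ.

```python
"""Added example (not from the paper): score a file against a malware family by the
digraph distance that remains after the best opcode relabelling found by a hill climb."""
from collections import Counter


def digraph_matrix(opcodes, alphabet):
    """Relative frequency of each (current, next) opcode pair as an n x n matrix."""
    idx = {op: i for i, op in enumerate(alphabet)}
    n = len(alphabet)
    m = [[0.0] * n for _ in range(n)]
    pairs = list(zip(opcodes, opcodes[1:]))
    for a, b in pairs:
        m[idx[a]][idx[b]] += 1.0
    total = float(len(pairs)) or 1.0  # guard against division by zero on tiny inputs
    return [[v / total for v in row] for row in m]


def frequency_rank(opcodes, alphabet):
    """Alphabet indices ordered by unigram frequency, most frequent first (ties alphabetical)."""
    counts = Counter(opcodes)
    return sorted(range(len(alphabet)), key=lambda i: (-counts[alphabet[i]], i))


def permute(matrix, key):
    """Relabel rows and columns: test-file symbol i is read as family symbol key[i]."""
    n = len(matrix)
    out = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            out[key[i]][key[j]] = matrix[i][j]
    return out


def l1_distance(d, e):
    """Sum of absolute cell differences; 0.0 means identical digraph statistics."""
    return sum(abs(a - b) for ra, rb in zip(d, e) for a, b in zip(ra, rb))


def substitution_distance(reference_ops, test_ops):
    """Return (distance, mapping) for the best relabelling the hill climb finds.

    The search mirrors simple substitution cryptanalysis: seed the key from unigram
    frequencies, then keep any pairwise swap that lowers the distance until none does.
    """
    alphabet = sorted(set(reference_ops) | set(test_ops))
    n = len(alphabet)
    e = digraph_matrix(reference_ops, alphabet)  # expected (family) statistics
    d = digraph_matrix(test_ops, alphabet)       # observed statistics of the file
    key = [0] * n
    for t, r in zip(frequency_rank(test_ops, alphabet), frequency_rank(reference_ops, alphabet)):
        key[t] = r  # k-th most frequent test opcode -> k-th most frequent family opcode
    best = l1_distance(permute(d, key), e)
    improved = True
    while improved:
        improved = False
        for i in range(n - 1):
            for j in range(i + 1, n):
                key[i], key[j] = key[j], key[i]
                score = l1_distance(permute(d, key), e)
                if score < best:
                    best, improved = score, True
                else:
                    key[i], key[j] = key[j], key[i]  # swap did not help: undo it
    return best, {alphabet[i]: alphabet[key[i]] for i in range(n)}


# Constructed sample data (not from the paper): a family opcode sequence, a morphed copy
# produced by a consistent one-to-one opcode substitution, and an unrelated sequence.
FAMILY_OPS = ["push", "mov", "cmp", "mov", "add", "push", "mov", "add",
              "cmp", "mov", "push", "add", "mov", "call", "push", "mov"]
SUBSTITUTION = {"mov": "lea", "push": "xchg", "add": "sub", "cmp": "test", "call": "jmp"}
MORPHED_OPS = [SUBSTITUTION[op] for op in FAMILY_OPS]
UNRELATED_OPS = ["push", "pop"] * 4 + ["push"]


def classify(reference_ops, test_ops, threshold=0.5):
    """Label the file as the family when the residual distance is below the threshold.

    The threshold is a constructed value; in practice it is tuned on labelled samples.
    """
    dist, mapping = substitution_distance(reference_ops, test_ops)
    label = "same family" if dist < threshold else "not this family"
    return label, dist, mapping


if __name__ == "__main__":
    for name, ops in [("morphed copy", MORPHED_OPS), ("unrelated file", UNRELATED_OPS)]:
        label, dist, mapping = classify(FAMILY_OPS, ops)
        print(f"{name}: {label} (distance {dist:.3f})")
```

Because the morphed copy is an exact relabelling of the family sample, the frequency-seeded key already aligns the two matrices and the residual distance is zero; the unrelated sequence cannot be aligned by any relabelling and scores well above the threshold. Real metamorphic engines also insert dead code and reorder blocks, so the distance is rarely exactly zero on real samples, which is why the threshold has to be learned rather than fixed.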

Keywords
  • Metamorphic detection
  • Malware
  • Metamorphic malware
  • Cryptanalysis
  • Computer science
  • Computer engineering
Publication Date
2013
Citation Information
Gayathri Shanmugam, Richard M. Low and Mark Stamp. "Simple substitution distance and metamorphic detection" Journal of Computer Virology and Hacking Techniques Vol. 9 Iss. 3 (2013)
Available at: http://works.bepress.com/mark_stamp/11/