Conference: International Symposium on Symbolic and Numeric Algorithms for Scientific Computing

Practical Aspects Related to Using Hidden Markov Models for Detecting Metamorphic File Infectors


Abstract

Hidden Markov Models (HMMs) have recently been widely used for detecting metamorphic malware families. In this paper, we address some practical aspects that should be taken into consideration when modeling file infectors using HMMs. We highlight how patient zero and the way in which generations of infections are spread are important for correctly choosing and extracting the code (sequences of instructions) on which to perform the training/testing. Specifically, we perform some tests to show the devastating effects on the detection rate in cases where: testing is performed on buffers of code bigger in size than the ones used for training; training is performed on later generations as opposed to earlier generations; code belonging to the file infector ends with one random instruction or a few instructions belonging to the clean host. We performed the tests on Evol, a highly metamorphic malware family, which has the desired property of evolving significantly across two different generations.