
Meta opcode space for morphed malware detection


Abstract

Metamorphic malware variants have different code structures but exhibit similar functionality. These viruses are capable of morphing their code after each iteration. This structural diversity generates different binary strings for variants of the same base malware. Consequently, signature-based scanners fail to detect metamorphic malware. This paper describes a statistical approach for detecting metamorphic malware that employs feature ranking and dimensionality reduction, as the dimensionality of the features/attributes might scale due to obfuscation and the size of malicious programs. A weighted score method is used to rank each bi-gram mnemonic, and a proposed method known as Reduced Attribute using Mutual Information (RAMI) is employed to minimize attributes from the large feature space. An overall accuracy of 100% with an F-measure of 1 indicates that the proposed approach can be used for supporting commercial anti-virus scanners.