• DocumentCode
    2296840
  • Title

    Detecting Obfuscated Viruses Using Cosine Similarity Analysis

  • Author

    Karnik, Abhishek ; Goswami, Suchandra ; Guha, Ratan

  • Author_Institution
    Sch. of Electr. Eng. & Comput. Sci., Central Florida Univ., Orlando, FL
  • fYear
    2007
  • fDate
    27-30 March 2007
  • Firstpage
    165
  • Lastpage
    170
  • Abstract
    Virus writers are getting smarter by the day. They are coming up with new, innovative ways to evade signature detection by anti-virus software. One such evasion technique used by polymorphic and metamorphic viruses is their ability to morph code so that signature-based detection techniques fail. These viruses change form such that every new infected file has different strings, rendering string-based signature detection practically useless against such viruses. Our work is based on the premise that given a variant of morphed code, we can detect any obfuscated version of this code with high probability using some simple statistical techniques. We use the cosine similarity function to compare two files based on static analysis of the portable executable (PE) format. Our results show that for certain evasion techniques, it is possible to identify polymorphic/metamorphic versions of files based on cosine similarity.
  • Keywords
    codes; computer viruses; handwriting recognition; statistics; antivirus software; cosine similarity analysis; morphed code; obfuscated virus detection; portable executable format; signature detection; statistics; virus writers; Computer science; Computer viruses; Cryptography; Delay; Humans; Payloads; Probability; Taxonomy; Time factors; Viruses (medical)
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Modelling & Simulation, 2007. AMS '07. First Asia International Conference on
  • Conference_Location
    Phuket
  • Print_ISBN
    0-7695-2845-7
  • Type

    conf

  • DOI
    10.1109/AMS.2007.31
  • Filename
    4148653