Title :
Detecting Obfuscated Viruses Using Cosine Similarity Analysis
Author :
Karnik, Abhishek ; Goswami, Suchandra ; Guha, Ratan
Author_Institution :
Sch. of Electr. Eng. & Comput. Sci., Central Florida Univ., Orlando, FL
Abstract :
Virus writers are getting smarter by the day. They are coming up with new, innovative ways to evade signature detection by anti-virus software. One such evasion technique used by polymorphic and metamorphic viruses is their ability to morph code so that signature based detection techniques fail. These viruses change form such that every new infected file has different strings, rendering string based signature detection practically useless against such viruses. Our work is based on the premise that given a variant of morphed code, we can detect any obfuscated version of this code with high probability using some simple statistical techniques. We use the cosine similarity function to compare two files based on static analysis of the portable executable (PE) format. Our results show that for certain evasion techniques, it is possible to identify polymorphic/metamorphic versions of files based on cosine similarity
Keywords :
codes; computer viruses; handwriting recognition; statistics; antivirus software; cosine similarity analysis; morphed code; obfuscated virus detection; portable executable format; signature detection; statistics; virus writers; Computer science; Computer viruses; Cryptography; Delay; Humans; Payloads; Probability; Taxonomy; Time factors; Viruses (medical);
Conference_Titel :
Modelling & Simulation, 2007. AMS '07. First Asia International Conference on
Conference_Location :
Phuket
Print_ISBN :
0-7695-2845-7
DOI :
10.1109/AMS.2007.31
