Metamorphic Malware Detection using Statistical Analysis
Kevadia Kaushal1, Prashant Swadas2, Nilesh Prajapat3

1Kevadia Kaushal, Department of Computer Engineering, BVM Engineering College, Vallabh Vidyanagar, Gujarat, INDIA.
2Prof. Prashat Swadas, Head of Computer Engineering Department, BVM Engineering College, Vallabh Vidyanagar, Gujarat, INDIA.
3Prof. Nilesh Prajapati, Associate Professor of Information Technology Department, BVM Engineering College, Vallabh Vidyanagar, Gujarat, INDIA.

Manuscript received on July 01, 2012. | Revised Manuscript received on July 04, 2012. | Manuscript published on July 05, 2012. | PP: 49-53 | Volume-2, Issue-3, July 2012. | Retrieval Number: C0676052312/2012©BEIESP
Open Access | Ethics and Policies | Cite 
© The Authors. Published By: Blue Eyes Intelligence Engineering and Sciences Publication (BEIESP). This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/)

Abstract: Typically, computer viruses and other malware are detected by searching for a string of bits found in the virus or malware. Such a string can be viewed as a “fingerprint” of the virus identified as the signature of the virus. The technique of detecting viruses using signatures is known as signature based detection. Today, virus writers often camouflage their viruses by using code obfuscation techniques in an effort to defeat signature-based detection schemes. So-called metamorphic viruses transform their code as they propagate, thus evading detection by static signature-based virus scanners, while keeping their functionality but differing in internal structure. Many dynamic analysis based detection have been proposed to detect metamorphic viruses but dynamic analysis technique have limitations like difficult to learn normal behavior, high run time overhead and high false positive rate compare to static detection technique. A similarity measure method has been successfully applied in the field of document classification problem. We want to apply similarity measures methods on static feature, API calls of executable to classify it as malware or benign. In this paper we present limitations of signature based detection for detecting metamorphic viruses. We focus on statically analyzing an executable to extract API calls and count the frequency this API calls to generate the feature set. These feature set is used to classify unknown executable as malware or benign by applying various similarity function.

Keywords: Metamorphic Virus, Malware Detection, API calls, Similarity measures.