Using Markov chains to filter machine-morphed variants of malicious programs

3 Author(s)
Mohamed R. Chouchane ; Center for Advanced Computer Studies, University of Louisiana at Lafayette, USA ; Andrew Walenstein ; Arun Lakhotia

Of the enormous quantity of malicious programs seen in the wild, most are variations of previously seen programs. Automated program transformation tools (i.e., code morphers) are one of the ways of making such variants in volume. This paper proposes a Markov chain-based framework for fast, approximate detection of variants of known morphers wherein every morphing operation independently and predictably alters quickly-checked global program properties. Specifically, identities from Markov chain theory are applied to approximately determine whether a given program may be a variant created from some given previous program, or whether it definitely is not. The framework is used to define a method for finding telltale signs of the use of closed-world, instruction-substituting transformers within the frequencies of instruction forms found in a program. This decision method may yield a fast technique to aid malware detection.

Published in: Malicious and Unwanted Software, 2008. MALWARE 2008. 3rd International Conference on

Date of Conference: 7-8 Oct. 2008
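The idea in the abstract, as an added toy example that is not the paper's algorithm or code: a one-for-one instruction-substituting morpher is modelled as a row-stochastic matrix over instruction forms, and a suspect's form frequencies are compared with the expected frequencies of each generation of a known program. The form list, the matrix `P`, the tolerance and the sample frequency vectors are all constructed assumptions.

```python
# Added illustration, not the paper's algorithm. FORMS and P are constructed.
FORMS = ["mov r,0", "xor r,r", "sub r,r", "inc r", "add r,1"]
# P[i][j]: assumed probability that one morphing pass rewrites form i as form j.
P = [
    [0.2, 0.4, 0.4, 0.0, 0.0],  # mov r,0 is only ever rewritten away
    [0.0, 0.6, 0.4, 0.0, 0.0],
    [0.0, 0.5, 0.5, 0.0, 0.0],
    [0.0, 0.0, 0.0, 0.7, 0.3],
    [0.0, 0.0, 0.0, 0.2, 0.8],
]

def step(f, P):
    """Expected form frequencies after one more generation: f' = f P."""
    n = len(f)
    return [sum(f[i] * P[i][j] for i in range(n)) for j in range(n)]

def reachable(f0, P):
    """Indices of forms that can occur in any descendant of the known program."""
    seen = {i for i, x in enumerate(f0) if x > 0}
    frontier = list(seen)
    while frontier:
        i = frontier.pop()
        for j, p in enumerate(P[i]):
            if p > 0 and j not in seen:
                seen.add(j)
                frontier.append(j)
    return seen

def classify(f0, g, P, max_gen=20, tol=0.05):
    """Compare suspect frequencies g with the known program's frequencies f0."""
    ok = reachable(f0, P)
    if any(x > 0 and j not in ok for j, x in enumerate(g)):
        return ("definitely-not", None)  # suspect uses a form the morpher cannot emit
    best_n, best_d, f = 0, float("inf"), list(f0)
    for n in range(max_gen + 1):
        d = sum(abs(a - b) for a, b in zip(f, g))  # L1 distance to generation n
        if d < best_d:
            best_n, best_d = n, d
        f = step(f, P)
    verdict = "possible-variant" if best_d <= tol else "unlikely-variant"
    return (verdict, best_n)

if __name__ == "__main__":
    known = [0.5, 0.0, 0.0, 0.5, 0.0]          # constructed sample
    suspect = [0.03, 0.25, 0.22, 0.28, 0.22]   # constructed sample
    print(classify(known, suspect, P))
```

The reachability check gives the "definitely is not" answer cheaply; the distance check is only approximate, because a real variant's frequencies scatter around the expected vector.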