Computers: Polymorphism Malware Detection



Polymorphism malware detection

The polymorphic nature of malware poses a challenge to computer security experts. Because such malware can exist in more than one form, it is hard to prevent, detect and limit the damage it causes to data stored on computers or servers. Its changing appearance makes it hard to notice as it infects one machine after another. The forms it takes include junk code insertion, spaghetti code, control replacement, statement replacement, variable renaming and statement reordering. Dependency graphs and graph reduction are among the techniques used to show how polymorphism occurs and the many forms malware can take. Code listings are used to describe the variation of the malware from one form to another: it is transformed from normal code into semantic code.
Computer Malware
Computer malware is malicious code that is capable of destroying other files [2]. Such code is created with the intention of damaging valuable information held on machines or servers, and it can spread or mutate to fit particular environmental conditions. Malware is divided into categories according to how it infects other files and causes damage [2]. The damage to data varies from one malware to another and depends mainly on the target file format. Some malware causes no damage until certain conditions are met, such as the activation of a program, the opening of a certain file, a visit to a certain website, or a specific time of day.
Since malware is dangerous and damages data stored on computers, information needs to be secured against infection or corruption [4]. Methods are needed to prevent, detect and remove malware from an individual machine or program, and proper measures must be in place to stop it spreading to other machines by whatever means [4]. Script malware is an example that has become very hard to detect and counter, because many computer programs now support scripting. Given the advanced state of viral polymorphism, current detection technologies cannot keep up with the exponential growth of polymorphic malware. This paper will first propose a detection method for script malware based on dependency graph analysis. Every script malware can be represented as a dependency graph, and detection is transformed into the problem of finding a maximum subgraph isomorphism, since polymorphism still preserves the malware's logical structure.
This paper will also present heuristic approaches to maximum subgraph isomorphism, which may improve detection accuracy and reduce computational cost. The design yields an implementation of a dependency-graph-based malware detection tool. The experiment is set out to determine whether the proposed method is effective and efficient: whether it catches polymorphic malware, whether it outperforms antivirus software, and whether the heuristic approaches reduce the time consumed.
Several detection methods have been proposed to counter different types of malware, viruses and spyware. One of the simplest is signature-based detection. It requires experts to study the behaviour of the malware and use the results to update the signatures in a database; every file is then compared with all the malware in the database, looking for a sequence of patterns that matches a particular malware. This makes it difficult to detect a virus in the early stages of its development. Several other virus detection techniques have been implemented, including rule learning, data mining, control flow graphs and neural networks. Unlike viruses that propagate in executable form, scripts require forensic experts to perform various kinds of static analysis. There are also various polymorphic transformations that apply in the field of obfuscation.
Polymorphic Nature of Malware
The polymorphic nature of script malware confuses virus scanners, because the changing appearance of the code makes detection very hard [3]. There are several kinds of polymorphism by which malware code can change its appearance. Format alteration is done by inserting and removing comments; it is the simplest and least effective method of polymorphism. Variable renaming constantly changes the identifier names of variables without affecting the correctness of the program [3]; it can confuse a human reader but is futile against detection tools. Statement reordering also exists: a sequence of statements can be rearranged without causing an error in the program. Another form is junk code insertion, which inserts immaterial code [5]; it serves to confuse the detection system without disturbing the original logic.
The Proposed System
The system chooses a known malware p1 and its dependency graph G1 from the virus database, together with a target file p2 that is not yet classified as malware, and begins to test whether p2 may be a polymorphic variant of p1 [1]. The code of p2 is then parsed and transformed into semantic code. Finally, the system extracts the dependency graph G2 and performs graph reduction to diminish the size of the graph [1].

(a) Original code
1. Dim n, p, i
2. n = 5
3. p = 1
4. For i = 1 To n Do
5. p = p * i
6. End For

(b) Semantic code
1. Dim n
2. Dim p
3. Dim i
4. n = 5
5. p = 1
6. i = 1
7. If i <= n Then
8. p = p * i
9. i = i + 1
10. Goto 7
11. End If

[Figure: (c) control flow graph and (d) dependency graph of the semantic code; not reproduced.]

Variable Dependency Graph
A dependency graph is a directed graph that represents the dependencies of objects on one another. Here it is built on the relation among the lines of semantic code [3]: each vertex of the directed graph represents one line of semantic code.

Dependency edges. There is a dependency edge from vertex v1 to vertex v2 if there is some variable X such that X is used on v2 and the value of X is assigned on v1 [3]. Polymorphism such as format alteration and variable renaming causes no change, even in the control flow graph. Reordering, on the other hand, changes the order of the vertices in the dependency graph, and more complex techniques such as statement replacement, junk code insertion and control replacement may add vertices to it.

Graph Reduction
The dependency graph may be reduced. Parts of the code that control flow never reaches can be removed, and any vertex that satisfies one of the following conditions can be eliminated [3]. The first is a vertex with outgoing edges but no incoming edge; this is mostly a variable declaration, which is not critical when considering the core part of the program. The second is a vertex with one incoming edge but no outgoing edge, meaning that no later line uses the value it produces.

Conclusion
A malware detection mechanism based on dependency graph analysis and genetic algorithms (GAs) has been described. Since a large proportion of malware exists in script form and spreads mainly through USB devices and browsers, dependency analysis of the malware code appears fairly useful for detecting unknown polymorphic malware. Graph reduction and the two heuristic approaches remain a crucial part of the system. The limit of the proposed system is the computational cost of the GAs, although graph reduction and the heuristics save significant computational time.

References
1. Han, K., Lim, J. H., & Im, E. G. (2013, October). Malware analysis method using visualization of binary files. In Proceedings of the 2013 Research in Adaptive and Convergent Systems (pp. 317-321). ACM.
2. Aycock, J. (2006). Computer Viruses and Malware. Springer.
3. Kim, K., & Moon, B. R. (2010, July). Malware detection based on dependency graph using hybrid genetic algorithm. In Proceedings of the 12th Annual Conference on Genetic and Evolutionary Computation (pp. 1211-1218). ACM.
4. Pluskal, O. (2015, October). Behavioral malware detection using efficient SVM implementation. In Proceedings of the 2015 Conference on Research in Adaptive and Convergent Systems (pp. 296-301). ACM.
5. Pearce, S. (2003). Viral polymorphism. SANS Institute.
