Detecting Obfuscated Viruses Using Cosine Similarity Analysis

Abhishek Karnik, Suchandra Goswami, R. Guha
DOI: 10.1109/AMS.2007.31 (https://doi.org/10.1109/AMS.2007.31)
Published in: First Asia International Conference on Modelling & Simulation (AMS'07)
Publication date: 2007-03-27
Citation count: 73

Abstract

Virus writers are getting smarter by the day. They are coming up with new, innovative ways to evade signature detection by anti-virus software. One such evasion technique used by polymorphic and metamorphic viruses is their ability to morph code so that signature-based detection techniques fail. These viruses change form such that every new infected file has different strings, rendering string-based signature detection practically useless against such viruses. Our work is based on the premise that given a variant of morphed code, we can detect any obfuscated version of this code with high probability using some simple statistical techniques. We use the cosine similarity function to compare two files based on static analysis of the portable executable (PE) format. Our results show that for certain evasion techniques, it is possible to identify polymorphic/metamorphic versions of files based on cosine similarity.