Detecting Obfuscated Viruses Using Cosine Similarity Analysis

Authors: Abhishek Karnik, Suchandra Goswami, R. Guha
DOI: 10.1109/AMS.2007.31 (https://doi.org/10.1109/AMS.2007.31)
Published in: First Asia International Conference on Modelling & Simulation (AMS'07), 2007-03-27
Citation count: 73 (Semantic Scholar record)

Abstract
Virus writers are getting smarter by the day. They are coming up with new, innovative ways to evade signature detection by anti-virus software. One such evasion technique used by polymorphic and metamorphic viruses is their ability to morph code so that signature-based detection techniques fail. These viruses change form such that every new infected file has different strings, rendering string-based signature detection practically useless against such viruses. Our work is based on the premise that, given a variant of morphed code, we can detect any obfuscated version of this code with high probability using some simple statistical techniques. We use the cosine similarity function to compare two files based on static analysis of the portable executable (PE) format. Our results show that for certain evasion techniques, it is possible to identify polymorphic/metamorphic versions of files based on cosine similarity.