Kambiz Vahedi, M. Abbaspour, Khadijeh Afhamisisi, Mohammad Rashidnejad
Published in: 2019 9th International Conference on Computer and Knowledge Engineering (ICCKE), pages 78-84, 2019-10-01
DOI: 10.1109/ICCKE48569.2019.8964967 (https://doi.org/10.1109/ICCKE48569.2019.8964967)
Behavioral Entropy Towards Detection of Metamorphic Malwares
Recent metamorphic malware detection methods based on statistical analysis of malware code and on measuring similarity between code samples are far superior to signature-based detection; yet they remain weak against code obfuscation techniques such as inserting garbage code that resembles benign files and replacing instructions with equivalent instructions. This paper proposes a method for improved detection of metamorphic malware based on analysis of the activity and behavior of executable files. The process involves two stages: first, the behavior of the file is analyzed at runtime and its behavioral pattern is obtained; then, in the second stage, the behavioral patterns of known malware files are compared with that of the sample file to determine their level of similarity. The behavior-analysis stage is carried out in a monitored environment, after which the malicious behavioral features of the file are extracted. The second stage determines the level of similarity between the malware registered in the database during the first stage and the sample files. The experimental results show that the proposed method, by determining the similarity level of behavioral patterns, significantly improves the detection of metamorphic malware with no false positives.