Testing Detection of K-Ary Code Obfuscated by Metamorphic and Polymorphic Techniques

Author: George T. Harter, Neil C. Rowe
Year of publication: 2021
Subject:
Source: National Cyber Summit (NCS) Research Track 2021 ISBN: 9783030846138
NCS
DOI: 10.1007/978-3-030-84614-5_9
Description: K-ary codes are a form of obfuscation used by malware in which the code is distributed across K distinct files. Detecting them is difficult because recognizing the pieces that belong together is hard and provably impossible in general, and the techniques of encryption, metamorphism, and steganography can further obfuscate the code. We built a proof-of-concept K-ary program to test its detectability. It simulated a “keylogger”, malware that records keystrokes. We distributed it into parallel obfuscated processes run by a central controller process. We ran both static and dynamic tests to try to detect the keylogger using a variety of parameters. These tests used cosine similarity and clustering methods to correlate pieces of the malware, assuming that using a controller process meant the pieces would have similar code for communications, and that similarity could still be recognized even if obfuscated. Results showed moderate but not perfect success at recognizing our simulated malware. This should provide new tools to detect malware camouflage and evasion.
Database: OpenAIRE