Title: Effective methods to detect metamorphic malware: a systematic review

Authors: Mustafa Irshad; Haider M. Al-Khateeb; Ali Mansour; Moses Ashawa; Muhammad Hamisu

Addresses: School of Computer Science and Technology, University of Bedfordshire, University Square, Luton, Bedfordshire, LU1 3JU, UK ' School of Computer Science and Technology, University of Bedfordshire, University Square, Luton, Bedfordshire, LU1 3JU, UK ' School of Computer Science and Technology, University of Bedfordshire, University Square, Luton, Bedfordshire, LU1 3JU, UK ' School of Computer Science and Technology, University of Bedfordshire, University Square, Luton, Bedfordshire, LU1 3JU, UK ' School of Computer Science and Technology, University of Bedfordshire, University Square, Luton, Bedfordshire, LU1 3JU, UK

Abstract: The succeeding code for metamorphic malware is routinely rewritten to remain stealthy and undetected within infected environments. This characteristic is maintained by means of encryption and decryption methods, obfuscation through garbage code insertion, code transformation and registry modification which makes detection very challenging. The main objective of this study is to contribute an evidence-based narrative demonstrating the effectiveness of recent proposals. 16 primary studies were included in this analysis based on a pre-defined protocol. The majority of the reviewed detection methods used Opcode, control flow graph (CFG) and API call graph. Key challenges facing the detection of metamorphic malware include code obfuscation, lack of dynamic capabilities to analyse code and application difficulty. Methods were further analysed on the basis of their approach, limitation, empirical evidence and key parameters such as dataset, detection rate (DR) and false positive rate (FPR).

Keywords: metaphoric malware; malware detection; review; Opcode; control flow graph; CFG; API call graph.

DOI: 10.1504/IJESDF.2018.090948

International Journal of Electronic Security and Digital Forensics, 2018 Vol.10 No.2, pp.138 - 154

Received: 08 Aug 2016
Accepted: 22 May 2017

Published online: 04 Apr 2018 *

Full-text access for editors Full-text access for subscribers Purchase this article Comment on this article