Title: MSG: Missing-sequence generator for metamorphic malware detection
Authors: Rama Krishna Koppanati, Sateesh K. Peddoju
Journal: Journal of Information Security and Applications, Volume 89, Article 103962
DOI: 10.1016/j.jisa.2024.103962
Publication date: 2025-01-21
Publication type: Journal Article
Journal impact factor: 3.8
JCR: Q2 (Computer Science, Information Systems)
Region: 2 (Computer Science)
Open access: no
URL: https://www.sciencedirect.com/science/article/pii/S2214212624002643
Source platform: Semantic Scholar
Citation count: 0
Abstract
Metamorphic malware is a sophisticated class of malware that frequently modifies its code to avoid detection by signature-based methods while maintaining the same output at run time. Invariably, the output register values reflect the malware's behavior. Therefore, capturing the sequence of output register values from a binary is essential to identifying the evolutionary relationship between sequences, leading to effective malware detection. In other words, generating register value sequences for the malicious code in a binary that are distinct from, or missing from, those of benign binaries is vital to effectively detecting both typical and metamorphic malware. This paper proposes a novel Missing Sequence Generator (MSG) to generate features in the form of missing sequences by capturing the registers' output sequence from a binary's Control Flow Graph (CFG) together with its context, semantics, and control flow. We create a diverse and large-scale dataset of metamorphic malware using a metamorphic engine to conduct experiments. We also experiment with diverse non-metamorphic malware. The proposed model achieves an accuracy of 99.82% on the non-metamorphic dataset and 99.06% on the metamorphic dataset, with negligible False Positive Rates (FPRs). The proposed model outperforms the state-of-the-art models. Further, the proposed work proves its performance and effectiveness by surpassing 47 existing anti-malware products.
Journal description:
Journal of Information Security and Applications (JISA) focuses on original research and practice-driven applications with relevance to information security and applications. JISA provides a common linkage between a vibrant scientific and research community and industry professionals by offering a clear view of modern problems and challenges in information security, as well as identifying promising scientific and "best-practice" solutions. JISA issues offer a balance between original research work and innovative industrial approaches by internationally renowned information security experts and researchers.