Metamorphic malicious code behavior detection using probabilistic inference methods

Existing antivirus programs detect malicious code based on fixed signatures; therefore, they have limitations in detecting metamorphic malicious code that lacks signature information or possesses circumventing code inserted into it. Research on the methods for detecting this type of metamorphic malicious code primarily focuses on techniques that can detect code based on behavioral similarity to known malicious code. However, these techniques measure the degree of similarity with existing malicious code using API function call patterns. Therefore, they have certain disadvantages, such as low accuracy and large detection times. In this paper, we propose a method which can overcome the limitations of existing methods by using the FP-Growth algorithm, a data mining technique, and the Markov Logic Networks algorithm, a probabilistic inference method. To perform a comparative evaluation of the proposed method's malicious code behavior detection, we performed inference experiments using malicious code with an inserted code for random malicious behavior. We performed experiments to select optimal weights for each inference rule to improve our malicious code behavior inferences’ accuracy. The results of experiments, in which we performed a comparative evaluation with the General Bayesian Network, showed that the proposed method had an 8% higher classification performance.