<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE article  PUBLIC "-//NLM//DTD Journal Publishing DTD v3.0 20080202//EN" "http://dtd.nlm.nih.gov/publishing/3.0/journalpublishing3.dtd"><article xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink" dtd-version="3.0" xml:lang="en" article-type="research article"><front><journal-meta><journal-id journal-id-type="publisher-id">JIS</journal-id><journal-title-group><journal-title>Journal of Information Security</journal-title></journal-title-group><issn pub-type="epub">2153-1234</issn><publisher><publisher-name>Scientific Research Publishing</publisher-name></publisher></journal-meta><article-meta><article-id pub-id-type="doi">10.4236/jis.2016.73017</article-id><article-id pub-id-type="publisher-id">JIS-65748</article-id><article-categories><subj-group subj-group-type="heading"><subject>Articles</subject></subj-group><subj-group subj-group-type="Discipline-v2"><subject>Computer Science&amp;Communications</subject></subj-group></article-categories><title-group><article-title>
 
 
  A Comparison of Malware Detection Techniques Based on Hidden Markov Model
 
</article-title></title-group><contrib-group><contrib contrib-type="author" xlink:type="simple"><name name-style="western"><surname>aja</surname><given-names>Alqurashi</given-names></name><xref ref-type="aff" rid="aff1"><sup>1</sup></xref></contrib><contrib contrib-type="author" xlink:type="simple"><name name-style="western"><surname>Omar</surname><given-names>Batarfi</given-names></name><xref ref-type="aff" rid="aff1"><sup>1</sup></xref></contrib></contrib-group><aff id="aff1"><addr-line>Information Technology Department, King Abdul Aziz University, Jeddah, Saudi Arabia</addr-line></aff><pub-date pub-type="epub"><day>01</day><month>04</month><year>2016</year></pub-date><volume>07</volume><issue>03</issue><fpage>215</fpage><lpage>223</lpage><history><date date-type="received"><day>25</day>	<month>January</month>	<year>2016</year></date><date date-type="rev-recd"><day>accepted</day>	<month>19</month>	<year>April</year>	</date><date date-type="accepted"><day>22</day>	<month>April</month>	<year>2016</year></date></history><permissions><copyright-statement>&#169; Copyright  2014 by authors and Scientific Research Publishing Inc. </copyright-statement><copyright-year>2014</copyright-year><license><license-p>This work is licensed under the Creative Commons Attribution International License (CC BY). http://creativecommons.org/licenses/by/4.0/</license-p></license></permissions><abstract><p>
 
 
  Malware is a software which is designed with an intent to damage a network or computer resources. Today, the emergence of malware is on boom letting the researchers develop novel techniques to protect computers and networks. The three major techniques used for malware detection are heuristic, signature-based, and behavior based. Among these, the most prevalent is the heuristic based malware detection. Hidden Markov Model is the most efficient technique for malware detection. In this paper, we present the Hidden Markov Model as a cutting edge malware detection tool and a comprehensive review of different studies that employ HMM as a detection tool.
 
</p></abstract><kwd-group><kwd>Malware</kwd><kwd> HMM</kwd><kwd> Detection Tool</kwd><kwd> Obfuscation Techniques</kwd><kwd> Metamorphic</kwd></kwd-group></article-meta></front><body><sec id="s1"><title>1. Introduction</title><p>Malware is a software which is developed for malicious intent [<xref ref-type="bibr" rid="scirp.65748-ref1">1</xref>] . Malware can steal sensitive data from a computer or it can infect files one after the other, and spreads the infection throughout the computer. Malware needs to be caught and removed from the infected computer promptly to avoid the leakage of sensitive data or any other malicious activity in the computer. Malwares can be classified into viruses, worms, Trojans, spywares, adwares, Rootkits, etc. [<xref ref-type="bibr" rid="scirp.65748-ref2">2</xref>] .</p><p>To escape detection tools, malware developers evolve new techniques [<xref ref-type="bibr" rid="scirp.65748-ref3">3</xref>] [<xref ref-type="bibr" rid="scirp.65748-ref4">4</xref>] . They write malware in a fashion that it changes its appearance and alters its code on each infection―thus changes its appearance on each infection. Therefore, the signature-based detection schemes cannot detect them. The various techniques employed by malware developers are discussed below.</p></sec><sec id="s2"><title>2. Obfuscation Techniques</title><p>Obfuscation techniques that change the syntax of program without change the semantic that make the malicious code more difficult to be analyzed and understand while preserving its semantics and functionality [<xref ref-type="bibr" rid="scirp.65748-ref5">5</xref>] . Obfuscation can be achieved by register exchange where registers and variables within the file are switched but the code remains the same; instruction swap, which substitutes instructions with equivalent instructions; instruction permutation; transposition that reorders the independent instructions; dead code insertion where “do nothing” instructions are inserted in the code [<xref ref-type="bibr" rid="scirp.65748-ref6">6</xref>] .</p><sec id="s2_1"><title>2.1. Code Encryption</title><p>Refers to hiding the malicious code. Encrypted malware comprises of decryption/encryption engine, decryption key and encrypted malicious code [<xref ref-type="bibr" rid="scirp.65748-ref2">2</xref>] . Encrypted malwares can be classified.</p></sec><sec id="s2_2"><title>2.2. Oligomorphic</title><p>The malware developers encrypt the code in a manner that it can change its decryptors lightly [<xref ref-type="bibr" rid="scirp.65748-ref2">2</xref>] . However, this malware has some limitations and can be detected by signature-based detection tools [<xref ref-type="bibr" rid="scirp.65748-ref7">7</xref>] .</p></sec><sec id="s2_3"><title>2.3. Polymorphic</title><p>The polymorphic malware encrypts itself with a different encryption algorithm/key in every infection. It can use a large number of encryption algorithms/keys and thus makes its detection very difficult and time consuming [<xref ref-type="bibr" rid="scirp.65748-ref3">3</xref>] .</p></sec><sec id="s2_4"><title>2.4. Metamorphic</title><p>The metamorphic malware is capable of changing itself to a completely new instance that does not have anything common to its original [<xref ref-type="bibr" rid="scirp.65748-ref2">2</xref>] . This behavior makes it the most complicated malware to detect.</p></sec></sec><sec id="s3"><title>3. Malware Detection Techniques</title><p>Malwares are worldwide epidemic and malware detection techniques (MDTs) serve as first line of defense against them. The effectiveness of a malware detection tool is based on the techniques it uses. Malware detection techniques can be primarily divided into the following three classes.</p><sec id="s3_1"><title>3.1. Signature-Based Techniques</title><p>Signature-based detection is widely used to detect known malware. Although it is very effective, but becomes ineffective if there is even a very small change in the code, which in turn changes its signature. Furthermore, this scheme requires the signature database to be updated on regular basis to detect new malware [<xref ref-type="bibr" rid="scirp.65748-ref6">6</xref>] .</p></sec><sec id="s3_2"><title>3.2. Behavior-Based Techniques</title><p>These techniques constantly observe program behavior to determine whether it is harmful or not. Thus, these techniques can also detect unknown malware. However, the effectiveness of these techniques is not yet proven. The experiments show that these techniques have high false positive ratio [<xref ref-type="bibr" rid="scirp.65748-ref3">3</xref>] . Moreover, these techniques take more time in detection process.</p></sec><sec id="s3_3"><title>3.3. Heuristic Techniques</title><p>These techniques mainly use machine learning and data mining methods to identify the behavior of the running program. The major methods that have been used so far include Naive Bayesian, Neural Network and Hidden Markov Model [<xref ref-type="bibr" rid="scirp.65748-ref1">1</xref>] [<xref ref-type="bibr" rid="scirp.65748-ref3">3</xref>] [<xref ref-type="bibr" rid="scirp.65748-ref4">4</xref>] [<xref ref-type="bibr" rid="scirp.65748-ref8">8</xref>] .</p><p>In recent work [<xref ref-type="bibr" rid="scirp.65748-ref1">1</xref>] [<xref ref-type="bibr" rid="scirp.65748-ref3">3</xref>] [<xref ref-type="bibr" rid="scirp.65748-ref4">4</xref>] [<xref ref-type="bibr" rid="scirp.65748-ref9">9</xref>] , Hidden Markov Model (HMM) has been shown as an efficient machine learning model to detect malware. HMM is based on statistical analysis of different states of a code, where each state has an associated probability of transition to other states.</p><p>HMM is a process modeling technique where each state of the process is defined in terms of its input data and its corresponding probability of occurrence. HMM is initially trained for different states of a malicious code along with its statistical properties. Based on this learning, HMM can detect, with high probability, the malicious codes of the same family. Thus, the more the training of HMM with different variants, the higher the chances of detection.</p><p>The following section gives us more details how HMM work.</p></sec></sec><sec id="s4"><title>4. Hidden Markov Model</title><sec id="s4_1"><title>4.1. Hidden Markov Model Overview</title><p>Hidden Markov models (HMMs) are generally used for statistical pattern analysis. Also can be used in speech recognition [<xref ref-type="bibr" rid="scirp.65748-ref10">10</xref>] , malicious code detection [<xref ref-type="bibr" rid="scirp.65748-ref11">11</xref>] and biological sequence analysis [<xref ref-type="bibr" rid="scirp.65748-ref12">12</xref>] .</p><p>Hidden Markov model is a statistical model that has states and known probabilities of the state transitions is called a Markov model [<xref ref-type="bibr" rid="scirp.65748-ref13">13</xref>] . In such a Markov model, the states are visible to the observer. But a hidden Markov model (HMM) has states that are not directly observable [<xref ref-type="bibr" rid="scirp.65748-ref10">10</xref>] . HMM is a machine learning technique. HMM acts as a state machine. Every state is associated with a probability distribution for observing a set of observation symbols. The transition between the states has fixed probabilities. We train an HMM using the observation sequences to represent a set of data [<xref ref-type="bibr" rid="scirp.65748-ref13">13</xref>] . We can match an observation sequence against a trained HMM to determine the probability of seeing such a sequence. If the probability is high, the observation sequence is similar to the training sequences. HMMs are used in protein modeling, also can be used for software piracy detection [<xref ref-type="bibr" rid="scirp.65748-ref14">14</xref>] . As mentioned in [<xref ref-type="bibr" rid="scirp.65748-ref13">13</xref>] , the notations used in the hidden Markov models as following (<xref ref-type="fig" rid="fig1">Figure 1</xref>):</p><p>T = length of the observation sequence</p><p>N = number of states in the model</p><p>M = number of distinct observation symbols</p><p>Q = distinct states of the Markov Model</p><p>V = set of possible observations</p><p>A = state transition probability matrix</p><p>B = observation probability matrix</p><p>π = initial state distribution</p><p>O = observation sequence</p><p>A hidden Markov model is defined by the matrices A, B and π. An HMM is denoted as<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x6.png" xlink:type="simple"/></inline-formula>.</p><p>The following three problems can be solved efficiently using HMM algorithms:</p><p>Problem 1: Given a model <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x7.png" xlink:type="simple"/></inline-formula> and an observation sequence O, we need to find P(O|λ). That is, an observation sequence that can be scored to see how well it fits a given model.</p><p>Problem 2: Given a model <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x8.png" xlink:type="simple"/></inline-formula> and an observation sequence O, we can determine an optimal state sequence for the Markov model. That is, the most likely hidden state sequence can be uncovered.</p><p>Problem 3: Given O, N, M, we can find a model λ that maximizes probability of O. This is the training of a model in order to best fit an observation sequence.</p><p>These three problems can be efficiently solved by the following three algorithms:</p><p>・ The Forward algorithm</p><p>・ The Backward algorithm</p><p>・ The Baum-Welch re-estimation algorithm</p><p>The forward-backward algorithm is for calculating the probability of being in a state qi at time t given an observation sequence O [<xref ref-type="bibr" rid="scirp.65748-ref13">13</xref>] . The forward algorithm, or α pass, determines<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x9.png" xlink:type="simple"/></inline-formula>. The algorithm can be stated as follows.</p><fig id="fig1"  position="float"><label><xref ref-type="fig" rid="fig1">Figure 1</xref></label><caption><title> Represents a generic view of a hidden Markov model [<xref ref-type="bibr" rid="scirp.65748-ref13">13</xref>] </title></caption><graphic mimetype="image"   position="float"  xlink:type="simple"  xlink:href="http://html.scirp.org/file/11-7800347x10.png"/></fig><p>1) For <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x11.png" xlink:type="simple"/></inline-formula> and <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x12.png" xlink:type="simple"/></inline-formula></p><p>2) <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x13.png" xlink:type="simple"/></inline-formula></p><p>The probability of the partial observation sequence up to time t is<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x14.png" xlink:type="simple"/></inline-formula>. Using the forward algorithm, <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x15.png" xlink:type="simple"/></inline-formula>can be computed as follows:</p><p>1) Let<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x16.png" xlink:type="simple"/></inline-formula>, for <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x17.png" xlink:type="simple"/></inline-formula></p><p>2) For <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x18.png" xlink:type="simple"/></inline-formula> and <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x19.png" xlink:type="simple"/></inline-formula> compute</p><disp-formula id="scirp.65748-formula180"><graphic  xlink:href="http://html.scirp.org/file/11-7800347x20.png"  xlink:type="simple"/></disp-formula><p>3) Then <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x21.png" xlink:type="simple"/></inline-formula></p><p>The backward algorithm helps to find a most likely optimal state sequence. This algorithm can be stated as follows:</p><p>1) For <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x22.png" xlink:type="simple"/></inline-formula> and <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x22.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x23.png" xlink:type="simple"/></inline-formula> define</p><p>2) <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x24.png" xlink:type="simple"/></inline-formula></p><p>Then <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x25.png" xlink:type="simple"/></inline-formula> can be calculated in following steps:</p><p>3) Let<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x26.png" xlink:type="simple"/></inline-formula>, for <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x26.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x27.png" xlink:type="simple"/></inline-formula></p><p>4) For <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x28.png" xlink:type="simple"/></inline-formula> and<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x28.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x29.png" xlink:type="simple"/></inline-formula>, compute</p><disp-formula id="scirp.65748-formula181"><graphic  xlink:href="http://html.scirp.org/file/11-7800347x30.png"  xlink:type="simple"/></disp-formula><p>For <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x31.png" xlink:type="simple"/></inline-formula> and <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x31.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x32.png" xlink:type="simple"/></inline-formula> define</p><disp-formula id="scirp.65748-formula182"><graphic  xlink:href="http://html.scirp.org/file/11-7800347x33.png"  xlink:type="simple"/></disp-formula><p>The relevant probability up to time t is given by:</p><disp-formula id="scirp.65748-formula183"><graphic  xlink:href="http://html.scirp.org/file/11-7800347x34.png"  xlink:type="simple"/></disp-formula><p>The most likely state at any time t is the state for which <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x35.png" xlink:type="simple"/></inline-formula> is maximum. The Baum-Welch algorithm helps in iteratively re-estimating the parameters A, B, π [<xref ref-type="bibr" rid="scirp.65748-ref13">13</xref>] .</p><p>It provides efficient way to best fit the observations. The number of states N and number of unique observation symbols M are constant. However, other parameters like A, B and π are changeable with row stochastic condition. This process of re-estimating the model is explained as follows:</p><p>1) Initialize <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x36.png" xlink:type="simple"/></inline-formula> with an appropriate guess or random values. For example</p><p>π = 1/N, A<sub>ij</sub> = 1/N, B<sub>ij</sub> = 1/M.</p><p>2) Compute<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x37.png" xlink:type="simple"/></inline-formula>, <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x37.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x38.png" xlink:type="simple"/></inline-formula>, <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x37.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x38.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x39.png" xlink:type="simple"/></inline-formula>and <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x37.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x38.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x39.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x40.png" xlink:type="simple"/></inline-formula> where <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x37.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x38.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x39.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x40.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x41.png" xlink:type="simple"/></inline-formula> is a digamma. The digammas can be defined as:</p><disp-formula id="scirp.65748-formula184"><graphic  xlink:href="http://html.scirp.org/file/11-7800347x42.png"  xlink:type="simple"/></disp-formula><p><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x43.png" xlink:type="simple"/></inline-formula>and <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x43.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x44.png" xlink:type="simple"/></inline-formula> are related by:</p><disp-formula id="scirp.65748-formula185"><graphic  xlink:href="http://html.scirp.org/file/11-7800347x45.png"  xlink:type="simple"/></disp-formula><p>3) Re-estimate model parameters as: For <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x46.png" xlink:type="simple"/></inline-formula> let</p><disp-formula id="scirp.65748-formula186"><graphic  xlink:href="http://html.scirp.org/file/11-7800347x47.png"  xlink:type="simple"/></disp-formula><p>For <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x48.png" xlink:type="simple"/></inline-formula> and<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x48.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x49.png" xlink:type="simple"/></inline-formula>, compute:</p><disp-formula id="scirp.65748-formula187"><graphic  xlink:href="http://html.scirp.org/file/11-7800347x50.png"  xlink:type="simple"/></disp-formula><p>For <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x51.png" xlink:type="simple"/></inline-formula> and<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x51.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x52.png" xlink:type="simple"/></inline-formula>, compute:</p><disp-formula id="scirp.65748-formula188"><graphic  xlink:href="http://html.scirp.org/file/11-7800347x53.png"  xlink:type="simple"/></disp-formula><p>4) If <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/11-7800347x54.png" xlink:type="simple"/></inline-formula> increases go to Step 3.</p><p>Considering the potential and effectiveness of HMM-based MDTs, we have studied their strengths and weaknesses. In this paper, we examined 10 HMM-based MDTs and compared them to facilitate their selection for designing and developing secure systems. In addition, we also present a comprehensive literature review of MDT.</p></sec><sec id="s4_2"><title>4.2. HMM as Malware Detection Tool</title><sec id="s4_2_1"><title>4.2.1. Traditional HMM Detector</title><p>Wong and Stamp in [<xref ref-type="bibr" rid="scirp.65748-ref3">3</xref>] [<xref ref-type="bibr" rid="scirp.65748-ref4">4</xref>] proposed a detection tool based on HMM to detect metamorphic virus. In their work, the authors compared their tool with commercial anti-virus tools for the morphed viruses generated by four virus engines: Next Generation Virus Creation Kit (NGVCK), Second Generation virus generator (G2), Virus Creation Lab for Win32 (VCL32), and Mass Code Generator (MCGEN). The commercial anti-virus could not detect morphed virus generated by NGVCK, whereas HMM based detector not only classified each virus to a particular family but showed a detection rate of 97% with only 3% false positive detections [<xref ref-type="bibr" rid="scirp.65748-ref3">3</xref>] [<xref ref-type="bibr" rid="scirp.65748-ref4">4</xref>] . <xref ref-type="fig" rid="fig2">Figure 2</xref> show the HMM score used to classify the family virus, non-family virus and normal file.</p><p>The authors in [<xref ref-type="bibr" rid="scirp.65748-ref6">6</xref>] developed a code obfuscation engine that creates metamorphic viruses, which cannot be detected by any signature based technique, and validate detection based on HMM. The authors created 120 different variants of seed viruses. The code morphing engine randomly shuffles the virus assembly code by dividing it into different blocks and also inserts some blocks of dead code in the original code. These metamorphic viruses were scanned using commercial anti-virus (McAfee), which failed to detect any of these viruses. Then, these metamorphic viruses were tested using the proposed HMM detector. For all of the viruses, the score significantly varied from that for normal files. Thus, the HMM-based detector identified viruses from their similarity score only [<xref ref-type="bibr" rid="scirp.65748-ref6">6</xref>] .</p><p>Another work in [<xref ref-type="bibr" rid="scirp.65748-ref15">15</xref>] developed metamorphic engine to produce highly diverse morphed copies of base viruses. The code obfuscation techniques used to develop engine are dead code insertion, equivalent instruction substitute and transposition. These metamorphic viruses were tested against a commercial anti-virus and HMM detector. The results showed that HMM detector is effective to identify metamorphic viruses with high accuracy [<xref ref-type="bibr" rid="scirp.65748-ref15">15</xref>] .</p><p>Authors in [<xref ref-type="bibr" rid="scirp.65748-ref8">8</xref>] proposed a code emulator designed to detect dead code in metamorphic virus. This emulator enhanced the effectiveness of HMM detector. The following graph shows us the architecture of the Code Emulator Process Flow. This emulator has capability to emulate all important CPU registers and can filter out changes in the instructions/subroutines caused by code obfuscation. The proposed emulator effectively identified 15%, 25% and 35% morphed viruses [<xref ref-type="bibr" rid="scirp.65748-ref8">8</xref>] .</p><p>Shabana et al. [<xref ref-type="bibr" rid="scirp.65748-ref14">14</xref>] used HMM to detect software piracy (<xref ref-type="fig" rid="fig3">Figure 3</xref>). In their work, the authors [<xref ref-type="bibr" rid="scirp.65748-ref14">14</xref>] used a metamorphic generator to create morphed copies of a basic code. The authors extracted opcode sequences from these copies and trained HMM on these sequences. Based on this learning, HMM computed similarity score of</p><fig id="fig2"  position="float"><label><xref ref-type="fig" rid="fig2">Figure 2</xref></label><caption><title> HMM score (LLPO)</title></caption><graphic mimetype="image"   position="float"  xlink:type="simple"  xlink:href="http://html.scirp.org/file/11-7800347x55.png"/></fig><fig id="fig3"  position="float"><label><xref ref-type="fig" rid="fig3">Figure 3</xref></label><caption><title> Code emulator process flow [<xref ref-type="bibr" rid="scirp.65748-ref8">8</xref>] </title></caption><graphic mimetype="image"   position="float"  xlink:type="simple"  xlink:href="http://html.scirp.org/file/11-7800347x56.png"/></fig><p>the suspicious program to the basiccode. The higher the similarity score, the more likely it is that the suspicious program is an altered version of the basiccode, and vice versa. This approach proved to be highly effective for detecting morphed viruses.</p></sec><sec id="s4_2_2"><title>4.2.2. Dueling HMM Detector</title><p>As mentioned in [<xref ref-type="bibr" rid="scirp.65748-ref3">3</xref>] [<xref ref-type="bibr" rid="scirp.65748-ref4">4</xref>] , HMM detector is effective for detecting metamorphic viruses. The work in [<xref ref-type="bibr" rid="scirp.65748-ref16">16</xref>] explored HMM in more depth. The authors built models for different compilers, extracted salient features of those models and used them in their proposed model to detect metamorphic viruses. In its classical implementation, HMM has been used to mark a file as infected if its virus code similarity exceeds a given threshold [<xref ref-type="bibr" rid="scirp.65748-ref4">4</xref>] [<xref ref-type="bibr" rid="scirp.65748-ref5">5</xref>] . However, authors’ proposed approach marks the suspect file as a virus only if the HMM estimates a high probability by comparing the suspect file with several developed HMMs. This approach proved to be highly effective in detecting the malware that even used advanced metamorphic techniques. On the other hand, this approach is deficient in balancing false negative and false positive results. In addition, this approach suffers from high performance overheads as compared with the work in [<xref ref-type="bibr" rid="scirp.65748-ref4">4</xref>] and [<xref ref-type="bibr" rid="scirp.65748-ref5">5</xref>] . To overcome this problem of high overheads, the work in [<xref ref-type="bibr" rid="scirp.65748-ref13">13</xref>] brings forth a hybrid approach of dueling HMM and traditional HMM.</p><p>Thunga and Neelisetti [<xref ref-type="bibr" rid="scirp.65748-ref17">17</xref>] proposed an intelligent classification approach based on HMM to identify viruses of metamorphic family. In the proposed approach, the authors train multiple HMMs, one for each virus family. They represent “n” opcodes sequences in an executable file as “n-gram”. The selection of n-gram affects the overall accuracy of the proposed approach. The n-gram sequence in the metamorphic virus is analyzed by comparing with the trained HMMs one by one using a “log-likelihood similarity measure”. A virus is considered to be a part of the family for which the “log-likelihood similarity measure” is the highest. The authors observed 90% accuracy for each family of viruses. The proposed method is easily scalable for a higher number of virus families. In addition, parallel implementation of the comparison phase makes the method very efficient [<xref ref-type="bibr" rid="scirp.65748-ref17">17</xref>] (<xref ref-type="fig" rid="fig4">Figure 4</xref>).</p></sec><sec id="s4_2_3"><title>4.2.3. Hyper HMM Detector</title><p>Researchers are still working to enhance the HMM detector. The authors in [<xref ref-type="bibr" rid="scirp.65748-ref18">18</xref>] proposed to use genetic algorithm with HMM. In HMM based techniques Baum-Welch method is used for solving one of the three problems [<xref ref-type="bibr" rid="scirp.65748-ref15">15</xref>] , i.e. estimating the parameters of the corresponding HMM given an output sequence. In this work the authors used genetic algorithm to solve the problem. The Baum-Welch algorithm is linear in nature and suffers from the local optima problem. The selection of genetic algorithm over traditional Baum-Welch method lies in the non-linearity of genetic algorithm.</p><p>There are two reasons to choose genetic algorithm over Baum-Welch algorithm [<xref ref-type="bibr" rid="scirp.65748-ref18">18</xref>] :</p><p>・ Genetic algorithm is a part of random and evolutionary algorithms and does not suffer from the local optima problem but Baum-Welch algorithm suffers from this problem.</p><fig id="fig4"  position="float"><label><xref ref-type="fig" rid="fig4">Figure 4</xref></label><caption><title> Work flow of the proposed HMM based classifier [<xref ref-type="bibr" rid="scirp.65748-ref17">17</xref>] </title></caption><graphic mimetype="image"   position="float"  xlink:type="simple"  xlink:href="http://html.scirp.org/file/11-7800347x57.png"/></fig><p>・ Genetic algorithm works on set of populations (comprising of numbers of chromosomes at time, while the Baum-Welch algorithm works on individuals, so the time required to train the model increases and set of opcodes remains shallow.</p><p>This proposed work [<xref ref-type="bibr" rid="scirp.65748-ref18">18</xref>] enhances HMM and results in higher accuracy in detecting metamorphic viruses.</p><p>Annachatre et al. [<xref ref-type="bibr" rid="scirp.65748-ref1">1</xref>] proposed new approach using HMM to detect metamorphic viruses based on classifier algorithm. In previous works like [<xref ref-type="bibr" rid="scirp.65748-ref3">3</xref>] [<xref ref-type="bibr" rid="scirp.65748-ref4">4</xref>] and [<xref ref-type="bibr" rid="scirp.65748-ref16">16</xref>] , the authors used HMM alone to detect metamorphic viruses. In contrast to these studies, Annachatre et al. used a classifier algorithm to enhance the effectiveness of HMM detector. The authors trained HMMs on a collection of malware. Then these models were evaluated and based on the resulting score the malware samples were separated into clusters using k-means clustering algorithm as a classifier. This work showed the highest accuracy as compared to previous works such as [<xref ref-type="bibr" rid="scirp.65748-ref3">3</xref>] [<xref ref-type="bibr" rid="scirp.65748-ref4">4</xref>] and [<xref ref-type="bibr" rid="scirp.65748-ref16">16</xref>] .</p><p>Payandeh et al. proposed a HMM based detection circle in [<xref ref-type="bibr" rid="scirp.65748-ref18">18</xref>] , where he characterized a virus family using three parameters: 1) the amount of virus similarities; 2) specifically-located character occurrence probability; 3) string occurrence probability. The proposed virus detection circle is developed on x, y coordinate axis, where x and y represent probabilities of the factors considered in the study. To evaluate the proposed approach, the authors used NGVCK kit to create morphed malware. Next, they calculated similarity scores of these viruses using Mishra’s algorithm after making using Mishra method samples in each family are compared two by tow. The least, the most and the average quantity of samples comparison in each virus creation kit can be seen in the following <xref ref-type="table" rid="table1">Table 1</xref>. The proposed approach detected these malware with 91% accuracy. This work shows good result in malware detection but need to improve the detection speed.</p><table-wrap id="table1" ><label><xref ref-type="table" rid="table1">Table 1</xref></label><caption><title> Min, Max and average kits similarities percentage</title></caption><table><tbody><thead><tr><th align="center" valign="middle" ></th><th align="center" valign="middle" >NGVCK</th><th align="center" valign="middle" >G2</th><th align="center" valign="middle" >VCL</th><th align="center" valign="middle" >PSMPC</th></tr></thead><tr><td align="center" valign="middle" >Min</td><td align="center" valign="middle" >0.00000</td><td align="center" valign="middle" >0.12858</td><td align="center" valign="middle" >0.19909</td><td align="center" valign="middle" >0.00000</td></tr><tr><td align="center" valign="middle" >MAX</td><td align="center" valign="middle" >0.23099</td><td align="center" valign="middle" >1.00000</td><td align="center" valign="middle" >0.97642</td><td align="center" valign="middle" >0.96875</td></tr><tr><td align="center" valign="middle" >Average</td><td align="center" valign="middle" >0.04835</td><td align="center" valign="middle" >0.470112</td><td align="center" valign="middle" >0.650315</td><td align="center" valign="middle" >0.32857</td></tr></tbody></table></table-wrap></sec></sec></sec><sec id="s5"><title>5. Comparison</title></sec><sec id="s6"><title>6. Research Directions</title><p>・ To detect malware based on clustering algorithms such as K-means, decision Tree etc. based on learning models such as HMM and Neural Network.</p><p>・ To study how different detection approaches performs against each obfuscation techniques like dead code technique.</p></sec><sec id="s7"><title>7. Conclusion</title><p>Malware is any code that is developed for malicious intent. The malware has rapidly become a major security threat for computing community and is the basic reason for the most of the security problems on internet. Recent malware can easily deceive the signature-based detection approaches by altering their code while keeping its function intact. To solve this problem, some machine learning techniques such as, HMM and Neural Network are used. In current study, we have compared several HMM based malware detection approaches. From this survey, we conclude that HMM is an efficient model to detect malware and further studies may focus on how to improve the classification of malware based on HMM as malware detection tool.</p></sec><sec id="s8"><title>Cite this paper</title><p>Saja Alqurashi,Omar Batarfi, (2016) A Comparison of Malware Detection Techniques Based on Hidden Markov Model. Journal of Information Security,07,215-223. doi: 10.4236/jis.2016.73017</p></sec></body><back><ref-list><title>References</title><ref id="scirp.65748-ref1"><label>1</label><mixed-citation publication-type="other" xlink:type="simple">Annachhatre, C., Austin, T.H. and Stamp, M. (2015) Hidden Markov Models for Malware Classification. Journal in Computer Virology and Hacking Techniques, 11, 59-73. http://dx.doi.org/10.1007/s11416-014-0215-x</mixed-citation></ref><ref id="scirp.65748-ref2"><label>2</label><mixed-citation publication-type="other" xlink:type="simple">Bazrafshan, Z., Hashemi, H., Fard, S.M.H. and Hamzeh, A. (2013) A Survey on Heuristic Malware Detection Techniques. The 5th Conference on Information and Knowledge Technology (IKT 2013), Shiraz, 28-30 May 2013, 113-120. http://dx.doi.org/10.1109/ikt.2013.6620049</mixed-citation></ref><ref id="scirp.65748-ref3"><label>3</label><mixed-citation publication-type="other" xlink:type="simple">Wong, W. (2006) Analysis and Detection of Metamorphic Computer Viruses. MSc, San Jose State University.</mixed-citation></ref><ref id="scirp.65748-ref4"><label>4</label><mixed-citation publication-type="other" xlink:type="simple">Wong, W. and Stamp, M. (2006) Hunting for Metamorphic Engines. Journal in Computer Virology, 2, 211-229. http://dx.doi.org/10.1007/s11416-006-0028-7</mixed-citation></ref><ref id="scirp.65748-ref5"><label>5</label><mixed-citation publication-type="other" xlink:type="simple">Bayer, U., Moser, A., Kruegel, C. and Kirda, E. (2006) Dynamic Analysis of Malicious Code. Journal in Computer Virology, 2, 67-77. http://dx.doi.org/10.1007/s11416-006-0012-2</mixed-citation></ref><ref id="scirp.65748-ref6"><label>6</label><mixed-citation publication-type="other" xlink:type="simple">Venkatesan, A. (2008) Code Obfuscation and Virus Detection. MSc, San Jose State University.</mixed-citation></ref><ref id="scirp.65748-ref7"><label>7</label><mixed-citation publication-type="other" xlink:type="simple">Dastidar, S.G., Mandal, S. and Barbhuiya, F.A. (2012) Detecting Metamorphic Virus Using Hidden Markov Model and Genetic Algorithm. Proceedings of the International Conference on Soft Computing for Problem Solving (SocProS 2011). India, 20-22 December 2011.</mixed-citation></ref><ref id="scirp.65748-ref8"><label>8</label><mixed-citation publication-type="other" xlink:type="simple">Priyadarshi, S. (2011) Metamorphic Detection via Emulation Metamorphic Detection via Emulation. San Jose State University.</mixed-citation></ref><ref id="scirp.65748-ref9"><label>9</label><mixed-citation publication-type="other" xlink:type="simple">Austin, T.H., Filiol, E., Josse, S. and Stamp, M. (2013) Exploring Hidden Markov Models for Virus Analysis: A Semantic Approach. 46th Hawaii International Conference on System Sciences, Wailea, 7-10 January 2013, 5039-5048. http://dx.doi.org/10.1109/hicss.2013.217</mixed-citation></ref><ref id="scirp.65748-ref10"><label>10</label><mixed-citation publication-type="other" xlink:type="simple">Rabiner, L.R. (1989) A Tutorial on Hidden Markov Models and Selected Applications in Speech Recognition. Proc. IEEE, 77, 257-286. http://dx.doi.org/10.1109/5.18626</mixed-citation></ref><ref id="scirp.65748-ref11"><label>11</label><mixed-citation publication-type="other" xlink:type="simple">Annachhatre, C. (2013) Hidden Markov Models for Malware Classification. San Jose State University.</mixed-citation></ref><ref id="scirp.65748-ref12"><label>12</label><mixed-citation publication-type="other" xlink:type="simple">Krogh, A. (1998) An Introduction to Hidden Markov Models for Biological Sequences. Computational Methods in Molecular Biology, 32, 45-63. http://dx.doi.org/10.1016/s0167-7306(08)60461-5</mixed-citation></ref><ref id="scirp.65748-ref13"><label>13</label><mixed-citation publication-type="other" xlink:type="simple">Stamp, M. (2004) A Revealing Introduction to Hidden Markov Models. Dep. Comput. Sci. San Jose State, 1-20.</mixed-citation></ref><ref id="scirp.65748-ref14"><label>14</label><mixed-citation publication-type="other" xlink:type="simple">Kazi, S. (2012) Hidden Markov Models for Software Piracy Detection. San Jose State University,</mixed-citation></ref><ref id="scirp.65748-ref15"><label>15</label><mixed-citation publication-type="journal" xlink:type="simple"><name name-style="western"><surname>Desai</surname><given-names> P. </given-names></name>,<etal>et al</etal>. (<year>2008</year>)<article-title>Towards an Undetectable Computer Virus</article-title><source> Intelligence</source><volume> 1</volume>,<fpage> 402</fpage>-<lpage>427</lpage>.<pub-id pub-id-type="doi"></pub-id></mixed-citation></ref><ref id="scirp.65748-ref16"><label>16</label><mixed-citation publication-type="other" xlink:type="simple">Kalbhor, A., Austin, T.H., Filiol, E., Josse, S. and Stamp, M. (2014) Dueling Hidden Markov Models for Virus Analysis. Journal in Computer Virology and Hacking Techniques, 11, 103-118.</mixed-citation></ref><ref id="scirp.65748-ref17"><label>17</label><mixed-citation publication-type="other" xlink:type="simple">Thunga, S.P. and Neelisetti, R.K. (2016) Identifying Metamorphic Virus Using N-Grams and Hidden Markov Model. 2015 International Conference on Advances in Computing, Communications and Informatics (ICACCI), Kochi, 2015, 2016-2022.</mixed-citation></ref><ref id="scirp.65748-ref18"><label>18</label><mixed-citation publication-type="other" xlink:type="simple">Payandeh, A. (2014) Detecting Encrypted Metamorphic Viruses by Hidden Markov Models. 2014 11th International Conference on Fuzzy Systems and Knowledge Discovery (FSKD), Xiamen, 2014, 973-977.</mixed-citation></ref></ref-list></back></article>