Richard M. Low

Opcode graph similarity and metamorphic detection

In this paper, we consider a method for computing the similarity of executable files, based on opcode graphs. We apply this technique to the challenging problem of metamorphic malware detection and compare the results to previous work based on hidden Markov models. In addition, we analyze the effect of various morphing techniques on the success of our proposed opcode graph-based detection scheme.

Structural entropy and metamorphic malware

Metamorphic malware is capable of changing its internal structure without altering its functionality. A common signature is nonexistent in highly metamorphic malware and, consequently, such malware can remain undetected under standard signature scanning. In this paper, we apply previous work on structural entropy to the metamorphic detection problem. This technique relies on an analysis of variations in the complexity of data within a file. The process consists of two stages, namely, file segmentation and sequence comparison. In the segmentation stage, we use entropy measurements and wavelet analysis to segment files. The second stage measures the similarity of file pairs by computing an edit distance between the sequences of segments obtained in the first stage. We apply this similarity measure to the metamorphic detection problem and show that we obtain strong results in certain challenging cases.

Simple substitution distance and metamorphic detection

To evade signature-based detection, metamorphic viruses transform their code before each new infection. Software similarity measures are a potentially useful means of detecting such malware. We can compare a given file to a known sample of metamorphic malware and compute their similarity—if they are sufficiently similar, we classify the file as malware of the same family. In this paper, we analyze an opcode-based software similarity measure inspired by simple substitution cipher cryptanalysis. We show that the technique provides a useful means of classifying metamorphic malware.

HTTP attack detection using n-gram analysis

Previous research has shown that byte-level analysis of network traffic can be useful for network intrusion detection and traffic analysis. Such an approach does not require any knowledge of applications running on web servers or any pre-processing of incoming data. In this paper, we apply three n-gram techniques to the problem of HTTP attack detection. The goal is to provide a first line of defense by filtering the vast majority of benign HTTP traffic, leaving only a relatively small amount of suspect traffic for more costly processing. We analyze these n-gram techniques in terms of accuracy and performance. Our results show that we can attain equal or better detection rates at considerably less cost, in comparison to a previously developed HMM-based technique. We also apply these techniques to a highly realistic dataset consisting of four recent attacks and show that we obtain equally strong results in this case. Overall, these results indicate that this type of byte-level analysis is highly effective and practical.

Efficient Cryptanalysis of Homophonic Substitution Ciphers

Abstract Substitution ciphers are among the earliest methods of encryption. Examples of classic substitution ciphers include the well-known simple substitution and the less well-known homophonic substitution. Simple substitution ciphers are indeed simple, both in terms of their use and their cryptanalysis. Homophonic substitutions—in which a plaintext symbol can map to more than one ciphertext symbol—are also easy to use, but far more challenging to break. Even with modern computing technology, homophonic substitutions can present a significant cryptanalytic challenge. This article focuses on the design and implementation of an efficient algorithm to break homophonic substitution ciphers. The authors employ a nested hill climb approach that generalizes the fastest known attack on simple substitution ciphers. They test their algorithm on a wide variety of homophonic substitutions and provide success rates as a function of both the ciphertext alphabet size and ciphertext length. Finally, they apply their technique to the “Zodiac 340” cipher, which is an unsolved message created by the infamous Zodiac killer.

Integer-magic spectra of sun graphs

Abstract Let A be a non-trivial Abelian group. A graph G=(V,E) is A-magic if there exists a labeling f:E→A∖{0} such that the induced vertex set labeling f+:V→A, defined by f+(v)=∑f(uv) where the sum is over all uv∈E, is a constant map. The integer-magic spectrum of a graph G is the set IM(G)={k∈ℕ∣G is ℤk-magic}. A sun graph is obtained from an n-cycle, by attaching paths to each pair of adjacent vertices in the cycle. In this paper, we investigate the integer-magic spectra of some sun graphs.

Classic cryptanalysis using hidden Markov models

ABSTRACT In this article, the authors present a detailed introduction to hidden Markov models (HMM). They then apply HMMs to the problem of solving simple substitution ciphers, and they empirically determine the accuracy as a function of the ciphertext length and the number of random restarts. Application to homophonic substitutions and other classic ciphers is briefly considered.

Rank classification of tensors over

We consider tensors of format over the finite field . We use computer algebra to classify these tensors by their tensor rank, thus determining the maximum tensor rank to be 9. As a corollary, we provide a new upper bound that the maximum rank of an order-n tensor of format , for , over is at most . We also determine that there are 261 canonical forms of the rank 9 (maximum rank) tensors under the action of , the semi-direct product of (a direct product of) general linear groups with the symmetric group on five elements.

Notes on the combinatorial game: graph Nim

The combinatorial game of Nim can be played on graphs. Over the years, various Nim-like games on graphs have been proposed and studied by N.J. Calkin et al., L.A. Erickson and M. Fukuyama. In this paper, we focus on the version of Nim played on graphs which was introduced by N.J. Calkin et al.: Two players alternate turns, each time choosing a vertex

Cryptanalysis of Typex

v