{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,9,28]],"date-time":"2025-09-28T20:44:08Z","timestamp":1759092248603,"version":"3.37.3"},"reference-count":33,"publisher":"Springer Science and Business Media LLC","issue":"3","license":[{"start":{"date-parts":[[2021,2,19]],"date-time":"2021-02-19T00:00:00Z","timestamp":1613692800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2021,2,19]],"date-time":"2021-02-19T00:00:00Z","timestamp":1613692800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100007052","name":"Universit\u00e0 degli Studi di Verona","doi-asserted-by":"crossref","id":[{"id":"10.13039\/501100007052","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["J Comput Virol Hack Tech"],"published-print":{"date-parts":[[2021,9]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Metamorphic malware are self-modifying programs which apply semantic preserving transformations to their own code in order to foil detection systems based on signature matching. Metamorphism impacts both software security and code protection technologies: it is used by malware writers to evade detection systems based on pattern matching and by software developers for preventing malicious host attacks through software diversification. In this paper, we consider the problem of automatically extracting metamorphic signatures from the analysis of metamorphic malware variants. We define a metamorphic signature as an abstract program representation that ideally captures all the possible code variants that might be generated during the execution of a metamorphic program. For this purpose, we developed <jats:italic>MetaSign<\/jats:italic>: a tool that takes as input a collection of metamorphic code variants and produces, as output, a set of transformation rules that could have been used to generate the considered metamorphic variants. <jats:italic>MetaSign<\/jats:italic> starts from a control flow graph representation of the input variants and agglomerates them into an automaton which approximates the considered code variants. The upper approximation process is based on the concept of widening automata, while the semantic preserving transformation rules, used by the metamorphic program, can be viewed as rewriting rules and modeled as grammar productions. In this setting, the grammar recognizes the language of code variants, while the production rules model the metamorphic transformations. In particular, we formalize the language of code variants in terms of pure context-free grammars, which are similar to context-free grammars with no terminal symbols. After the widening process, we create a positive set of samples from which we extract the productions of the grammar by applying a learning grammar technique. This allows us to learn the transformation rules used by the metamorphic engine to generate the considered code variants. We validate the results of <jats:italic>MetaSign<\/jats:italic> on some case studies.<\/jats:p>","DOI":"10.1007\/s11416-021-00377-z","type":"journal-article","created":{"date-parts":[[2021,2,20]],"date-time":"2021-02-20T00:13:05Z","timestamp":1613779985000},"page":"167-183","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":8,"title":["Learning metamorphic malware signatures from samples"],"prefix":"10.1007","volume":"17","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-1099-3494","authenticated-orcid":false,"given":"Marco","family":"Campion","sequence":"first","affiliation":[]},{"given":"Mila","family":"Dalla\u00a0Preda","sequence":"additional","affiliation":[]},{"given":"Roberto","family":"Giacobazzi","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2021,2,19]]},"reference":[{"key":"377_CR1","unstructured":"Schwab, W., and Poujol, M.: \u201cThe state of industrial cybersecurity 2018,\u201d Trend Study Kaspersky Reports, p.\u00a033 (2018)"},{"key":"377_CR2","unstructured":"Institute\u2019s, P.: Ponemon institute\u2019s 2018 state of endpoint security risk (2018)"},{"key":"377_CR3","volume-title":"The Art of Computer Virus Research and Defense","author":"P Szor","year":"2005","unstructured":"Szor, P.: The Art of Computer Virus Research and Defense. Addison-Wesley Professional, New York (2005)"},{"key":"377_CR4","unstructured":"Beaucamps, P.: Advanced metamorphic techniques in computer viruses (2007)"},{"key":"377_CR5","unstructured":"Aycock, J.: Computer viruses and malware, vol.\u00a022. Springer Science & Business Media, New York (2006)"},{"key":"377_CR6","doi-asserted-by":"crossref","unstructured":"OKane, P., Sezer, S., McLaughlin, K.: Obfuscation: the hidden malware. IEEE Security Privacy 9(5), 41\u201347 (2011)","DOI":"10.1109\/MSP.2011.98"},{"issue":"2","key":"377_CR7","doi-asserted-by":"publisher","first-page":"46","DOI":"10.1109\/MSP.2007.31","volume":"5","author":"D Bruschi","year":"2007","unstructured":"Bruschi, D., Martignoni, L., Monga, M.: Code normalization for self-mutating malware. IEEE Secur. Priv. 5(2), 46\u201354 (2007)","journal-title":"IEEE Secur. Priv."},{"key":"377_CR8","doi-asserted-by":"crossref","unstructured":"Christodorescu, M., Jha, S.: Static analysis of executables to detect malicious patterns. Tech. rep., Wisconsin Univ-Madison Dept of Computer Sciences (2006)","DOI":"10.21236\/ADA449067"},{"key":"377_CR9","doi-asserted-by":"crossref","unstructured":"Dalla\u00a0Preda, M.: The grand challenge in metamorphic analysis. In: International Conference on Information Systems, Technology and Management, pp. 439\u2013444, Springer, Berlin (2012)","DOI":"10.1007\/978-3-642-29166-1_42"},{"issue":"1","key":"377_CR10","doi-asserted-by":"publisher","first-page":"47","DOI":"10.1016\/S0019-9958(80)90131-X","volume":"44","author":"HA Maurer","year":"1980","unstructured":"Maurer, H.A., Salomaa, A., Wood, D.: Pure grammars. Inf. Control 44(1), 47\u201372 (1980)","journal-title":"Inf. Control"},{"key":"377_CR11","unstructured":"D\u2019Silva, V.: Widening for automata. Diploma Thesis, Institut Fur Informatick, Universitat Zurich (2006)"},{"key":"377_CR12","doi-asserted-by":"publisher","first-page":"74","DOI":"10.1016\/j.tcs.2015.02.024","volume":"577","author":"M Dalla Preda","year":"2015","unstructured":"Dalla Preda, M., Giacobazzi, R., Debray, S.K.: Unveiling metamorphism by abstract interpretation of code properties. Theor. Comput. Sci. 577, 74\u201397 (2015)","journal-title":"Theor. Comput. Sci."},{"key":"377_CR13","doi-asserted-by":"publisher","DOI":"10.1017\/CBO9781139194655","volume-title":"Grammatical Inference: Learning Automata and Grammars","author":"C De la Higuera","year":"2010","unstructured":"De la Higuera, C.: Grammatical Inference: Learning Automata and Grammars. Cambridge University Press, Cambridge (2010)"},{"issue":"3","key":"377_CR14","first-page":"469","volume":"14","author":"T Koshiba","year":"2000","unstructured":"Koshiba, T., M\u00e4kinen, E., Takada, Y.: Inferring pure context-free languages from positive data. Acta Cybernetica 14(3), 469\u2013477 (2000)","journal-title":"Acta Cybernetica"},{"key":"377_CR15","unstructured":"Degenbaev, U.: Formal specification of the x86 instruction set architecture (2012)"},{"key":"377_CR16","unstructured":"Bergeron,J., Debbabi, M., Desharnais, J., Erhioui, M.M., Lavoie, Y., Tawbi, N.: Static detection of malicious code in executable programs. In: Symposium on Requirements Engineering for Information Security (2001)"},{"key":"377_CR17","unstructured":"Christodorescu, M., Jha, S.: Static analysis of executables to detect malicious patterns. In: Proceedings of the 12th USENIX Security Symposium, pp. 169\u2013186 (2003)"},{"key":"377_CR18","unstructured":"Singh, P., Lakhotia, A.: Static verification of worm and virus behaviour in binary executables using model checking. In: Proceedings of the 4th IEEE Information Assurance Workshop (2003)"},{"key":"377_CR19","doi-asserted-by":"crossref","unstructured":"Kinder, J., Katzenbeisser, S., Schallhart, C., Veith, H.: Detecting malicious code by model checking. In: Proceedings of the 2nd International Conference on Intrusion and Malware Detection and Vulnerability Assessment (DIMVA\u201905), vol. 3548 of LNCS, pp. 174\u2013187 (2005)","DOI":"10.1007\/11506881_11"},{"key":"377_CR20","doi-asserted-by":"crossref","unstructured":"Christodorescu, M., Jha, S., Seshia, S.A., Song, D., Bryant, R.E.: Semantics-aware malware detection. In: Proceedings of the IEEE Symposium on Security and Privacy (S&P\u201905), pp. 32\u201346 (2005)","DOI":"10.1109\/SP.2005.20"},{"issue":"4","key":"377_CR21","doi-asserted-by":"publisher","first-page":"307","DOI":"10.1007\/s11416-008-0081-5","volume":"4","author":"A Walenstein","year":"2008","unstructured":"Walenstein, A., Mathur, R., Chouchane, M.R., Lakhotia, A.: Constructing malware normalizers using term rewriting. J. Comput. Virol. 4(4), 307\u2013322 (2008)","journal-title":"J. Comput. Virol."},{"issue":"4","key":"377_CR22","doi-asserted-by":"publisher","first-page":"179","DOI":"10.1007\/s11416-013-0185-4","volume":"9","author":"D Baysa","year":"2013","unstructured":"Baysa, D., Low, R.M., Stamp, M.: Structural entropy and metamorphic malware. J. Comput. Virol. Hacking Tech. 9(4), 179\u2013192 (2013)","journal-title":"J. Comput. Virol. Hacking Tech."},{"key":"377_CR23","doi-asserted-by":"crossref","unstructured":"Lee, J., Austin, T.H., Stamp, M.: Compression-based analysis of metamorphic malware. Int. J. Secure. Network. 10(2), 124\u2013136 (2015)","DOI":"10.1504\/IJSN.2015.070426"},{"issue":"3","key":"377_CR24","doi-asserted-by":"publisher","first-page":"211","DOI":"10.1007\/s11416-006-0028-7","volume":"2","author":"W Wong","year":"2006","unstructured":"Wong, W., Stamp, M.: Hunting for metamorphic engines. J. Comput. Virol. 2(3), 211\u2013229 (2006)","journal-title":"J. Comput. Virol."},{"issue":"1","key":"377_CR25","doi-asserted-by":"publisher","first-page":"11","DOI":"10.1007\/s11416-013-0189-0","volume":"10","author":"G Canfora","year":"2014","unstructured":"Canfora, G., Iannaccone, A.N., Visaggio, C.A.: Static analysis for the detection of metamorphic computer viruses using repeated-instructions counting heuristics. J. Comput. Virol. Hacking Tech. 10(1), 11\u201327 (2014)","journal-title":"J. Comput. Virol. Hacking Tech."},{"issue":"3","key":"377_CR26","doi-asserted-by":"publisher","first-page":"201","DOI":"10.1007\/s11416-010-0148-y","volume":"7","author":"D Lin","year":"2011","unstructured":"Lin, D., Stamp, M.: Hunting for undetectable metamorphic viruses. J. Comput. Virol. 7(3), 201\u2013214 (2011)","journal-title":"J. Comput. Virol."},{"issue":"2","key":"377_CR27","doi-asserted-by":"publisher","first-page":"89","DOI":"10.1007\/s11416-014-0225-8","volume":"11","author":"M Musale","year":"2015","unstructured":"Musale, M., Austin, T.H., Stamp, M.: Hunting for metamorphic javascript malware. J. Comput. Virol. Hacking Tech. 11(2), 89\u2013102 (2015)","journal-title":"J. Comput. Virol. Hacking Tech."},{"issue":"3","key":"377_CR28","doi-asserted-by":"publisher","first-page":"159","DOI":"10.1007\/s11416-013-0184-5","volume":"9","author":"G Shanmugam","year":"2013","unstructured":"Shanmugam, G., Low, R.M., Stamp, M.: Simple substitution distance and metamorphic detection. J. Comput. Virol. Hacking Tech. 9(3), 159\u2013170 (2013)","journal-title":"J. Comput. Virol. Hacking Tech."},{"issue":"1\u20132","key":"377_CR29","doi-asserted-by":"publisher","first-page":"233","DOI":"10.1016\/0304-3975(83)90088-9","volume":"26","author":"W Bucher","year":"1983","unstructured":"Bucher, W., Hagauer, J.: It is decidable whether a regular language is pure context-free. Theoret. Comput. Sci. 26(1\u20132), 233\u2013241 (1983)","journal-title":"Theoret. Comput. Sci."},{"key":"377_CR30","doi-asserted-by":"crossref","unstructured":"Zhou, Y., Jiang, X.: Dissecting android malware: Characterization and evolution. In: 2012 IEEE Symposium on Security and Privacy, pp. 95\u2013109, IEEE (2012)","DOI":"10.1109\/SP.2012.16"},{"key":"377_CR31","doi-asserted-by":"crossref","unstructured":"Lakhotia, V., Dalla Preda, M., Giacobazzi, R.: Fast location of similar code fragments using semantic \u2019juice\u2019. In: 2nd Workshop on Program Protection and Reverse Engineering PPREW 2013, ACM (2013)","DOI":"10.1145\/2430553.2430558"},{"issue":"4","key":"377_CR32","doi-asserted-by":"publisher","first-page":"647","DOI":"10.1145\/321479.321488","volume":"15","author":"AV Aho","year":"1968","unstructured":"Aho, A.V.: Indexed grammars - an extension of context-free grammars. J. ACM 15(4), 647\u2013671 (1968)","journal-title":"J. ACM"},{"key":"377_CR33","doi-asserted-by":"crossref","unstructured":"Campion, M., Dalla\u00a0Preda, M., and Giacobazzi, R.: Abstract interpretation of indexed grammars. In: International Static Analysis Symposium, pp. 121\u2013139, Springer, Berlin (2019)","DOI":"10.1007\/978-3-030-32304-2_7"}],"container-title":["Journal of Computer Virology and Hacking Techniques"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s11416-021-00377-z.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s11416-021-00377-z\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s11416-021-00377-z.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2021,9,21]],"date-time":"2021-09-21T18:17:26Z","timestamp":1632248246000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s11416-021-00377-z"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,2,19]]},"references-count":33,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2021,9]]}},"alternative-id":["377"],"URL":"https:\/\/doi.org\/10.1007\/s11416-021-00377-z","relation":{},"ISSN":["2263-8733"],"issn-type":[{"type":"electronic","value":"2263-8733"}],"subject":[],"published":{"date-parts":[[2021,2,19]]},"assertion":[{"value":"1 September 2020","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"6 January 2021","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"19 February 2021","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}}]}}