Article | Pros/strengths | Cons/limitations |
Analysis and Detection of Metamorphic Computer Viruses [3] [4] | Used HMM for detection and is able to identify all malware. | Cannot classify malware into families (HMM binary classification). |
Code Obfuscation and Virus Detection [6] | HMM is able to identify metamorphic viruses better than commercial AV. | - |
Metamorphic Detection via Emulation [8] | Improved HMM detection by using an emulator to detect dead code in metamorphic malware. | - |
Towards an Undetectable Computer Virus [15] | Proves that an HMM detector is effective at identifying metamorphic viruses with high accuracy. | Still HMM binary classification (classifies malware as family or non-family). |
Hidden Markov Models for Software Piracy Detection [14] | HMM detected pirated software with high accuracy. | Still HMM binary classification (classifies malware as family or non-family). |
Dueling Hidden Markov Models for Virus Analysis [16] | Achieved good results in detecting malware developed using advanced metamorphic techniques. | No balance between false positives and false negatives. High performance overhead. |
Identifying Metamorphic Virus Using n-grams and HMM [17] | Scalable for a number of HMMs (directly proportional to the number of virus families). | - |
Detecting Metamorphic Virus Using Hidden Markov Model and Genetic Algorithm [7] | Enhanced HMM using a genetic algorithm to detect metamorphic viruses. | Still HMM binary classification (classifies malware as family or non-family). |
Hidden Markov Models for Malware Classification [1] | Improved malware detection by HMM using the k-means clustering algorithm as a classifier. | The classifier needs to be enhanced. |
Detecting Encrypted Metamorphic Viruses by Hidden Markov Models [18] | Characterized each family of malware in terms of three parameters: 1) string occurrence probability; 2) specifically-located character occurrence probability; 3) the amount of virus similarities. These parameters improved the accuracy of malware detection using HMM. | The detection speed was slower than traditional HMM. Also, the sample data is small for testing the proposed solution. |