Abstract
In this research, we present a new method, termed F-Sign, for the automatic extraction of unique signatures from malware files. F-Sign is primarily intended for high-speed network traffic filtering devices based on deep-packet inspection. Malicious executables are analyzed in two ways, by disassembly with IDA-Pro and by a dedicated state machine, to obtain the set of functions comprising each executable. The signature extraction process is based on a comparison with a common function repository: by eliminating functions that appear in the repository from the list of signature candidates, F-Sign minimizes the risk of false-positive detections. To reduce the false-positive rate further, F-Sign selects among the remaining candidates using an entropy score and generates signatures from the chosen candidates. F-Sign was evaluated under various conditions, and the findings suggest that the proposed method can automatically generate signatures that are both specific and sensitive.
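The pipeline the abstract describes (recover functions, drop those found in a common function repository, rank the rest by entropy, emit the best candidate as a byte signature) is illustrated below with an added Python example. This is not the authors' code: the abstract does not specify how functions are compared against the repository or how the entropy score is computed, so the example assumes exact-match SHA-256 hashing of function bodies and plain Shannon entropy over the function's bytes, and it takes the function bodies as given rather than recovering them with IDA-Pro or a state machine. All function byte strings and the "benign" and "malware" programs are constructed for the example.

```python
"""Added illustration of the F-Sign signature-selection idea (not the authors' code).

Assumptions not stated in the abstract: function bodies are already recovered,
the common function repository is a set of SHA-256 hashes of exact function bytes,
and the entropy score is Shannon entropy (bits per byte) of the candidate's bytes.
"""
import hashlib
import math
from collections import Counter

# --- constructed sample function bodies (x86-encoded stubs, not real malware) ---
COMMON_PROLOGUE = bytes.fromhex("5589e583ec105dc3")            # push ebp; mov ebp,esp; sub esp,0x10; pop ebp; ret
COMMON_MEMSET = bytes.fromhex("8b7c24048b4c24088a44240cf3aac3")  # load args; rep stosb; ret
NOP_PAD = b"\x90" * 15 + b"\xc3"                                  # padding: 15 nops + ret, low entropy
XOR_DECODER = bytes.fromhex("31c98a040b345a88040b4139d175f3c3")  # xor-decode loop with key 0x5a

# Programs are lists of function bodies; the repository is built from the benign ones.
BENIGN_PROGRAMS = [
    [COMMON_PROLOGUE, COMMON_MEMSET],
    [COMMON_PROLOGUE],
]
MALWARE_VARIANTS = [
    [COMMON_PROLOGUE, NOP_PAD, XOR_DECODER],   # sample used for signature extraction
    [COMMON_MEMSET, XOR_DECODER],              # variant sharing only the decoder
]
# A benign binary that was NOT in the repository but happens to contain nop padding.
HELD_OUT_BENIGN = COMMON_PROLOGUE + NOP_PAD


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def function_hash(body: bytes) -> str:
    """Repository key: hash of the exact function bytes (assumed comparison method)."""
    return hashlib.sha256(body).hexdigest()


def build_common_function_repository(benign_programs) -> set:
    """Every function body seen in any benign program goes into the repository."""
    return {function_hash(body) for funcs in benign_programs for body in funcs}


def select_signature(malware_functions, repository, min_len: int = 8):
    """Drop repository functions, then pick the highest-entropy remaining candidate.

    Returns None when nothing survives filtering (e.g. the sample is built only
    from library code), so the caller never emits a signature that would match
    benign binaries. Ties on entropy are broken in favour of the longer body.
    """
    candidates = [
        f for f in malware_functions
        if len(f) >= min_len and function_hash(f) not in repository
    ]
    if not candidates:
        return None
    return max(candidates, key=lambda f: (shannon_entropy(f), len(f)))


def signature_matches(signature: bytes, blob: bytes) -> bool:
    """DPI-style check: the signature occurs as a contiguous byte substring."""
    return signature in blob


def run_demo() -> dict:
    """Extract a signature from the first variant and measure hits on every sample."""
    repo = build_common_function_repository(BENIGN_PROGRAMS)
    sig = select_signature(MALWARE_VARIANTS[0], repo)
    benign_blobs = [b"".join(p) for p in BENIGN_PROGRAMS] + [HELD_OUT_BENIGN]
    malware_blobs = [b"".join(v) for v in MALWARE_VARIANTS]
    return {
        "signature": sig.hex(),
        "entropy": shannon_entropy(sig),
        "hits_on_malware": sum(signature_matches(sig, b) for b in malware_blobs),
        "false_positives": sum(signature_matches(sig, b) for b in benign_blobs),
        # What the low-entropy candidate would have cost us had it been chosen:
        "nop_pad_false_positives": sum(signature_matches(NOP_PAD, b) for b in benign_blobs),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The two filters do different jobs: the repository removes library code that the malware merely links against (here `COMMON_PROLOGUE`), while the entropy ranking discards survivors such as nop padding that are not in the repository but are so generic that a held-out benign binary also contains them. Only the decoder loop is both absent from the repository and byte-diverse enough to be a specific signature, and it still fires on the second variant, which shares nothing else with the first.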
| Field | Value |
|---|---|
| Original language | English |
| Article number | 5585792 |
| Pages (from-to) | 494-508 |
| Number of pages | 15 |
| Journal | IEEE Transactions on Systems, Man and Cybernetics Part C: Applications and Reviews |
| Volume | 41 |
| Issue number | 4 |
| DOIs | |
| State | Published - 1 Jan 2011 |
Keywords
- Automatic signature generation (ASG)
- malware
- malware filtering
ASJC Scopus subject areas
- Control and Systems Engineering
- Software
- Information Systems
- Human-Computer Interaction
- Computer Science Applications
- Electrical and Electronic Engineering