F-sign: Automatic, function-based signature generation for malware

Asaf Shabtai, Eitan Menahem, Yuval Elovici

Research output: Contribution to journal › Article › peer-review

26 Scopus citations

Abstract

In this research, we present a new method, termed F-Sign, for the automatic extraction of unique signatures from malware files. F-Sign is primarily intended for high-speed network traffic filtering devices based on deep-packet inspection. Malicious executables are analyzed using two approaches, disassembly with IDA-Pro and a dedicated state machine, in order to obtain the set of functions comprising each executable. The signature extraction process is based on a comparison with a common function repository: by removing every function that also appears in the repository from the list of signature candidates, F-Sign minimizes the risk of false-positive detections on benign software that shares library code with the malware. To reduce the false-positive rate even further, F-Sign selects among the remaining candidates using an entropy score, preferring high-entropy function bodies over low-entropy ones when generating signatures. F-Sign was evaluated under various conditions. The findings suggest that the proposed method can automatically generate signatures that are both specific (a low false-positive rate) and sensitive (a low false-negative rate).
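The pipeline the abstract describes (split an executable into functions, subtract those found in a common function repository, rank the survivors by an entropy score, keep the best as signatures) is illustrated below with a small added example. This is not the authors' code and makes several simplifying assumptions that the paper does not: function boundaries are found by scanning for the x86 prologue `55 8B EC` (`push ebp; mov ebp, esp`) instead of IDA-Pro or the paper's state machine; the repository is a set of SHA-256 hashes of function bodies taken from benign binaries; the candidate score is plain Shannon byte entropy with a hypothetical threshold of 2.0 bits/byte; and the "binaries" are constructed byte strings, not real samples. The names `split_functions`, `build_repository`, `generate_signatures` and `matches` are this example's own.

```python
"""Toy function-based signature generation in the spirit of F-Sign.

Added example, not the paper's implementation. Assumptions (not from the
paper): functions are located by scanning for the x86 prologue 55 8B EC,
a stand-in for a disassembler or the paper's state machine; the common
function repository is a set of SHA-256 hashes of benign function bodies;
the candidate score is Shannon byte entropy; all binaries are constructed.
"""
from __future__ import annotations

import hashlib
import math
from collections import Counter

PROLOGUE = b"\x55\x8b\xec"  # push ebp; mov ebp, esp


def split_functions(code: bytes) -> list[bytes]:
    """Cut `code` into function bodies, one per prologue occurrence.

    Each body runs from its prologue to the next prologue (or end of code).
    Bytes before the first prologue are ignored.
    """
    starts = []
    pos = code.find(PROLOGUE)
    while pos != -1:
        starts.append(pos)
        pos = code.find(PROLOGUE, pos + 1)
    return [code[s:(starts[i + 1] if i + 1 < len(starts) else len(code))]
            for i, s in enumerate(starts)]


def fhash(func: bytes) -> str:
    """Identity of a function body in the repository."""
    return hashlib.sha256(func).hexdigest()


def entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_repository(benign_binaries: list[bytes]) -> set[str]:
    """Common function repository: hashes of every function seen in benign code."""
    return {fhash(f) for b in benign_binaries for f in split_functions(b)}


def generate_signatures(malware: bytes, repo: set[str], min_len: int = 8,
                        min_entropy: float = 2.0, max_sigs: int = 2) -> list[bytes]:
    """Candidates = functions not in the repository; keep the highest-entropy ones."""
    candidates = [f for f in split_functions(malware)
                  if fhash(f) not in repo and len(f) >= min_len]
    candidates.sort(key=entropy, reverse=True)
    return [f for f in candidates if entropy(f) >= min_entropy][:max_sigs]


def matches(sample: bytes, signatures: list[bytes]) -> bool:
    """Byte-substring match, as a DPI filter would apply the signature."""
    return any(sig in sample for sig in signatures)


# --- constructed sample data (not real binaries) ---------------------------
LIB_GET_ARG = PROLOGUE + b"\x8b\x45\x08\x5d\xc3"          # mov eax,[ebp+8]; pop ebp; ret
LIB_ZERO = PROLOGUE + b"\x33\xc0\x5d\xc3"                  # xor eax,eax; pop ebp; ret
LIB_ADD = PROLOGUE + b"\x8b\x45\x08\x03\x45\x0c\x5d\xc3"  # add two args
# Malware-specific XOR decode loop: high entropy, appears in no benign binary.
DECODER_FUNC = PROLOGUE + (b"\x8b\x4d\x08\x8a\x01\x34\x5a\x88\x01\x41"
                           b"\x80\x39\x00\x75\xf5\x5d\xc3")
# Malware-specific but low-entropy padding function: a poor signature choice.
NOP_FUNC = PROLOGUE + b"\x90" * 20 + b"\x5d\xc3"

BENIGN_A = LIB_GET_ARG + LIB_ZERO
BENIGN_B = LIB_ZERO + LIB_ADD
MALWARE = LIB_GET_ARG + DECODER_FUNC + LIB_ZERO + NOP_FUNC
REPO = build_repository([BENIGN_A, BENIGN_B])


if __name__ == "__main__":
    sigs = generate_signatures(MALWARE, REPO)
    for s in sigs:
        print(f"signature ({len(s)} bytes, H={entropy(s):.2f}): {s.hex()}")
    print("malware matches:", matches(MALWARE, sigs))
    print("benign A matches:", matches(BENIGN_A, sigs))
```

Running the script selects only the decode loop as a signature: the two library helpers are discarded because their hashes sit in the repository, and the padding function is discarded by the entropy threshold even though it is equally unique to the sample. The resulting signature hits the malware and neither benign binary, which is the specific-and-sensitive property the abstract refers to.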

Original language: English
Article number: 5585792
Pages (from-to): 494-508
Number of pages: 15
Journal: IEEE Transactions on Systems, Man and Cybernetics Part C: Applications and Reviews
Volume: 41
Issue number: 4
DOIs
State: Published - 1 Jan 2011

Keywords

  • Automatic signature generation (ASG)
  • malware
  • malware filtering
