F-Sign: Automatic, Function-Based Signature Generation for Malware

In this research, we present a new method, termed F-Sign, for automatic extraction of unique signatures from malware files. F-Sign is primarily intended for high-speed network traffic filtering devices that are based on deep-packet inspection. Malicious executables are analyzed using two approaches: disassembly, utilizing IDA-Pro, and the application of a dedicated state machine in order to obtain the set of functions comprising the executables. The signature extraction process is based on a comparison with a common function repository. By eliminating functions appearing in the common function repository from the signature candidate list, F-Sign can minimize the risk of false-positive detection errors. To minimize false-positive rates even further, F-Sign proposes intelligent candidate selection using an entropy score to generate signatures. Evaluation of F-Sign was conducted under various conditions. The findings suggest that the proposed method can be used for automatically generating signatures that are both specific and sensitive.