• DocumentCode
    1335602
  • Title

    F-Sign: Automatic, Function-Based Signature Generation for Malware

  • Author

    Shabtai, Asaf ; Menahem, Eitan ; Elovici, Yuval

  • Author_Institution
    Dept. of Inf. Syst. Eng., Ben-Gurion Univ., Beer-Sheva, Israel
  • Volume
    41
  • Issue
    4
  • fYear
    2011
  • fDate
    7/1/2011 12:00:00 AM
  • Firstpage
    494
  • Lastpage
    508
  • Abstract
    In this research, we present a new method, termed F-Sign, for automatic extraction of unique signatures from malware files. F-Sign is primarily intended for high-speed network traffic filtering devices that are based on deep-packet inspection. Malicious executables are analyzed using two approaches: disassembly, utilizing IDA-Pro, and the application of a dedicated state machine in order to obtain the set of functions comprising the executables. The signature extraction process is based on a comparison with a common function repository. By eliminating functions appearing in the common function repository from the signature candidate list, F-Sign can minimize the risk of false-positive detection errors. To minimize false-positive rates even further, F-Sign proposes intelligent candidate selection using an entropy score to generate signatures. Evaluation of F-Sign was conducted under various conditions. The findings suggest that the proposed method can be used for automatically generating signatures that are both specific and sensitive.
  • Keywords
    digital signatures; error detection; finite state machines; invasive software; F-sign; IDA-Pro; automatic extraction; automatic signature generation; common function repository; deep packet inspection; entropy score; false positive detection error; function-based signature generation; high speed network traffic filtering device; intelligent candidate selection; malware; signature candidate list; signature extraction process; state machine; Binary codes; Grippers; Libraries; Malware; Monitoring; Real time systems; Software; Automatic signature generation (ASG); malware; malware filtering;
  • fLanguage
    English
  • Journal_Title
    Systems, Man, and Cybernetics, Part C: Applications and Reviews, IEEE Transactions on
  • Publisher
    ieee
  • ISSN
    1094-6977
  • Type

    jour

  • DOI
    10.1109/TSMCC.2010.2068544
  • Filename
    5585792