ACM Transactions on Modeling and Computer Simulation (TOMACS)
Editorial: Guest editorial: Special issue on data mining for information security
Information Sciences: an International Journal
POSTER: Detecting malware through temporal function-based features
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
| Hi-index | 0.00 |
In this research, we present a new method, termed F-Sign, for automatic extraction of unique signatures from malware files. F-Sign is primarily intended for high-speed network traffic filtering devices that are based on deep-packet inspection. Malicious executables are analyzed using two approaches: disassembly, utilizing IDA-Pro, and the application of a dedicated state machine in order to obtain the set of functions comprising the executables. The signature extraction process is based on a comparison with a common function repository. By eliminating functions appearing in the common function repository from the signature candidate list, F-Sign can minimize the risk of false-positive detection errors. To minimize false-positive rates even further, F-Sign proposes intelligent candidate selection using an entropy score to generate signatures. Evaluation of F-Sign was conducted under various conditions. The findings suggest that the proposed method can be used for automatically generating signatures that are both specific and sensitive.