F-Sign: Automatic, Function-Based Signature Generation for Malware

Shabtai, Assaf; Menahem, Eitan; Elovici, Yuval

doi:10.1109/tsmcc.2010.2068544

Cited by 35 publications

(11 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Once this is done, the final candidate for generation of the unique signature is selected using one of the 2 methods; intelligent candidate selection using entropy score or random selection. Candidate with the highest entropy have large amounts of information, thus they are best suited to generate signatures [6].…”

Section: Signaturementioning

confidence: 99%

“…After detection of anomalous episodes, signatures need to be generated, which can be stored in the attack signature database for further use. F-Sign [6] which is an automatic attack signature generation mechanism complements to generate signatures specific and sensitive in nature. The scholarly material regarding these procedures is studied, analyzed and evaluated to gain detailed information about the same.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Comparative Evaluation of Algorithm based Approach for Intrusion Detection using a Hybrid Model

Mahadik¹,

Parsekar²,

Choudhary³

et al. 2015

IJCA

View full text Add to dashboard Cite

Adequate system security is the first step towards data integrity and protection, however even with the most advanced protection, modern computer and communication infrastructures are susceptible to various types of attacks. With traditional signature based systems losing proficiency, the Hybrid Intrusion Detection System (HIDS) approach proves the vitality of detecting intrusions and anomalies, simultaneously, by automated data mining over network traffic and signature generation. This paper will focus on analyzing different anomaly detection techniques used to detect zero day attacks and an automatic attack signature generation mechanism that can be complemented with the former. This will serve to be an elemental analysis of a few techniques, their working, and their pros and cons put together in a concise form.

show abstract

Section: Signaturementioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Comparative Evaluation of Algorithm based Approach for Intrusion Detection using a Hybrid Model

Mahadik¹,

Parsekar²,

Choudhary³

et al. 2015

IJCA

View full text Add to dashboard Cite

show abstract

“…We also assume that these transmissions are not encrypted or archived. In these cases, efficient generation of short signatures [Shabtai et al 2010] allows to prevent malicious software from being transmitted even if only part of the transmission is intercepted by the filtering devices. Computers may have anti-virus software.…”

Section: Modeling Assumptionsmentioning

confidence: 99%

“…Route stability [Schwartz et al 2010] and the fact that small enough signatures are sufficient to prevent a malicious file from being transmitted through the network [Shabtai et al 2010], enable PIDPS to implement a very shallow transport layer. It receives the identifier of an attack or a legitimate traffic from the application layer and wraps it in a single message along with the data size label.…”

Section: Network Topologymentioning

confidence: 99%

A Decision Support System for Placement of Intrusion Detection and Prevention Devices in Large-Scale Networks

Puzis

Tubi

Elovici

et al. 2011

ACM Trans. Model. Comput. Simul.

Self Cite

View full text Add to dashboard Cite

This article describes an innovative Decision Support System (DSS) for Placement of Intrusion Detection and Prevention Systems (PIDPS) in large-scale communication networks. PIDPS is intended to support network security personnel in optimizing the placement and configuration of malware filtering and monitoring devices within Network Service Providers' (NSP) infrastructure, and enterprise communication networks. PIDPS meshes innovative and state-of-the-art mechanisms borrowed from the domains of graph theory, epidemic modeling, and network simulation. Scalable network exploitation models enable to define the communication patterns induced by network users (thereby establishing a virtual overlay network), and parallel attack models enable a PIDPS user to define various interdependent network attacks such as: Internet worms, Trojans horses, Denial of Service (DoS) attacks, and others. PIDPS incorporates a set of deployment strategies (employing graph-theoretic centrality measures) in order to facilitate intelligent placement of filtering and monitoring devices; as well as a dedicated network simulator in order to evaluate the various deployments. Experiments with PIDPS indicate that incorporating knowledge on the overlay network (network exploitation patterns) into the placement and configuration of malware filtering and monitoring devices substantially improves the effectiveness of intrusion detection and prevention systems in NSP and enterprise networks. ACM Reference Format:Puzis, R., Tubi, M., Elovici, Y., Glezer, C., and Dolev, S. 2011. A decision support system for placement of intrusion detection and prevention devices in large-scale networks. ACM Trans. Model. Comput. Simul.

show abstract

“…The method based on static analysis generally uses software to disassemble malware files without their execution, and adopts byte-level [3] [4], function-call graph [5] [6], instruction operation codes sequence [7] [8] or string feature [9] to extract signature, which represents structure and function of malware. In the paper [4], malwares are analyzed using two approaches: disassembly, utilizing IDA-Pro, and the application of a dedicated state machine in order to obtain the set of functions comprising the executables based on byte-level. Shanhu Shang [5] uses a novel algorithm to construct the function-call graph from the assembly instructions, and proposes an effective graph matching method based on vertexes to compute similarity between two binaries.…”

Section: Introductionmentioning

confidence: 99%

A Malware Variant Detection Method Based on Byte Randomness Test

Qi¹,

Xu²,

Zheng³

2013

JCP

View full text Add to dashboard Cite

Malware variants, referring to the different members in the same malware family, are generally produced by simply modifying the existing malwares in order to avoid being detected by the traditional signaturebased methods. The mass of malware variants has brought great difficulties to detect malicious code. In this paper, a malware variants detection method based on byte randomness tests is proposed. The bytes distribution value of the instruction sequences obtained from randomness tests , named as the byte randomness profiles, can preserves enough local detail about program, so it can be used as feature vector to represent malware in a distinctive manner. Moreover, the sum of squares distance (SSD) and the cosine similarity (COS) are used to measure the distinctiveness between two malwares. Experimental results show that the proposed method provides a fast and effective way to detect variants of known malware families.

show abstract

F-Sign: Automatic, Function-Based Signature Generation for Malware

Cited by 35 publications

References 27 publications

Comparative Evaluation of Algorithm based Approach for Intrusion Detection using a Hybrid Model

Comparative Evaluation of Algorithm based Approach for Intrusion Detection using a Hybrid Model

A Decision Support System for Placement of Intrusion Detection and Prevention Devices in Large-Scale Networks

A Malware Variant Detection Method Based on Byte Randomness Test

Contact Info

Product

Resources

About