Journal in Computer Virology

, Volume 6, Issue 2, pp 91–103 | Cite as

Auto-Sign: an automatic signature generator for high-speed malware filtering devices

  • Gil Tahan
  • Chanan Glezer
  • Yuval Elovici
  • Lior Rokach
Original Paper


This research proposes a novel automatic method (termed Auto-Sign) for extracting unique signatures of malware executables to be used by high-speed malware filtering devices based on deep-packet inspection and operating in real-time. Contrary to extant string and token-based signature generation methods, we implemented Auto-Sign an automatic signature generation method that can be used on large-size malware by disregarding signature candidates which appear in benign executables. Results from experimental evaluation of the proposed method suggest that picking a collection of executables which closely represents commonly used code, plays a key role in achieving highly specific signatures which yield low false positives.


Signature Candidate Malicious Code Common Code Automatic Signature Common Segment 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Brumley, D., Newsome, J., Song, D., Wang, H., Jha, S.: Towards automatic generation of vulnerability-based signatures. In: Proceedings of the 2006 IEEE Symposium on Security and Privacy (2006)Google Scholar
  2. 2.
    Szor P.: The Art of Computer Virus Research and Defense. Addison–Wesley, Reading (2005)Google Scholar
  3. 3.
    Kim, H.A., Karp, B.: Autograph: Toward automated, distributed worm Signature detection. In: Proceedings of the 13th Usenix Security Symposium (Security 2004), San Diego, CA, August (2004)Google Scholar
  4. 4.
    Wang, K., Stolfo, S.J.: Anomalous payload-based network intrusion detection. In: Recent Advance in Intrusion Detection (RAID), September (2004)Google Scholar
  5. 5.
    Singh, S., Eitan, C., Varghese, G., Savage, S.: Automated worm fingerprinting. In: 6th Symposium on Operating Systems Design and Implementation (OSDI), December (2004)Google Scholar
  6. 6.
    Yegneswaran, V., Giffin, J.T., Barford, P., Jha, S.: An architecture for generating semantics-aware signatures. In: 14th USENIX Security Symposium. Baltimore, Maryland, August (2005)Google Scholar
  7. 7.
    Christodorescu, M., Jha, S., Seshia, S., Song, D., Bryant, R.E.: Semantics-aware malware detection. In: IEEE Symposium on Security and Privacy. Oakland, California, May (2005)Google Scholar
  8. 8.
    Kreibich C., Crowcroft J.: Honeycomb: creating intrusion detection signatures using honeypots. SIGCOMM Comput. Commun. Rev. 34(1), 51–56 (2004)CrossRefGoogle Scholar
  9. 9.
    Provos, N.: A virtual honeypot framework. CITI Technical Report 03-1, Center for Information Technology Integration, University of Michigan, Ann Arbor, Michigan, USA, October (2003)Google Scholar
  10. 10.
    Tang, Y., Chen, S.: Defending against Internet worms: a signature-based approach. In: Proceedings of IEEE INFOCOM’05, Miami, Florida, USA, May (2005)Google Scholar
  11. 11.
    Filiol E.: Malware pattern scanning schemes secure against black-box analysis. J. Comput. Virol. 2(1), 35–50 (2006)CrossRefGoogle Scholar
  12. 12.
    Morin B., Mé L.: Intrusion detection and virology: an analysis of differences, similarities and complementariness. J. Comput. Virol. 3(1), 39–49 (2007)CrossRefGoogle Scholar
  13. 13.
    Elovici, Y., Shabtai, A., Moskovitch, R., Tahan, G., Glezer, C.: Applying Machine Learning Techniques for Detection of Malicious Code in Network Traffic. In: The 30th Annual German Conference on Artificial Intelligence (KI-2007), Lecture Notes in Computer Science, vol. 4667, pp. 44–50. Springer, Osnabrück (2007)Google Scholar
  14. 14.
    Filiol E., Josse S.: A statistical model for viral detection undecidability. J. Comput. Virol. 3(2), 65–74 (2007)CrossRefGoogle Scholar
  15. 15.
    Filiol, E., Raynal, F.: Malicioux, Malicious Cryptography ... Reloaded and also Malicious Statistics. CanSecWest 2008 Vancouver, pp. 26–28 Mars (2008)Google Scholar
  16. 16.
    Cormen T.H., Leiserson C.E., Rivest R.L., Stein C.: Introduction to Algorithms. MIT Press, London (2001)zbMATHGoogle Scholar
  17. 17.
    Lawrence C.E., Reilly A.A.: An expectation maximization (EM) algorithm for the identification and characterization of common sites in unaligned biopolymer sequences. Proteins Struct. Funct. Genet. 7, 41–51 (1990)CrossRefGoogle Scholar
  18. 18.
    Lawrence C.E., Altschul S.F., Boguski M.S., Liu J.S., Neuwald A.F., Wootton J.C.: Detecting subtle sequence signals: a Gibbs sampling strategy for multiple alignment. Science 262, 208–214 (1993)CrossRefGoogle Scholar
  19. 19.
    Newsome, J., Karp, B., Song, D.: Polygraph: automatically generating signatures for polymorphic worms. In: 2005 IEEE Symposium on Security and Privacy (S&P’05), pp. 226–241 (2005)Google Scholar
  20. 20.
    Hirschberg D.S.: Algorithms for the longest common subsequence problem. J. ACM 244, 664–675 (1977)CrossRefMathSciNetGoogle Scholar
  21. 21.
    DefensePro, Radware.
  22. 22.
    Abou-Assaleh, T., Cercone, N., Kešelj, V., Sweidan, R.: NGram Based Detection of New Malicious Code. In: 28th Annual International Computer Software and Applications Conference Workshops and Fast Abstracts (COMPSAC’04), pp. 41–42 (2004)Google Scholar
  23. 23.
    Goldberg L.A., Goldberg, P.W., Phillips, C.A., Sorkin, G.: Constructing Computer virus phylogenies. J. Algorithms 26(1), pp. 188–208Google Scholar
  24. 24.
    Karim, M.E., Walenstein, A., Lakhotia, A.: Malware Phylogeny Using Maximal πPatterns. In: EICAR 2005 Conference: Best Paper Proceedings, pp. 167–174 (2005)Google Scholar
  25. 25.
    Le Cam L.: An approximation theorem for Poisson binomial distribution. Pac. J. Math. 10, 1181–1197 (1960)zbMATHMathSciNetGoogle Scholar
  26. 26.
    Lai C.D., Wood G.R., Qiao C.G.: The mean of the inverse of a punctured normal distribution and its application. Biom. J. 46(4), 420–429 (2004)CrossRefMathSciNetGoogle Scholar
  27. 27.
    Rokach L.: Collective-agreement-based pruning of ensembles. Comput. Stat. Data Anal. 53(4), 1015–1026 (2009)zbMATHCrossRefGoogle Scholar
  28. 28.
    Menahem E., Shabtai A., Rokach L., Elovici Y.: Improving malware detection by applying multi-inducer ensemble. Comput. Stat. Data Anal. 53(4), 1483–1494 (2009)zbMATHCrossRefGoogle Scholar
  29. 29.
    Moskovitch R., Elovici Y., Rokach L.: Detection of unknown computer worms based on behavioral classification of the host. Comput. Stat. Data Anal. 52(9), 4544–4566 (2008)zbMATHCrossRefMathSciNetGoogle Scholar
  30. 30.
    Rieck K., Laskov P.: Language models for detection of unknown attacks in network traffic. J. Comput. Virol. 2(4), 243–256 (2007)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag France 2009

Authors and Affiliations

  • Gil Tahan
    • 1
  • Chanan Glezer
    • 1
  • Yuval Elovici
    • 1
  • Lior Rokach
    • 1
  1. 1.Deutsche Telekom Laboratory at Ben Gurion UniversityBeershebaIsrael

Personalised recommendations