Skip to Main Content
When a new malware is found, anti-virus companies generate a signature for the malware. However, the malware analysis and signature generation are a time consuming process, because malwares utilize the sophisticated anti-reversing and obfuscation techniques. Therefore, it is very difficult to generate the signatures quickly enough to protect the malwares at the beginning of their propagations. In order to overcome this situation, a simple signature should be extracted automatically as soon as possible before the fully examined signature is generated. For automatic signature generation, the signature extraction position in the malwares also could be decided automatically and the extracted signatures should have low false positives. However, the relavant researches on the optimal position for automatic malware signature extraction are not enough yet. In this paper, we have investigated a method of searching the optimal area in a PE file for an automated malware signature generation. We show the results and the extracted signature's performance from the selected area with the real malwares. The area searching is done with the entropy and variance values because they can be used as a measurement of the randomness and uncertainty for each byte stream in malwares.
Date of Conference: 25-28 May 2009