Kent E. Griffin
Symantec
Recent Advances in Intrusion Detection | 2009
Kent E. Griffin; Scott Schneider; Xin Hu; Tzi-cker Chiueh
Scanning files for signatures is a proven technology, but exponential growth in unique malware programs has caused an explosion in signature database sizes. One solution to this problem is to use string signatures, each of which is a contiguous byte sequence that potentially can match many variants of a malware family. However, it is not clear how to automatically generate these string signatures with a sufficiently low false positive rate. Hancock is the first string signature generation system that takes on this challenge on a large scale. To minimize the false positive rate, Hancock features a scalable model that estimates the occurrence probability of arbitrary byte sequences in goodware programs, a set of library code identification techniques, and diversity-based heuristics that ensure the contexts in which a signature is embedded in containing malware files are similar to one another. With these techniques combined, Hancock is able to automatically generate string signatures with a false positive rate below 0.1%.
Archive | 2006
Carey Nachenberg; Kent E. Griffin
Archive | 2008
Scott Schneider; Kent E. Griffin
Archive | 2008
Carey Nachenberg; Kent E. Griffin
USENIX Annual Technical Conference | 2013
Xin Hu; Sandeep Bhatkar; Kent E. Griffin; Kang G. Shin
Archive | 2008
Carey Nachenberg; Kent E. Griffin
Archive | 2007
Darren M. Sanders; Carey Nachenberg; Kent E. Griffin
Archive | 2008
Kent E. Griffin; Tzi-cker Chiueh; Scott Schneider; Xin Hu
Archive | 2009
Kent E. Griffin; Tzi-cker Chiueh; Scott Schneider
Archive | 2009
Tzi-cker Chiueh; Kent E. Griffin; Scott Schneider; Xin Hu