
A Fast Positive Approach of P-DPL in the Packet Inspection

N. Kannaiya Raja, Dr.K. Arulanandam, G. Deepa, M. Balaji

Abstract


One way to protect organizations from malware is to deploy high-speed, network-based intrusion detection systems on the communication lines; P-DPL is designed for this setting. Such appliances perform deep-packet inspection in real time and use simple signatures to detect and block attacks such as malware, propagating worms, denial of service, or remote exploitation of vulnerabilities. P-DPL is primarily intended for high-speed network traffic filtering devices that are based on deep-packet inspection. Malicious executables are analyzed using two approaches, disassembly with IDA Pro and a dedicated state machine, in order to obtain the set of functions comprising each executable. Signature extraction is based on a comparison with a common function repository: by eliminating functions that also appear in the repository from the signature candidate list, P-DPL reduces the risk of false-positive detections. To reduce false-positive rates further, P-DPL selects candidates using an entropy score when generating signatures.
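The candidate-selection pipeline described above (extract functions, drop those found in a common function repository, rank the remainder by entropy, then match the chosen signature against packet payloads) is illustrated below. This is an added example written for this page, not the authors' P-DPL implementation. The disassembly step is replaced by constructed byte strings standing in for carved-out functions; the repository is a set of SHA-256 digests (exact match, an assumption); and the entropy score is plain Shannon entropy over bytes, since the abstract does not specify the scoring function.

```python
"""Toy signature-candidate selection in the spirit of the P-DPL abstract.

Added illustration, not the authors' code. Function extraction (IDA Pro /
state machine) is replaced by constructed byte sequences; the repository
uses exact SHA-256 matching and the score is Shannon entropy (assumptions).
"""
import hashlib
import math
from collections import Counter

# Constructed sample data: "functions" carved out of benign binaries that
# form the common function repository.
COMMON_FUNCTIONS = [
    b"\x55\x89\xe5\x83\xec\x10\x8b\x45\x08\xc9\xc3",          # prologue/epilogue stub
    b"\x55\x89\xe5\x8b\x45\x08\x8b\x55\x0c\x01\xd0\x5d\xc3",  # tiny add helper
    b"\x00" * 16,                                              # zero padding blob
]

# Constructed "functions" carved out of one malicious executable.
MALWARE_FUNCTIONS = [
    b"\x55\x89\xe5\x83\xec\x10\x8b\x45\x08\xc9\xc3",          # shared with benign code
    b"\x00" * 16,                                              # shared padding
    b"\x90" * 20,                                              # NOP sled: unique but low entropy
    # constructed XOR-decode loop: xor ecx,ecx / mov al,[esi+ecx] / xor al,0xab /
    # mov [esi+ecx],al / inc ecx / cmp ecx,0x20 / jne / jmp esi
    b"\x31\xc9\x8a\x04\x0e\x34\xab\x88\x04\x0e\x41\x83\xf9\x20\x75\xf3\xff\xe6",
]


def function_digest(code: bytes) -> str:
    """Identify a function by the SHA-256 of its bytes (exact-match repository)."""
    return hashlib.sha256(code).hexdigest()


def build_repository(benign_functions) -> set:
    """Common function repository: digests of functions seen in benign code."""
    return {function_digest(f) for f in benign_functions}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def select_signature_candidates(malware_functions, repository, min_len=8) -> list:
    """Drop functions found in the repository (likely shared library code that
    would fire on benign traffic), then rank survivors by entropy, highest first,
    so that low-information blobs such as NOP sleds sink to the bottom."""
    candidates = [
        f for f in malware_functions
        if function_digest(f) not in repository and len(f) >= min_len
    ]
    return sorted(candidates, key=shannon_entropy, reverse=True)


def payload_matches(payload: bytes, signatures) -> list:
    """Naive deep-packet-inspection check: signatures occurring verbatim in payload."""
    return [s for s in signatures if s in payload]


if __name__ == "__main__":
    repo = build_repository(COMMON_FUNCTIONS)
    cands = select_signature_candidates(MALWARE_FUNCTIONS, repo)
    for c in cands:
        print(f"candidate entropy={shannon_entropy(c):.2f} bytes={c.hex()}")
    # Constructed benign response that happens to carry the shared prologue stub.
    benign = b"HTTP/1.1 200 OK\r\n\r\n" + COMMON_FUNCTIONS[0]
    print("unfiltered false positives:", payload_matches(benign, MALWARE_FUNCTIONS))
    print("filtered matches on benign:", payload_matches(benign, cands))
```

Running the block shows the point the abstract makes about false positives: with no repository filtering the shared prologue stub matches the benign payload, while the filtered candidate list does not, and the constructed decode loop outranks the NOP sled on entropy.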



Keywords


Automatic Signature Generation (ASG), Malware, Malware Filtering, Packet-Deployment Payload (P-DPL).






Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 License.