3- The Extraction/Evaluation Algorithm

Suppose that we have just obtained a sample of a new virus imbedded in some host (infected) executable program. We wish to find a good signature for that virus: one that will appear in every instance of the virus, but is extremely unlikely to appear just by coincidence in code not containing the virus. This is accomplished in two phases. First, a set of signatures that are likely to appear in each instance of the virus is generated. Second, one or a few signatures that minimize the false-positive probability are chosen from this set.
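The two phases can be sketched as follows; this is an added example, not code from the original text. It assumes fixed-length byte windows as candidates and an independent-byte frequency model over uninfected code as the false-positive estimate, neither of which this section specifies. All names and sample bytes are constructed for illustration.

```python
import math
from collections import Counter

SIG_LEN = 8  # assumed signature length in bytes; the page does not fix one

def candidates(instances, n=SIG_LEN):
    """Phase 1: every n-byte window that occurs in all instances of the virus."""
    first, rest = instances[0], instances[1:]
    windows = {first[i:i + n] for i in range(len(first) - n + 1)}
    return {w for w in windows if all(w in other for other in rest)}

def byte_log_probs(corpus):
    """Add-one smoothed log-probability of each byte value in uninfected code."""
    counts = Counter()
    for blob in corpus:
        counts.update(blob)
    total = sum(counts.values()) + 256
    return [math.log((counts[b] + 1) / total) for b in range(256)]

def log_false_positive(sig, log_probs):
    """Assumed estimate: bytes treated as independent, so log P(sig) is a sum."""
    return sum(log_probs[b] for b in sig)

def rank_signatures(instances, corpus):
    """Phase 2: candidates ordered from least to most likely false positive."""
    log_probs = byte_log_probs(corpus)
    return sorted(candidates(instances),
                  key=lambda s: (log_false_positive(s, log_probs), s))

# Constructed sample data: one "virus" body appended to two different hosts.
VIRUS = b"\x90" * 10 + bytes.fromhex("deadbeeffaceb00c") + b"\x90" * 10
INSTANCES = [b"HOST-A-PROGRAM-CODE\x01" + VIRUS,
             b"another host binary\x02" + VIRUS + b"tail"]
BENIGN = [b"\x90\x00\x55\x8b\xec" * 200, b"\x00\x90\x90\x8b\x55" * 200]

if __name__ == "__main__":
    ranked = rank_signatures(INSTANCES, BENIGN)
    print("best :", ranked[0].hex())
    print("worst:", ranked[-1].hex())
```

The run of `0x90` bytes appears in every instance, so it passes phase 1, but it is also common in the uninfected corpus and is ranked last in phase 2.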