| Scheirer et al. [36] | Polymorphic worms | Syntactic and semantic | Detects many polymorphic worms using intrusion detection techniques such as sliding window schemes and instruction semantics. |
| Wurzinger et al. [37] | Botnets | Semantic | Detects botnets that are under the influence of a botmaster (malicious body) using network signatures, by examining the response of a compromised host to a received command and by generating detection models. |
| Botzilla [38] | Malware binaries | Semantic | Produces signatures for the malicious activities (traffic) created by a malware binary executed several times within a controlled domain. |
| Zhao et al. [39] | General malware datasets | Semantic | Generates signatures through an inverse transcoding method that converts the malware's sequential information, such as system call sequences, propagation dataflow, etc., into amino acid sequences and then aligns them using a multiple sequence alignment tool. |
| ProVex [40] | Botnets | Semantic | Generates signatures to detect botnets that use encrypted command and control (C&C) systems after being given the keys and decryption routine employed by the malware, derived using a binary code reuse strategy. |
| FIRMA [41] | Botnets | Semantic | Detects C&C systems but does not produce signatures for them. |
| Ki et al. [42] | Worms, Trojans, etc. | Semantic | Generates sequences that are typical API call sequence motifs of malicious activities belonging to several malware samples, and employs a multiple sequence alignment tool to align those malware samples and extract signatures. |
| MalGene [43] | Evasive malware samples | Semantic | Uses sequence alignment techniques on two sequences of system call events from two different analysis environments: one in which the malware evades the AVS, and the other in which it exhibits the malicious activities. These events are used to construct an “evasion signature” using sequence alignment. |