Method and system for automatically generating malware signature
US-2023306114-A1 · Sep 28, 2023 · US
US12505212B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12505212-B2 |
| Application number | US-202318497689-A |
| Country | US |
| Kind code | B2 |
| Filing date | Oct 30, 2023 |
| Priority date | Oct 30, 2023 |
| Publication date | Dec 23, 2025 |
| Grant date | Dec 23, 2025 |
Abstract: Various embodiments provide a system, method, and device for generating a signature for Windows .NET binaries. The method includes (i) generating a file signature based on code using a hashing technique, and (ii) classifying a sample using the file signature based on the code.
Claims:
What is claimed is:
1. A system for generating a signature for a Windows NET binary, comprising: one or more processors; and a memory coupled to the one or more processors and configured to provide the one or more processors with instructions that: parse the Windows NET binary to identify a plurality of methods implemented by the Windows NET binary; disassemble each of the plurality of methods into intermediate language code; transform the intermediate language code for each method into a unified representation, including replacing one or more operands with wildcards to obtain data-independent transformation results; generate a plurality of intermediate hashes respectively corresponding to the data-independent transformation results for the plurality of methods; concatenate the plurality of intermediate hashes into a concatenated hash; generate a file signature by applying a hashing technique to the concatenated hash; classify a sample using the file signature based on the code to determine whether the sample is malicious or benign; and cause a security policy to be enforced at a security entity in accordance with the classification.
2. The system of claim 1, wherein the code corresponds to a Windows.NET binary.
3. The system of claim 1, wherein the hashing technique is an MD5 hash function.
4. The system of claim 1, wherein the hashing technique is an SSDeep hash function.
5. The system of claim 1, wherein the hashing technique is a TLSH hash function.
6. The system of claim 1, wherein classifying the sample using the file signature based on the code comprises: determining that the sample is a malicious sample based at least in part on the file signature.
7. The system of claim 1, wherein classifying the sample using the file signature based on the code comprises: determining that the sample is a benign sample based at least in part on the file signature.
8. The system of claim 1, wherein the one or more processors are further configured to: handle the sample based at least in part on a sample classification.
9. The system of claim 8, wherein the sample is handled based at least in part on the security policy.
10. The system of claim 8, wherein handling the sample comprises performing an active measure in response to determining that the sample corresponds to a malicious sample.
11. The system of claim 1, wherein the one or more processors are further configured to: generate a Yara rule to identify a known malware function method based on the one or more intermediate transformation results.
12. The system of claim 1, wherein the file signature is used in connection with one or more of malware learning, malware detection, and malware clustering.
13. The system of claim 1, wherein a set of signatures for a set of files are clustered in response to determining that the signatures have a similarity score higher than a predefined similarity threshold.
14. The system of claim 13, wherein the predefined similarity threshold is greater than 95 percent.
15. The system of claim 1, wherein a set of signatures for trusted or benign code samples is clustered in connection with generating a white list of code.
16. The system of claim 1, wherein the sample is determined to be malware based on the file signature matching a signature for a known malware.
17. The system of claim 1, wherein the sample is deemed to be benign code based on the file signature matching a signature for known benign code.
18. The system of claim 1, wherein causing the security policy to be enforced at the security entity comprises preventing execution of the Windows.NET binary in response to the classification indicating the sample is malicious.
19. The system of claim 1, wherein the plurality of methods are identified based on parsing metadata of a Common Language Runtime (CLR) header of the Windows.NET binary.
20. The system of claim 1, wherein replacing one or more operands with wildcards comprises replacing constant values and memory addresses with a predetermined wildcard symbol while retaining operation codes.
21. The system of claim 1, wherein the file signature is stored in a signature database and used for at least one of: (i) generating a whitelist of trusted .NET methods, or (ii) preventing execution of a .NET binary determined to be malicious.
22. A method for generating a signature for a Windows.NET binary, comprising: parsing the Windows.NET binary to identify a plurality of methods implemented by the Windows.NET binary; disassembling each of the plurality of methods into intermediate language code; transforming the intermediate language code for each method into a unified representation, including replacing one or more operands with wildcards to obtain data-independent transformation results; generating a plurality of intermediate hashes respectively corresponding to the data-independent transformation results for the plurality of methods; concatenating the plurality of intermediate hashes into a concatenated hash; generating a file signature by applying a hashing technique to the concatenated hash; classifying a sample using the file signature to determine whether the sample is malicious or benign; and causing a security policy to be enforced at a security entity in accordance with the classification.
23. A computer program product comprising a non-transitory computer readable medium for generating a signature for a Windows.NET binary, and the computer program product comprising computer instructions that when executed by one or more computer processors, cause the one or more computer processors to perform operations comprising: parsing the Windows.NET binary to identify a plurality of methods implemented by the Windows.NET binary; disassembling each of the plurality of methods into intermediate language code; transforming the intermediate language code for each method into a unified representation, including replacing one or more operands with wildcards to obtain data-independent transformation results; generating a plurality of intermediate hashes respectively corresponding to the data-independent transformation results for the plurality of methods; concatenating the plurality of intermediate hashes into a concatenated hash; generating a file signature by applying a hashing technique to the concatenated hash; classifying a sample using the file signature based on the code to determine whether the sample is malicious or benign; and causing a security policy to be enforced at a security entity in accordance with the classification.
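The signature pipeline of claims 1, 20 and 22 (transform each method's IL to a data-independent form by wildcarding operands, hash each method, concatenate, hash the concatenation, classify by match), as an added Python example that is not part of the patent or of any product by its assignee. It assumes the methods have already been parsed and disassembled into text IL lines (constructed below), uses MD5 as in claim 3, and takes the method order to be the order in which they were parsed.

```python
import hashlib
from typing import Dict, List

WILDCARD = "*"  # predetermined wildcard symbol (claim 20); the symbol chosen is an assumption

def normalize_method(il_lines: List[str]) -> str:
    """Unified, data-independent form of one method: keep each opcode, replace its
    operand (constant, string, branch target, metadata token) with WILDCARD."""
    out = []
    for line in il_lines:
        parts = line.strip().split(None, 1)
        if parts and parts[0].endswith(":"):  # drop an "IL_0005:" address label
            parts = parts[1].split(None, 1) if len(parts) > 1 else []
        if not parts or parts[0].startswith("//"):
            continue
        out.append(f"{parts[0]} {WILDCARD}" if len(parts) > 1 else parts[0])
    return "\n".join(out)

def method_hash(il_lines: List[str]) -> str:
    """Intermediate hash over the transformed method (MD5, as in claim 3)."""
    return hashlib.md5(normalize_method(il_lines).encode()).hexdigest()

def file_signature(methods: Dict[str, List[str]]) -> str:
    """Concatenate the per-method hashes in parse order, then hash the concatenation."""
    concatenated = "".join(method_hash(il) for il in methods.values())
    return hashlib.md5(concatenated.encode()).hexdigest()

def classify(signature: str, malicious_db: set, benign_db: set) -> str:
    """Claims 16-17: a match against a stored signature decides the verdict."""
    if signature in malicious_db:
        return "malicious"
    return "benign" if signature in benign_db else "unknown"

# Constructed IL for two builds of one program that differ only in data (constants, strings).
VARIANT_A = {
    "Main": ['IL_0000: ldstr "build 1"', "IL_0005: call System.Console::WriteLine", "IL_000a: ret"],
    "Helper": ["ldarg.0", "ldc.i4 42", "add", "ret"],
}
VARIANT_B = {
    "Main": ['IL_0000: ldstr "build 2"', "IL_0005: call System.Console::WriteLine", "IL_000a: ret"],
    "Helper": ["ldarg.0", "ldc.i4 7", "add", "ret"],
}
UNRELATED = {"Main": ["ldarg.0", "ldc.i4 7", "sub", "ret"]}  # different opcodes: must not collide

if __name__ == "__main__":
    known_malicious = {file_signature(VARIANT_A)}  # signature learned from variant A
    print(classify(file_signature(VARIANT_B), known_malicious, set()))  # prints "malicious"
```

With MD5 the final step is an exact match; the similarity-threshold clustering of claims 13 and 14 would need the SSDeep or TLSH alternative of claims 4 and 5 in place of the final MD5, with the rest of the pipeline unchanged.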
CPC classification titles:
- Test or assess software
- by checking file integrity
- Static detection
- by source code analysis
- by virus signature recognition