09. – 14. Juli 2017, Dagstuhl Seminar 17281

Malware Analysis: From Large-Scale Data Triage to Targeted Attack Recognition


Saumya K. Debray (University of Arizona – Tucson, US)
Thomas Dullien (Google Switzerland – Zürich, CH)
Arun Lakhotia (University of Louisiana – Lafayette, US)
Sarah Zennou (Airbus Group – Suresnes, FR)

Auskunft zu diesem Dagstuhl Seminar erteilen

Susanne Bach-Bernhard zu administrativen Fragen

Andreas Dolzmann zu wissenschaftlichen Fragen


Gemeinsame Dokumente


This Dagstuhl Seminar on "Malware analysis: from large-scale data triage to targeted attack recognition" addresses the specificities of the analysis of malware samples. It unites people from multiple backgrounds such as code verification, forensics, and machine learning with both industrial and academic point of view. The seminar is motivated by the earlier Dagstuhl Seminar 14241 where three major challenges specific to malware analysis (compared to other executable analysis) were highlighted: the ability to handle obfuscated code, the scalability of analyses both in size of executables and volume of data, and the capacity of analyses to retrieve information both on the behavior of the malware sample and its origin. For the second challenge machine learning was suggested as a promising technique.


Malware authors are becoming more and more sophisticated in making analysis difficult by implementing layered static/dynamic anti-analysis techniques. At the same time, the amount of daily received malware precludes them from being deeply analysed.

Hence, the challenges posed by code obfuscation and anti-analysis defenses come from the combination of the desire for quick and cheap mechanisms for triage (see challenge machine learning and scale) in order to handle a large number and variety of malware samples, on the one hand, and the high cost of penetrating multiple layers of obfuscations, on the other hand. Techniques for detecting and reasoning about obfuscated code, including symbolic and concolic analysis techniques, detection and neutralization of obfuscation and other anti-analysis measures, and efficiency and scalability considerations, are therefore especially relevant to this seminar.

Machine Learning

Malware continues to grow exponentially, with new malware numbers reaching 100s of thousands per month. It is no longer feasible to analyze new malware manually or perform point-analysis of individual malware. More scalable methods are needed to individually or collectively analyze malware. Machine Learning (ML) offers a viable, and as-yet under explored, method to manage the scale. ML may be used across the entire spectrum of tasks involved in handling malware: triage, signature generation, detection, mitigation, and incidence response. ML may also introduce new methods of countering malware threat, such as, creation of automated, self-learning classifiers that can predictively detect unseen malware.

Machine learning techniques need a corpus of well labelled data to estimate the model they implement. As such a corpus is not available for malware samples advances are needed in the interplay of feature space, model construction, performance estimation, and such, taking into account the specific adversarial context created by malware.

Information Retrieval

Compared to other executables, the expected behavior of malware samples is not known a priori. Hence, the first question one has to deal with is "What does this malware do?". Secondly, one asks "Who is the enemy?" - a question about the origin of the malware. A part of the answer may be found in the executable itself. The other part may be deduced from previous malware attacks and hence has a tight link with the Machine learning challenge: (i) Triage would enable to answer how (and if) a malware campaign is related to a previous one; (ii) industrial participants of the seminar should be asked what kind of features are relevant for malware recognition and which could serve as malware footprint for triage. This feature extraction has to be done in the context of obfuscation and hence can serve as guideline for de-obfuscation, see challenge Obfuscation.

  Creative Commons BY 3.0 DE
  Saumya K. Debray, Thomas Dullien, Arun Lakhotia, and Sarah Zennou

Dagstuhl Seminar Series


  • Security / Cryptology
  • Semantics / Formal Methods
  • Verification / Logic


  • Malware
  • Reverse engineering
  • Executable analysis
  • Obfuscation
  • Machine learning
  • Big data


Bücher der Teilnehmer 

Buchausstellung im Erdgeschoss der Bibliothek

(nur in der Veranstaltungswoche).


In der Reihe Dagstuhl Reports werden alle Dagstuhl-Seminare und Dagstuhl-Perspektiven-Workshops dokumentiert. Die Organisatoren stellen zusammen mit dem Collector des Seminars einen Bericht zusammen, der die Beiträge der Autoren zusammenfasst und um eine Zusammenfassung ergänzt.


Download Übersichtsflyer (PDF).


Es besteht weiterhin die Möglichkeit, eine umfassende Kollektion begutachteter Arbeiten in der Reihe Dagstuhl Follow-Ups zu publizieren.

Dagstuhl's Impact

Bitte informieren Sie uns, wenn eine Veröffentlichung ausgehend von
Ihrem Seminar entsteht. Derartige Veröffentlichungen werden von uns in der Rubrik Dagstuhl's Impact separat aufgelistet  und im Erdgeschoss der Bibliothek präsentiert.