July 9 – 14 , 2017, Dagstuhl Seminar 17281

Malware Analysis: From Large-Scale Data Triage to Targeted Attack Recognition


Saumya K. Debray (University of Arizona – Tucson, US)
Thomas Dullien (Google Switzerland – Zürich, CH)
Arun Lakhotia (University of Louisiana – Lafayette, US)
Sarah Zennou (Airbus Group – Suresnes, FR)

For support, please contact

Dagstuhl Service Team


List of Participants
Shared Documents


This Dagstuhl Seminar on "Malware analysis: from large-scale data triage to targeted attack recognition" addresses the specificities of the analysis of malware samples. It unites people from multiple backgrounds such as code verification, forensics, and machine learning with both industrial and academic point of view. The seminar is motivated by the earlier Dagstuhl Seminar 14241 where three major challenges specific to malware analysis (compared to other executable analysis) were highlighted: the ability to handle obfuscated code, the scalability of analyses both in size of executables and volume of data, and the capacity of analyses to retrieve information both on the behavior of the malware sample and its origin. For the second challenge machine learning was suggested as a promising technique.


Malware authors are becoming more and more sophisticated in making analysis difficult by implementing layered static/dynamic anti-analysis techniques. At the same time, the amount of daily received malware precludes them from being deeply analysed.

Hence, the challenges posed by code obfuscation and anti-analysis defenses come from the combination of the desire for quick and cheap mechanisms for triage (see challenge machine learning and scale) in order to handle a large number and variety of malware samples, on the one hand, and the high cost of penetrating multiple layers of obfuscations, on the other hand. Techniques for detecting and reasoning about obfuscated code, including symbolic and concolic analysis techniques, detection and neutralization of obfuscation and other anti-analysis measures, and efficiency and scalability considerations, are therefore especially relevant to this seminar.

Machine Learning

Malware continues to grow exponentially, with new malware numbers reaching 100s of thousands per month. It is no longer feasible to analyze new malware manually or perform point-analysis of individual malware. More scalable methods are needed to individually or collectively analyze malware. Machine Learning (ML) offers a viable, and as-yet under explored, method to manage the scale. ML may be used across the entire spectrum of tasks involved in handling malware: triage, signature generation, detection, mitigation, and incidence response. ML may also introduce new methods of countering malware threat, such as, creation of automated, self-learning classifiers that can predictively detect unseen malware.

Machine learning techniques need a corpus of well labelled data to estimate the model they implement. As such a corpus is not available for malware samples advances are needed in the interplay of feature space, model construction, performance estimation, and such, taking into account the specific adversarial context created by malware.

Information Retrieval

Compared to other executables, the expected behavior of malware samples is not known a priori. Hence, the first question one has to deal with is "What does this malware do?". Secondly, one asks "Who is the enemy?" - a question about the origin of the malware. A part of the answer may be found in the executable itself. The other part may be deduced from previous malware attacks and hence has a tight link with the Machine learning challenge: (i) Triage would enable to answer how (and if) a malware campaign is related to a previous one; (ii) industrial participants of the seminar should be asked what kind of features are relevant for malware recognition and which could serve as malware footprint for triage. This feature extraction has to be done in the context of obfuscation and hence can serve as guideline for de-obfuscation, see challenge Obfuscation.

  Creative Commons BY 3.0 DE
  Saumya K. Debray, Thomas Dullien, Arun Lakhotia, and Sarah Zennou

Dagstuhl Seminar Series


  • Security / Cryptology
  • Semantics / Formal Methods
  • Verification / Logic


  • Malware
  • Reverse engineering
  • Executable analysis
  • Obfuscation
  • Machine learning
  • Big data

Book exhibition

Books from the participants of the current Seminar 

Book exhibition in the library, ground floor, during the seminar week.


In the series Dagstuhl Reports each Dagstuhl Seminar and Dagstuhl Perspectives Workshop is documented. The seminar organizers, in cooperation with the collector, prepare a report that includes contributions from the participants' talks together with a summary of the seminar.


Download overview leaflet (PDF).


Furthermore, a comprehensive peer-reviewed collection of research papers can be published in the series Dagstuhl Follow-Ups.

Dagstuhl's Impact

Please inform us when a publication was published as a result from your seminar. These publications are listed in the category Dagstuhl's Impact and are presented on a special shelf on the ground floor of the library.

NSF young researcher support