09. – 14. Juli 2017, Dagstuhl Seminar 17281
Malware Analysis: From Large-Scale Data Triage to Targeted Attack Recognition
Auskunft zu diesem Dagstuhl Seminar erteilen
Susanne Bach-Bernhard zu administrativen Fragen
Andreas Dolzmann zu wissenschaftlichen Fragen
Programm des Dagstuhl Seminars (Hochladen)
(Zum Einloggen bitte Seminarnummer und Zugangscode verwenden)
This Dagstuhl Seminar on "Malware analysis: from large-scale data triage to targeted attack recognition" addresses the specificities of the analysis of malware samples. It unites people from multiple backgrounds such as code verification, forensics, and machine learning with both industrial and academic point of view. The seminar is motivated by the earlier Dagstuhl Seminar 14241 where three major challenges specific to malware analysis (compared to other executable analysis) were highlighted: the ability to handle obfuscated code, the scalability of analyses both in size of executables and volume of data, and the capacity of analyses to retrieve information both on the behavior of the malware sample and its origin. For the second challenge machine learning was suggested as a promising technique.
Malware authors are becoming more and more sophisticated in making analysis difficult by implementing layered static/dynamic anti-analysis techniques. At the same time, the amount of daily received malware precludes them from being deeply analysed.
Hence, the challenges posed by code obfuscation and anti-analysis defenses come from the combination of the desire for quick and cheap mechanisms for triage (see challenge machine learning and scale) in order to handle a large number and variety of malware samples, on the one hand, and the high cost of penetrating multiple layers of obfuscations, on the other hand. Techniques for detecting and reasoning about obfuscated code, including symbolic and concolic analysis techniques, detection and neutralization of obfuscation and other anti-analysis measures, and efficiency and scalability considerations, are therefore especially relevant to this seminar.
Malware continues to grow exponentially, with new malware numbers reaching 100s of thousands per month. It is no longer feasible to analyze new malware manually or perform point-analysis of individual malware. More scalable methods are needed to individually or collectively analyze malware. Machine Learning (ML) offers a viable, and as-yet under explored, method to manage the scale. ML may be used across the entire spectrum of tasks involved in handling malware: triage, signature generation, detection, mitigation, and incidence response. ML may also introduce new methods of countering malware threat, such as, creation of automated, self-learning classifiers that can predictively detect unseen malware.
Machine learning techniques need a corpus of well labelled data to estimate the model they implement. As such a corpus is not available for malware samples advances are needed in the interplay of feature space, model construction, performance estimation, and such, taking into account the specific adversarial context created by malware.
Compared to other executables, the expected behavior of malware samples is not known a priori. Hence, the first question one has to deal with is "What does this malware do?". Secondly, one asks "Who is the enemy?" - a question about the origin of the malware. A part of the answer may be found in the executable itself. The other part may be deduced from previous malware attacks and hence has a tight link with the Machine learning challenge: (i) Triage would enable to answer how (and if) a malware campaign is related to a previous one; (ii) industrial participants of the seminar should be asked what kind of features are relevant for malware recognition and which could serve as malware footprint for triage. This feature extraction has to be done in the context of obfuscation and hence can serve as guideline for de-obfuscation, see challenge Obfuscation.
Creative Commons BY 3.0 DE
Saumya K. Debray and Thomas Dullien and Arun Lakhotia and Sarah Zennou
Dagstuhl Seminar Series
- 14241: "Challenges in Analysing Executables: Scalability, Self-Modifying Code and Synergy" (2014)
- 12051: "Analysis of Executables: Benefits and Challenges" (2012)
- Security / Cryptology
- Semantics / Formal Methods
- Verification / Logic
- Reverse engineering
- Executable analysis
- Machine learning
- Big data