Malware Task Identification: A Data Driven Approach
Eric Nunes, Casey Buto, Paulo Shakarian, Christian Lebiere, Stefano Bennati, Robert Thomson, Holger Jaenisch

TL;DR
This paper introduces an automated, data-driven method for identifying malware tasks that outperforms existing techniques, even under challenging conditions like data mismatch and packing, with high accuracy.
Contribution
The paper presents a novel automated approach for malware task identification that surpasses current state-of-the-art methods in accuracy and robustness.
Findings
Outperforms current state-of-the-art malware task identification tools.
Achieves an unbiased F1 score of over 0.9 in various challenging scenarios.
Effective even with limited and diverse training data.
Abstract
Identifying the tasks a given piece of malware was designed to perform (e.g. logging keystrokes, recording video, establishing remote access, etc.) is a difficult and time-consuming operation that is largely human-driven in practice. In this paper, we present an automated method to identify malware tasks. Using two different malware collections, we explore various circumstances for each, including cases where the training data differs significantly from the test data; where the malware being evaluated employs packing to thwart analytical techniques; and conditions with sparse training data. We find that this approach consistently outperforms the current state-of-the-art software for malware task identification as well as standard machine learning approaches, often achieving an unbiased F1 score of over 0.9. In the near future, we look to deploy our approach for use by analysts in an…
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Information and Cyber Security
