A Knowledge-Assisted Visual Malware Analysis System: Design, Validation, and Reflection of KAMAS
Markus Wagner (1, 2), Alexander Rind (1, 2), Niklas Thür (1), Wolfgang Aigner (1, 2) ((1) St. Poelten University of Applied Sciences, Austria, (2) Vienna University of Technology, Austria)

TL;DR
KAMAS is a visualization system designed to assist IT-security experts in behavior-based malware analysis by providing visual analytics and knowledge externalization, validated through expert reviews and user studies.
Contribution
This paper introduces KAMAS, a novel visualization system that enhances malware analysis with knowledge externalization and tailored visual representations for security experts.
Findings
KAMAS improves malware analysis workflows.
Expert reviews validate the system's effectiveness.
User studies show increased analysis efficiency.
Abstract
IT-security experts engage in behavior-based malware analysis in order to learn about previously unknown samples of malicious software (malware) or malware families. For this, they need to find and categorize suspicious patterns from large collections of execution traces. Currently available systems do not meet the analysts' needs, described as: visual access suitable for complex data structures, visual representations appropriate for IT-security experts, workflow-specific interaction techniques, and the ability to externalize knowledge in the form of rules to ease analysis and for sharing with colleagues. To close this gap, we designed and developed KAMAS, a knowledge-assisted visualization system for behavior-based malware analysis. KAMAS supports malware analysts with visual analytics and knowledge externalization methods for the analysis process. The paper at hand is a…
