MalDICT: Benchmark Datasets on Malware Behaviors, Platforms, Exploitation, and Packers

TL;DR

This paper introduces MalDICT, a comprehensive benchmark dataset for classifying malware based on behaviors, platforms, vulnerabilities, and packers, utilizing a new AV label parser called ClarAVy to enable detailed malware analysis.

Contribution

The paper presents ClarAVy, a novel AV label parser, and releases the first large-scale benchmark datasets for malware classification across four under-explored attribute categories.

Findings

Created ClarAVy to parse 882 AV label formats.

Released nearly 5.5 million malware samples with detailed labels.

Provided the first datasets for malware platform and packer classification.

Abstract

Existing research on malware classification focuses almost exclusively on two tasks: distinguishing between malicious and benign files and classifying malware by family. However, malware can be categorized according to many other types of attributes, and the ability to identify these attributes in newly-emerging malware using machine learning could provide significant value to analysts. In particular, we have identified four tasks which are under-represented in prior work: classification by behaviors that malware exhibit, platforms that malware run on, vulnerabilities that malware exploit, and packers that malware are packed with. To obtain labels for training and evaluating ML classifiers on these tasks, we created an antivirus (AV) tagging tool called ClarAVy. ClarAVy's sophisticated AV label parser distinguishes itself from prior AV-based taggers, with the ability to accurately parse 882 different AV label formats used by 90 different AV products. We are releasing benchmark datasets for each of these four classification tasks, tagged using ClarAVy and comprising nearly 5.5 million malicious files in total. Our malware behavior dataset includes 75 distinct tags - nearly 7x more than the only prior benchmark dataset with behavioral tags. To our knowledge, we are the first to release datasets with malware platform and packer tags.