ClarAVy: A Tool for Scalable and Accurate Malware Family Labeling

TL;DR

ClarAVy is a scalable, accurate malware family labeling tool that leverages a Bayesian approach to improve over existing methods, effectively handling large datasets and reducing errors in family attribution.

Contribution

The paper introduces ClarAVy, a novel malware labeling tool that addresses key shortcomings of existing methods through a Bayesian aggregation strategy, enhancing accuracy and scalability.

Findings

Achieves 8-12% higher accuracy than prior tools

Successfully labels approximately 40 million malicious files

Effectively resolves family aliasing and detection parsing issues

Abstract

Determining the family to which a malicious file belongs is an essential component of cyberattack investigation, attribution, and remediation. Performing this task manually is time consuming and requires expert knowledge. Automated tools using that label malware using antivirus detections lack accuracy and/or scalability, making them insufficient for real-world applications. Three pervasive shortcomings in these tools are responsible: (1) incorrect parsing of antivirus detections, (2) errors during family alias resolution, and (3) an inappropriate antivirus aggregation strategy. To address each of these, we created our own malware family labeling tool called ClarAVy. ClarAVy utilizes a Variational Bayesian approach to aggregate detections from a collection of antivirus products into accurate family labels. Our tool scales to enormous malware datasets, and we evaluated it by labeling $\approx$40 million malicious files. ClarAVy has 8 and 12 percentage points higher accuracy than the prior leading tool in labeling the MOTIF and MalPedia datasets, respectively.