Using an expert system to provide automated malware analysis for non-experts (or using machines to provide meaningful analysis for humans)

Hermineh Tchagatzbanian (Microsoft)
Heather Goudey (Microsoft)

Meaningfully describing the behaviour of malware that may be detected by a scanner is an integral part of any anti-virus solution. In order to offer a complete solution, anti-virus companies need to provide detailed and accurate analysis that describes the malware's behaviour, any relevant system changes that may have occurred and the implications of that behaviour on the future confidentiality and integrity of the user's data and resources.

Analysing malware and its behaviour can be an expensive process. Depending on the complexity of the malware involved, producing an accurate analysis can take days, if not weeks, of an analyst's time. Moreover, the skills required to reverse engineer malware accurately and meaningfully are the product of years of specialization and extensive expertise, and these are the same skills required to add detections for malware to the scanner, so every hour spent on analysis carries a significant opportunity cost. Beyond performing the analysis, presenting this information in a way that is meaningful to users calls for another set of skills and expertise entirely.

This paper describes a system that generates automated malware analysis for humans. The analysis is largely based on the behaviour the malware exhibits while it is run in a monitored environment. The system uses a knowledgebase of malware behaviours to translate what it observes into a meaningful description for the user. It is also capable of handling multiple files belonging to one sample, so that the analysis it generates is more accurate and comprehensive. The generated descriptions are intended to approximate human-produced analyses as closely as possible and to provide meaningful information to affected users. In this respect the system differs significantly from other automated analysis systems currently available.
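The following is an added example, not the paper's system or Microsoft's code: a toy expert-system core that maps sandbox events from several files of one sample onto plain-language statements from a small knowledgebase. The event kinds, rule wording, impact tags and the sample trace are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    kind: str    # constructed event kinds: file_write, reg_set, net_connect, process_create
    target: str  # path, registry key, host:port or command line

# Knowledgebase: (predicate over one event, user-facing statement, impact tag).
# Statements are written for a non-expert reader, in the spirit of the paper.
KNOWLEDGEBASE = [
    (lambda e: e.kind == "reg_set" and "\\CurrentVersion\\Run" in e.target,
     "Creates a registry entry so that it runs each time Windows starts.", "persistence"),
    (lambda e: e.kind == "file_write"
     and e.target.lower().startswith("c:\\windows\\system32\\"),
     "Drops a copy of itself into the Windows system folder.", "installation"),
    (lambda e: e.kind == "net_connect",
     "Connects to a remote host, which may allow an attacker to control the computer.",
     "remote_access"),
]

def describe(events_by_file):
    """Merge the events of every file in one sample and build one description.

    events_by_file: {filename: [Event, ...]}.  A rule that fires for any file
    contributes its statement once, and statements are emitted in knowledgebase
    order so the same evidence always yields the same text.  Returns
    (description text, list of impact tags)."""
    matched = set()
    for events in events_by_file.values():
        for e in events:
            for idx, (pred, _, _) in enumerate(KNOWLEDGEBASE):
                if pred(e):
                    matched.add(idx)
    if not matched:
        return "No behaviour in the knowledgebase was observed.", []
    text = " ".join(KNOWLEDGEBASE[i][1] for i in sorted(matched))
    tags = [KNOWLEDGEBASE[i][2] for i in sorted(matched)]
    return text, tags

# Constructed trace of a two-file sample: a dropper and the component it drops.
SAMPLE = {
    "dropper.exe": [Event("file_write", r"C:\Windows\System32\svchost32.exe"),
                    Event("process_create", r"C:\Windows\System32\svchost32.exe")],
    "svchost32.exe": [Event("reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost32"),
                      Event("net_connect", "example.invalid:8080")],
}

if __name__ == "__main__":
    print(describe(SAMPLE)[0])
```

Note that the persistence statement comes from the dropped file and the installation statement from the dropper; only by analysing both files together does the description cover the whole sample.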
