Using an expert system to provide automated malware analysis for non-experts (or using machines to provide meaningful analysis for humans)

Hermineh Tchagatzbanian, Microsoft
Heather Goudey, Microsoft

Meaningfully describing the behaviour of malware that may be detected by a scanner is an integral part of any anti-virus solution. In order to offer a complete solution, anti-virus companies need to provide detailed and accurate analysis that describes the malware's behaviour, any relevant system changes that may have occurred and the implications of that behaviour on the future confidentiality and integrity of the user's data and resources.

Analysing malware and its behaviour can be an expensive process. Depending on the complexity of the malware involved, producing an accurate analysis can take days, if not weeks, of an analyst's time. Moreover, the skills required to reverse engineer malware accurately and meaningfully are the product of years of specialization and extensive expertise, and these same skills are also needed to add detections for malware to the scanner, creating a significant opportunity cost. Besides performing the analysis, presenting the information in a way that is meaningful to users requires another set of skills and expertise entirely.

This paper describes a system that generates automated malware analysis for humans. This automated analysis is largely based on monitoring the behaviour that malware exhibits while running in a monitored environment. The system has a knowledge base of malware behaviours that it uses to describe malware meaningfully for a user. The system is also capable of handling multiple files in order to generate a more accurate and comprehensive analysis. The generated descriptions are intended to approximate human-produced analyses as closely as possible and to provide meaningful information to affected users. As such, this system differs significantly from other automated analysis systems currently available.
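The following is an added illustration of the approach the abstract outlines, not code from the paper or from Microsoft: a small rule-based knowledge base maps events recorded by a behaviour monitor to plain-language behaviour statements and their implications for the user, and merges findings across several files (for example a dropper and the payload it launches). The event format, rule names and the sample trace are constructed for this example.

```python
import re

# Knowledge base: each rule maps an event pattern to the behaviour in plain language and
# its implication for the user's data. Rule names and patterns are constructed for this example.
RULES = [
    ("persistence", r"^RegSetValue .*\\CurrentVersion\\Run\\",
     "installs itself to run every time Windows starts",
     "the threat will remain active across reboots until it is removed"),
    ("network", r"^Connect (\d{1,3}(?:\.\d{1,3}){3}):(\d+)",
     "connects to a remote host at {0} on port {1}",
     "data may be sent to, or commands received from, an attacker"),
    ("data_loss", r"^DeleteFile .*\.(?:doc|xls|jpg)$",
     "deletes user documents and pictures",
     "the integrity and availability of user data are affected"),
]

def analyse(traces):
    """traces: {filename: [event lines]} from the monitored run of one or more files.
    Returns ordered (behaviour, implication, files) tuples; identical behaviours from
    different files are merged, so a dropper and its payload yield one description."""
    findings = {}
    for fname, lines in traces.items():
        for line in lines:
            for _name, pattern, text, implication in RULES:
                m = re.match(pattern, line)
                if m:
                    key = text.format(*m.groups())
                    findings.setdefault(key, (implication, []))[1].append(fname)
    return [(b, i, sorted(set(f))) for b, (i, f) in findings.items()]

def render(findings):
    """Format the findings as the plain-language summary a non-expert user would read."""
    if not findings:
        return "No suspicious behaviour was observed."
    out = ["When run, this threat:"]
    for behaviour, implication, files in findings:
        out.append(f"- {behaviour} (seen in {', '.join(files)}); {implication}.")
    return "\n".join(out)

SAMPLE_TRACES = {  # constructed monitor output, not taken from any real sample
    "dropper.exe": [
        "RegSetValue HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd = C:\\Temp\\payload.exe",
    ],
    "payload.exe": [
        "Connect 192.0.2.10:8080",
        "DeleteFile C:\\Users\\u\\Documents\\report.doc",
        "DeleteFile C:\\Users\\u\\Pictures\\photo.jpg",
    ],
}
```

Running `render(analyse(SAMPLE_TRACES))` yields a three-point summary in which the two DeleteFile events collapse into one statement and each statement names the file that exhibited it.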
