Using an expert system to provide automated malware analysis for non-experts (or using machines to provide meaningful analysis for humans)

Hermineh Tchagatzbanian Microsoft
Heather Goudey Microsoft

  download slides (PDF)

Meaningfully describing the behaviour of malware that may be detected by a scanner is an integral part of any anti-virus solution. In order to offer a complete solution, anti-virus companies need to provide detailed and accurate analysis that describes the malware's behaviour, any relevant system changes that may have occurred and the implications of that behaviour on the future confidentiality and integrity of the user's data and resources.

Analysing malware and its behaviour can be an expensive process. Depending on the complexity of the malware involved, producing an accurate analysis can take days if not weeks of an analyst's time. Also, not only are the skills required to reverse engineer malware accurately and meaningfully the product of years of specialization and extensive expertise, but it is these same skills that are also required to add detections for malware to the scanner, creating a significant opportunity cost. Besides performing the analysis, presenting this information in a way that is meaningful to users is another set of skills and expertise entirely.

This paper describes a system that generates automated malware analysis for humans. This automated analysis is largely based on monitoring malware behaviour exhibited while running the malware in a monitored environment. The system has a knowledgebase of malware behaviours that it utilizes in order to describe malware meaningfully for a user. The system is also capable of handling multiple files in order to generate more accurate and comprehensive analysis. The generated descriptions are intended to, as closely as possible, approximate human-produced analyses and provide meaningful information to affected users. As such, this system varies significantly from other automated analysis systems currently available.

VB Conferences

VB2016 (Denver)

VB2015 (Prague)

VB2014 (Seattle)

VB2013 (Berlin)

VB2012 (Dallas)

VB2011 (Barcelona)

VB2010 (Vancouver)

VB2009 (Geneva)

VB2008 (Ottawa)

VB2007 (Vienna)

VB2006 (Montréal)

VB2005 (Dublin)

VB2004 (Chicago)

VB2003 (Toronto)

VB2002 (New Orleans)

VB2001 (Prague)

VB2000 (Orlando)

VB99 (Vancouver)

VB98 (Munich)

VB97 (San Francisco)

VB96 (Brighton)

VB95 (Boston)

VB94 (Jersey)

VB93 (Amsterdam)

VB92 (Edinburgh)

VB91 (Jersey)

‘VB is the best technical conference I have ever attended.’