Abstract
There is a substantial and growing body of malware samples that evade automated analysis and detection tools. Malware may measure fingerprints (“artifacts”) of the underlying analysis tool or environment, and change their behavior when such artifacts are detected. While analysis tools can mitigate artifacts to reduce exposure, such concealment is expensive and limits scalable automated malware analysis. However, not every sample checks for every type of artifact—analysis efficiency can be improved by mitigating only those artifacts most likely to be used by a sample. Using that insight, we propose <sc>Mimosa</sc>, a system that identifies a small set of “covering” configurations that collectively and efficiently defeat most malware samples in a corpus. <sc>Mimosa</sc> identifies a set of configurations that maximize analysis throughput and detection accuracy while minimizing manual effort, enabling scalable automation for analyzing stealthy malware. We evaluate our approach against a benchmark of 1535 meticulously labeled stealthy malware samples. We further test our approach on an additional set of 1221 stealthy malware samples and successfully analyze nearly 99% of them using only 2 VM backends. <sc>Mimosa</sc> provides a practical, tunable method for efficiently deploying malware analysis resources.
| Original language | English (US) |
|---|---|
| Pages (from-to) | 1-14 |
| Number of pages | 14 |
| Journal | IEEE Transactions on Dependable and Secure Computing |
| DOIs | |
| State | Accepted/In press - 2023 |
| Externally published | Yes |
Keywords
- artifact mitigation
- Behavioral sciences
- Costs
- covering sets
- Instruments
- Malware
- Malware analysis
- Taxonomy
- Throughput
- Virtualization
ASJC Scopus subject areas
- General Computer Science
- Electrical and Electronic Engineering