Ecole d'ingénieur et centre de recherche en Sciences du numérique

A close look at a daily dataset of malware samples

Ugarte-Pedrero, Xabier; Graziano, Mariano; Balzarotti, Davide

ACM Transactions on Privacy and Security (TOPS), Vol.22 N°1, January 2019

The number of unique malware samples is growing out of control. Over the years, security companies have designed and deployed complex infrastructures to collect and analyze this overwhelming number of samples. As a result, a security company can collect more than 1M unique files per day only from its different feeds. These are automatically stored and processed to extract actionable information derived from static and dynamic analysis. However, only a tiny amount of this data is interesting for security researchers and attracts the interest of a human expert. To the best of our knowledge, nobody has systematically dissected these datasets to precisely understand what they really contain. The security community generally discards the problem because of the alleged prevalence of uninteresting samples. In this article, we guide the reader through a step-by-step analysis of the hundreds of thousands Windows executables collected in one day from these feeds. Our goal is to show how a company can employ existing state-of-the-art techniques to automatically process these samples and then perform manual experiments to understand and document what is the real content of this gigantic dataset. We present the filtering steps, and we discuss in detail how samples can be grouped together according to their behavior to support manual verification. Finally, we use the results of this measurement experiment to provide a rough estimate of both the human and computer resources that are required to get to the bottom of the catch of the day.

Document Doi Bibtex

Titre:A close look at a daily dataset of malware samples
Mots Clés:Malware, measurement, prioritization, classification
Type:Journal
Langue:English
Ville:
Date:
Département:Sécurité numérique
Eurecom ref:5794
Copyright: © ACM, 2019. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in ACM Transactions on Privacy and Security (TOPS), Vol.22 N°1, January 2019 http://dx.doi.org/10.1145/3291061
Bibtex: @article{EURECOM+5794, doi = {http://dx.doi.org/10.1145/3291061}, year = {2019}, month = {01}, title = {{A} close look at a daily dataset of malware samples}, author = {{U}garte-{P}edrero, {X}abier and {G}raziano, {M}ariano and {B}alzarotti, {D}avide}, journal = {{ACM} {T}ransactions on {P}rivacy and {S}ecurity ({TOPS}), {V}ol.22 {N}°1, {J}anuary 2019}, url = {http://www.eurecom.fr/publication/5794} }
Voir aussi: