|Student Name:||Capt Jonathan Bristow|
|Thesis:||Learning Enterprise Malware Triage from Automatic Dynamic Analysis|
|Location:||Bldg 642, Rm 219B (CCR Conference Room)|
|Date & Time:||02/21/2013 at 1100|
|Abstract:||Adversaries employ malware against victims of cyber espionage with the intent of gaining unauthorized access to information. To that end, malware authors deliberately attempt to evade defensive countermeasures based on static methods. This thesis evaluates a behavior-based malware triage methodology that applies at enterprise scale. The malware instruction set (MIST) format encodes the application programming interface (API) calls recorded in dynamic behavior reports, reducing the size of each behavior representation and breaking each action into levels of detail [Trinius 2011]. The thesis analyzes experiments on 64 combinations of factor levels: two MIST levels, instruction sequences of lengths 1 through 16, and feature vectors with and without normalization. The results indicate that MIST level 2 argument information and behavior sequences of lengths 11 through 14 build more accurate executable classification models, and that normalization provides no benefit on this data set. Furthermore, the methodology contributes to strategic cyber situation awareness when combined with faster malware detection methods, such as static analysis, to change the game of malware triage in favor of cyber defense.|
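The feature-extraction pipeline the abstract describes (behavior report to MIST-style instructions at a chosen level, then instruction sequences of a chosen length, then a count vector with optional normalization), shown here as an added illustration that is not the thesis's own code or an exact implementation of the published MIST format. The simplified token layout, the choice of the first argument as the level-2 detail, the constructed sample report and the use of L2 (unit-length) normalization are all assumptions made for the example; the real MIST format encodes instructions and arguments more compactly and defines further levels.

```python
"""Illustrative MIST-style behavior encoding and sequence feature extraction.

Constructed example (not the thesis's code): a toy dynamic-analysis report is
converted into MIST-like instructions at two levels of detail, sliced into
instruction sequences (n-grams) of a chosen length, and counted into a feature
vector that can optionally be normalized. The token layout is a simplification
of the published MIST format, chosen to show the level idea.
"""
from collections import Counter
from math import sqrt

# Constructed sample behavior report: (category, operation, arguments).
# Assumption: the first argument of each call (a path, key or host) is the
# detail that MIST level 2 keeps; later arguments are dropped at level 2.
SAMPLE_REPORT = [
    ("filesystem", "open",    {"path": r"C:\Windows\System32\cmd.exe", "mode": "r"}),
    ("filesystem", "open",    {"path": r"C:\Users\victim\Documents\report.docx", "mode": "r"}),
    ("filesystem", "write",   {"path": r"C:\Users\victim\AppData\Roaming\svc.exe", "size": 184320}),
    ("registry",   "set",     {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "svc"}),
    ("process",    "create",  {"path": r"C:\Users\victim\AppData\Roaming\svc.exe", "cmdline": "svc.exe -s"}),
    ("network",    "connect", {"host": "203.0.113.10", "port": 443}),
    ("network",    "connect", {"host": "203.0.113.10", "port": 443}),
]


def mist_encode(report, level):
    """Map each recorded API call to a MIST-style instruction string.

    level 1: category and operation only (coarse and very compact).
    level 2: level 1 plus the first argument, e.g. a path or registry key.
    The real format defines further levels; this illustration stops at the
    two levels the abstract compares.
    """
    if level not in (1, 2):
        raise ValueError("this illustration supports MIST levels 1 and 2 only")
    instructions = []
    for category, operation, args in report:
        token = f"{category}.{operation}"
        if level == 2 and args:
            first_arg = next(iter(args.values()))  # dicts keep insertion order
            token += f"|{first_arg}"
        instructions.append(token)
    return instructions


def ngrams(instructions, n):
    """All sequences of n consecutive instructions (n = 1 is a bag of calls).

    A report shorter than n yields no sequences at all, which is the edge
    case a long sequence length hits on short-running samples.
    """
    if n < 1:
        raise ValueError("sequence length must be >= 1")
    return [tuple(instructions[i:i + n]) for i in range(len(instructions) - n + 1)]


def feature_vector(report, level, n, normalize=False):
    """Count sequence occurrences; optionally scale to unit L2 length.

    Returns {sequence tuple: count or weight}. Empty when no sequence of
    length n exists in the report. L2 normalization is an assumption; the
    abstract does not say which normalization the experiments used.
    """
    counts = Counter(ngrams(mist_encode(report, level), n))
    if not normalize or not counts:
        return dict(counts)
    norm = sqrt(sum(c * c for c in counts.values()))
    return {seq: c / norm for seq, c in counts.items()}


if __name__ == "__main__":
    for level in (1, 2):
        for n in (1, 2, 3):
            vec = feature_vector(SAMPLE_REPORT, level, n)
            print(f"MIST level {level}, sequence length {n}: {len(vec)} distinct features")
```

Running the block on the constructed report shows why the level matters: at level 1 the two `filesystem.open` calls collapse into one feature, while at level 2 their different paths keep them apart, so the level-2 vector has more distinct features from the same report. Long sequence lengths, on the other hand, produce empty vectors for samples that issued fewer calls than the chosen length, which is one reason a range of lengths has to be tested rather than assumed.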