Malware samples are created at a pace that makes it difficult for analysis to keep up. When analyzing an unknown malware sample, it is important to assess its capabilities, both to determine how much damage it can do to its victims and to decide which threats should be dealt with first. In a corporate environment, for example, an infection that steals financial information is far more critical than one that sends email spam, and should be handled with the highest priority. In this paper we present a statistical approach that determines causal relations between a specific trigger action (e.g., a user visiting a certain website in the browser) and the behavior of a malware sample. We show that we can learn the typology of a malware sample by presenting it with a number of trigger actions commonly performed by users and studying which of these events the malware reacts to. We show that our approach correctly infers causal relations between information-stealing malware and login events on websites, as well as between adware and websites containing advertisements.
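The following is an added illustration of the general idea behind the abstract, not the method or code from the CSET '17 paper: the analyst performs a set of user-like trigger actions while a sample runs, records when the sample makes outbound connections, and then tests statistically whether connections follow one trigger type more often than chance would explain. The trigger trace, the connection timestamps, the 5 s reaction window and the exact label-permutation test are all assumptions chosen for this example; the two constructed samples imitate an information stealer that reacts to logins and an adware sample that reacts to advertisement-bearing pages, with periodic beacons added as noise.

```python
"""Added example: which trigger actions does a sandboxed sample react to?

Not the CSET '17 paper's method.  Window length, statistic and traces are
assumptions made for this illustration.
"""
import itertools
from collections import Counter

WINDOW = 5.0  # seconds after a trigger within which a connection counts as a reaction (assumed)

# Constructed trace of trigger actions the analyst performed: (timestamp, type).
TRIGGERS = [
    (10.0, "login"), (40.0, "visit_ads"), (70.0, "login"), (100.0, "read_news"),
    (130.0, "visit_ads"), (160.0, "login"), (190.0, "read_news"), (220.0, "visit_ads"),
]

# Constructed background noise: a C2 beacon every 30 s, unrelated to any trigger.
BEACONS = [25.0, 55.0, 85.0, 115.0, 145.0, 175.0, 205.0, 235.0]

# Constructed outbound-connection timestamps for two hypothetical samples.
STEALER_CONNECTIONS = sorted([11.2, 12.0, 71.0, 72.5, 161.3, 162.0] + BEACONS)   # fires after logins
ADWARE_CONNECTIONS = sorted([41.0, 42.5, 131.0, 221.5] + BEACONS)                 # fires after ad pages


def trigger_reacted(trigger_times, events, window=WINDOW):
    """For each trigger time, True if at least one event follows it within `window` seconds."""
    return [any(t < e <= t + window for e in events) for t in trigger_times]


def exact_pvalue(reacted, k, observed_hits):
    """P(a random choice of k trigger slots contains >= observed_hits reacting slots).

    Null hypothesis: the sample ignores this trigger type, so its k occurrences
    are just an arbitrary subset of all trigger slots.  Enumerating every subset
    of size k gives an exact one-sided p-value; periodic beacons that do not
    line up with the triggers do not inflate it.
    """
    n = len(reacted)
    total = extreme = 0
    for subset in itertools.combinations(range(n), k):
        total += 1
        if sum(reacted[i] for i in subset) >= observed_hits:
            extreme += 1
    return extreme / total


def infer_reactive_triggers(triggers, events, window=WINDOW, alpha=0.05):
    """Return {trigger_type: p_value} for the trigger types the sample reacts to (p < alpha)."""
    times = [t for t, _ in triggers]
    kinds = [k for _, k in triggers]
    reacted = trigger_reacted(times, events, window)
    result = {}
    for kind, count in Counter(kinds).items():
        hits = sum(1 for r, k in zip(reacted, kinds) if k == kind and r)
        p = exact_pvalue(reacted, count, hits)
        if p < alpha:
            result[kind] = p
    return result


if __name__ == "__main__":
    for name, events in (("stealer-like", STEALER_CONNECTIONS), ("adware-like", ADWARE_CONNECTIONS)):
        print(name, infer_reactive_triggers(TRIGGERS, events))
```

With only eight triggers the smallest attainable p-value for a type repeated three times is 1/56, so a real experiment needs enough repetitions of each trigger (and a window matched to the sample's observed latency) before the test can separate a genuine reaction from coincidence; a sample that reacts to everything, or to nothing, yields no reactive types under this test.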
Number of pages: 8
Publication status: Published - Aug 2017
Event: 10th USENIX Workshop on Cyber Security Experimentation and Test - Vancouver, Canada
Duration: 14 Aug 2017 → …
Conference: 10th USENIX Workshop on Cyber Security Experimentation and Test
Abbreviated title: CSET '17
Period: 14/08/17 → …