Automatically generating malware analysis reports using sandbox logs

Bo Sun, Akinori Fujino, Tatsuya Mori, Tao Ban, Takeshi Takahashi, Daisuke Inoue

    Research output: Contribution to journalArticle

    1 Citation (Scopus)

    Abstract

    Analyzing a malware sample requires much more time and cost than creating it. To understand the behavior of a given malware sample, security analysts often make use of API call logs collected by the dynamic malware analysis tools such as a sandbox. As the amount of the log generated for a malware sample could become tremendously large, inspecting the log requires a time-consuming effort. Meanwhile, antivirus vendors usually publish malware analysis reports (vendor reports) on their websites. These malware analysis reports are the results of careful analysis done by security experts. The problem is that even though there are such analyzed examples for malware samples, associating the vendor reports with the sandbox logs is difficult. This makes security analysts not able to retrieve useful information described in vendor reports. To address this issue, we developed a system called AMAR-Generator that aims to automate the generation of malware analysis reports based on sandbox logs by making use of existing vendor reports. Aiming at a convenient assistant tool for security analysts, our system employs techniques including template matching, API behavior mapping, and malicious behavior database to produce concise human-readable reports that describe the malicious behaviors of malware programs. Through the performance evaluation, we first demonstrate that AMAR-Generator can generate human-readable reports that can be used by a security analyst as the first step of the malware analysis. We also demonstrate that AMAR-Generator can identify the malicious behaviors that are conducted by malware from the sandbox logs; the detection rates are up to 96.74%, 100%, and 74.87% on the sandbox logs collected in 2013, 2014, and 2015, respectively. We also present that it can detect malicious behaviors from unknown types of sandbox logs.

    Original languageEnglish
    Pages (from-to)2622-2632
    Number of pages11
    JournalIEICE Transactions on Information and Systems
    VolumeE101D
    Issue number11
    DOIs
    Publication statusPublished - 2018 Nov 1

    Keywords

    • Automated report generating
    • Malware analysis
    • Natural language processing
    • Sandbox logs

    ASJC Scopus subject areas

    • Software
    • Hardware and Architecture
    • Computer Vision and Pattern Recognition
    • Electrical and Electronic Engineering
    • Artificial Intelligence

    Fingerprint Dive into the research topics of 'Automatically generating malware analysis reports using sandbox logs'. Together they form a unique fingerprint.

  • Cite this