Invincea Labs’s research engineers published two papers in this year’s proceedings of Visualization for Cyber Security (VizSec). The papers describe research that the authors and their teammates performed on DARPA’s Cyber Genome program for performing malware analysis at scale.
In the first paper, Robert Gove and his coauthors describe their work on the Similarity Evidence Explorer for Malware (SEEM). SEEM is a scalable visualization for comparing sets of attributes and components between malware samples. Malware analysts often need to understand if they are analyzing a novel malware sample, or if the sample they are analyzing is a variant of an existing sample, and how the sample is different (e.g. did it add or remove components such as a keylogger). This novel visual comparison tool allows malware analysts to do just that. SEEM is integrated in Cynomix, a scalable system for performing malware triage and analysis. Cynomix is currently in beta, and users can request an account from www.cynomix.org.
The second paper describes the research performed by Alex Long and his teammates to analyze the image resources in malware binares, such as icons, background images, and UI skins. Their research extracts image resources from malware, performs a scale-invariant transformation on the images, and then computes the similarity between the set of images in one malware binary and the sets of images extracted from other malware binaries. They conducted a survey with malware analysts to gauge their interest in a tool to analyze malware image sets, and found that analysts were enthusiastic about adding an image set analysis tool to their toolsuite.
- Gove R, Saxe J, Gold S, Long A, and Bergamo G (2014), “A Scalable Visualization for Comparing Multiple Large Sets of Attributes for Malware Analysis”, VizSec 2014.
- Long A, Saxe J, Gove R (2014), “Detecting Malware Samples with Similar Image Sets”, VizSec 2014.