PhD Proposal Miuyin Yong Wong
Title: Narrowing the Gap between Research and Practice through the Understanding of Malware Analysis Workflows
Date: Friday, December 8th, 2023
Time: 2:00 PM -- 3:00 PM EST
Location (in-person): CODA C1308 Cabbagetown
Dr. Mustaque Ahamad (Advisor), School of Cybersecurity and Privacy, Georgia Institute of Technology
Dr. Fabian Monrose, School of Electrical and Computer Engineering, Georgia Institute of Technology
Dr. Frank Li, School of Cybersecurity and Privacy, Georgia Institute of Technology
Dr. Douglas Blough, School of Electrical and Computer Engineering, Georgia Institute of Technology
Malicious software, or malware, presents a serious cybersecurity challenge, threatening individuals, organizations, and nation-states. To combat malware and prevent further attacks launched with it, it is essential to understand the malware's intent and its impact on targeted systems. This process is usually referred to as malware analysis. Over the years, there have been significant research advances in automating malware analysis. Despite these advances, human analysts still play an indispensable role in keeping defenses against malware current and effective. Unfortunately, important parts of the manual analysis process that analysts use in practice remain unexplored. To help address this gap, this thesis focuses on understanding a human-centric approach to malware analysis.
In this proposal, I will begin by presenting the findings from a user study with 21 practicing malware analysts. This study allowed us to define a taxonomy of malware analysts' objectives, identify five common analysis workflows, and highlight common challenges these analysts face. Next, I will present the results of a comparative analysis that contrasts the findings of a systematic mapping of malware evasion countermeasures with the insights gained from a user study on malware evasion. This comparison reveals several gaps between the real challenges faced by malware experts dealing with evasive malware and the focus of research solutions. Moreover, it highlights future research directions that can help analysts overcome challenging evasion techniques. Lastly, I will propose my remaining work, which aims to help analysts overcome some of the identified challenges that arise from evasion tactics, using a human-in-the-loop approach. Its goal is to use sandbox systems to provide information that analysts can use during malware analysis.