Security and Privacy in Communication Networks. 17th EAI International Conference, SecureComm 2021, Virtual Event, September 6–9, 2021, Proceedings, Part I

Research Article

Automatic Generation of Malware Threat Intelligence from Unstructured Malware Traces

Download
226 downloads
  • @INPROCEEDINGS{10.1007/978-3-030-90019-9_3,
        author={Yuheng Wei and Futai Zou},
        title={Automatic Generation of Malware Threat Intelligence from Unstructured Malware Traces},
        proceedings={Security and Privacy in Communication Networks. 17th EAI International Conference, SecureComm 2021, Virtual Event, September 6--9, 2021, Proceedings, Part I},
        proceedings_a={SECURECOMM},
        year={2021},
        month={11},
        keywords={Malware Threat intelligence Indicators of compromise},
        doi={10.1007/978-3-030-90019-9_3}
    }
    
  • Yuheng Wei
    Futai Zou
    Year: 2021
    Automatic Generation of Malware Threat Intelligence from Unstructured Malware Traces
    SECURECOMM
    Springer
    DOI: 10.1007/978-3-030-90019-9_3
Yuheng Wei1, Futai Zou1
  • 1: Shanghai Jiao Tong University

Abstract

Sharing plenty and accurate structured Cyber Threat Intelligence (CTI) will play a pivotal role in adapting to rapidly evolving cyber attacks and malware. However, the traditional CTI generation methods are extremely time and labor-consuming. The recent work focuses on extracting CTI from well structured Open Source Intelligence (OSINT). However, many challenges are still to generate CTI and Indicators of Compromise(IoC) from non-human-written malware traces. This work introduces a method to automatically generate concise, accurate and understandable CTI from unstructured malware traces. For a specific class of malware, we first construct the IoC expressions set from malware traces. Furthermore, we combine the generated IoC expressions and other meaningful information in malware traces to organize the threat intelligence which meets open standards such as Structured Threat Information Expression (STIX). We evaluate our algorithm on real-world dataset. The experimental results show that our method achieves a high average recall rate of 89.4% on the dataset and successfully generates STIX reports for every class of malware, which means our methodology is practical enough to automatically generate effective IoC and CTI.