A new research paper on CrowdSource from Invincea Labs, led by Associate Research Director Josh Saxe, has been accepted for publication at MALWARE 2014; Josh Saxe will present it at the conference, October 28-30. Funded by DARPA’s Cyber Fast Track, CrowdSource advances automated malware analysis by mining web technical documents, such as Stack Overflow posts, to predict the capabilities of malware samples. This approach harnesses the web “crowd” and thereby draws on a far broader body of knowledge than any single malware reverse engineer.
Below is the abstract for the paper:
In this paper we introduce CrowdSource, a statistical natural language processing system designed to make rapid inferences about malware functionality based on printable character strings extracted from malware binaries. CrowdSource “learns” a mapping between low-level language and high-level software functionality by leveraging millions of web technical documents from StackExchange, a popular network of technical question and answer sites, using this mapping to infer malware capabilities. This paper describes our approach and provides an evaluation of its accuracy and performance, demonstrating that it can detect at least 14 high-level malware capabilities in unpacked malware binaries with an average per-capability f-score of 0.86 and at a rate of tens of thousands of binaries per day on commodity hardware.
Saxe J, Turner R, and Blokhin K (2014), “CrowdSource: Automated inference of high level malware functionality from low-level symbols using a crowd trained machine learning model”, Malicious and Unwanted Software: The Americas (MALWARE) 2014.
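The abstract describes a pipeline with three parts: extract printable strings from an unpacked binary, apply a mapping from low-level terms to high-level capabilities, and measure the result with a per-capability f-score. The script below is an added example that sketches that shape for a triage analyst; it is not CrowdSource's code or model. The term-to-capability weights are hand-written for illustration (the paper's contribution is learning such a mapping from StackExchange documents), the "binaries" are constructed byte blobs, and the capability names, threshold and helper functions are all assumptions of this example.

```python
"""Toy strings -> capability inference with per-capability F-score evaluation.
Added example: the weights, samples and labels below are constructed for
illustration and are not the CrowdSource model or its evaluation data."""
from __future__ import annotations

import re
from collections import defaultdict
from typing import Dict, List, Set

# Hand-constructed term -> capability evidence weights (assumption: a learned
# model would derive these from technical documents instead of by hand).
TERM_WEIGHTS: Dict[str, Dict[str, float]] = {
    "network": {"wininet.dll": 1.0, "internetopenurla": 1.0, "httpsendrequesta": 1.0,
                "ws2_32.dll": 0.8, "socket": 0.6, "user-agent": 0.5},
    "registry_persistence": {"regsetvalueexa": 0.9, "regcreatekeyexa": 0.7,
                             "currentversion\\run": 1.0},
    "file_system": {"createfilea": 0.5, "writefile": 0.5, "deletefilea": 0.6,
                    "findfirstfilea": 0.6},
}
THRESHOLD = 1.0  # summed evidence needed before a capability is reported

# Constructed stand-in "binaries": printable runs embedded among junk bytes.
SAMPLES: Dict[str, bytes] = {
    "A": b"MZ\x90\x00\x03\x00WININET.dll\x00\x01\x02InternetOpenUrlA\x00\xff\xfe"
         b"RegSetValueExA\x00Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00",
    "B": b"\x00\x00CreateFileA\x00WriteFile\x00\x7f\x7fFindFirstFileA\x00",
    "C": b"\x00socket\x00User-Agent: Mozilla/4.0\x00CreateFileA\x00WriteFile\x00",
    "D": b"\x00\x01RegCreateKeyExA\x00\x02",
}
# Constructed ground-truth labels, deliberately including one sample whose
# evidence is too weak to cross the threshold (D) and one with an unlabelled
# file-system capability the scorer will flag (C).
LABELS: Dict[str, Set[str]] = {
    "A": {"network", "registry_persistence"},
    "B": {"file_system"},
    "C": {"network"},
    "D": {"registry_persistence"},
}


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return runs of at least min_len printable ASCII bytes, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def infer_capabilities(data: bytes) -> Dict[str, float]:
    """Sum evidence per capability from the lowercased extracted strings and
    report only capabilities whose total reaches THRESHOLD."""
    strings = [s.lower() for s in extract_strings(data)]
    scores: Dict[str, float] = defaultdict(float)
    for cap, terms in TERM_WEIGHTS.items():
        for term, weight in terms.items():
            if any(term in s for s in strings):
                scores[cap] += weight
    return {cap: round(v, 2) for cap, v in scores.items() if v >= THRESHOLD}


def per_capability_fscore(predictions: List[Set[str]],
                          labels: List[Set[str]]) -> Dict[str, float]:
    """F1 per capability over a corpus, the metric the abstract reports."""
    out: Dict[str, float] = {}
    for cap in TERM_WEIGHTS:
        tp = sum(1 for p, l in zip(predictions, labels) if cap in p and cap in l)
        fp = sum(1 for p, l in zip(predictions, labels) if cap in p and cap not in l)
        fn = sum(1 for p, l in zip(predictions, labels) if cap not in p and cap in l)
        precision = tp / (tp + fp) if tp + fp else 0.0
        recall = tp / (tp + fn) if tp + fn else 0.0
        f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
        out[cap] = round(f1, 2)
    return out


def evaluate_corpus() -> Dict[str, float]:
    """Run inference over every constructed sample and score it against LABELS."""
    names = sorted(SAMPLES)
    predictions = [set(infer_capabilities(SAMPLES[n])) for n in names]
    labels = [LABELS[n] for n in names]
    return per_capability_fscore(predictions, labels)


if __name__ == "__main__":
    for name in sorted(SAMPLES):
        print(name, extract_strings(SAMPLES[name]), infer_capabilities(SAMPLES[name]))
    print("per-capability F1:", evaluate_corpus())
```

Two things the toy makes visible that matter when reading the paper's numbers: a threshold trades recall (sample D is missed) for precision (sample C is over-reported), and the f-score has to be computed per capability because each one has its own false positive and false negative profile. Packed or obfuscated samples would yield few usable strings, which is why the abstract scopes its result to unpacked binaries.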