Malicious applications are usually comprehended through two major techniques, namely static and dynamic analyses. Through static analysis, a given malicious program is parsed, and some representative artifacts (e.g., control-flow graphs) are produced without any execution; whereas, the given malicious application needs to be executed when conducting dynamic analysis. These two mainstream techniques for analyzing the given software are effective in detecting certain classes of malware. More specifically, through static analysis, the patterns and signature of the malware are exposed, helping in detecting any known malicious payload hidden in or injected into the code. On the other hand, behavioral and run-time execution patterns of software are explored through dynamic analysis. To ease the analysis process, a third analysis approach, known as the visual representation of the artifacts created by both static and dynamic analysis tools, would also be a supplementary asset for malware experts. This paper introduces MalView, an interactive visualization platform, for malware analysis by which pattern matching techniques on both signature-based and behavioral analysis artifacts can be utilized to 1) classify malware, 2) identify the intention and location of the malicious payload in the artifacts, 3) analyze unknown malware (i.e., zero-day malware) by recognizing any unusual signature or behavior, and 4) explore the time dependencies and thus the system components affected or tampered by the underlying malware. The results of several case studies conducted in this work show that MalView offers more features and information compared to some other visualization tools, facilitating the malware analysis process.
National Science Foundation
dynamic analysis, Malware analysis, malware visualization system, visual analytics
Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.
Huyen N. Nguyen, Faranak Abri, Vung Pham, Moitrayee Chatterjee, Akbar Siami Namin, and Tommy Dang. "MalView: Interactive Visual Analytics for Comprehending Malware Behavior" IEEE Access (2022): 99909-99930. https://doi.org/10.1109/ACCESS.2022.3207782