CR · Jun 18, 2020

AVClass2: Massive Malware Tag Extraction from AV Labels

arXiv:2006.10615v2 · 140 citations
Originality: Incremental advance
AI Analysis

This work addresses the need for efficient malware categorization and indexing in large-scale repositories, representing an incremental improvement over existing tools like AVClass and Euphony.

The authors tackle the problem of extracting diverse tags from antivirus labels to categorize malware samples, presenting AVClass2, which automatically identifies and organizes tags from 42 million samples to enable advanced searches and to maintain an updated knowledge base.

Tags can be used by malware repositories and analysis services to enable searches for samples of interest across different dimensions. Automatically extracting tags from AV labels is an efficient approach to categorize and index massive amounts of samples. Recent tools like AVClass and Euphony have demonstrated that, despite their noisy nature, it is possible to extract family names from AV labels. However, beyond the family name, AV labels contain much valuable information such as malware classes, file properties, and behaviors. This work presents AVClass2, an automatic malware tagging tool that, given the AV labels for a potentially massive number of samples, extracts clean tags that categorize the samples. AVClass2 uses, and helps build, an open taxonomy that organizes concepts in AV labels, but is not constrained to a predefined set of tags. To keep itself updated as AV vendors introduce new tags, it provides an update module that automatically identifies new taxonomy entries, as well as tagging and expansion rules that capture relations between tags. We have evaluated AVClass2 on 42M samples and show how it enables advanced malware searches and maintaining an updated knowledge base of malware concepts in AV labels.
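The abstract names the three ingredients of the approach: a taxonomy that assigns each label token a category, tagging rules that map vendor aliases onto canonical tags, and expansion rules that make one tag imply others. The following Python is an added illustration of that pipeline, written for this page; it is not AVClass2's own code, and the taxonomy, rules, generic-token list and AV labels are all constructed stand-ins (the real tool ships its own data files and far larger rule sets). It also shows the bookkeeping behind the update module: tokens that match nothing are counted per sample so that frequently recurring ones can be proposed as new taxonomy entries.

```python
"""Simplified AVClass2-style tag extraction (illustration, not the real tool)."""
import re
from collections import Counter

# Constructed toy taxonomy: canonical tag -> category (family, class,
# file property, behavior). Hypothetical stand-in for AVClass2's taxonomy file.
TAXONOMY = {
    "zbot": "FAM", "emotet": "FAM", "mirai": "FAM",
    "trojan": "CLASS", "worm": "CLASS", "backdoor": "CLASS", "ransomware": "CLASS",
    "win32": "FILE", "elf": "FILE", "android": "FILE", "packed": "FILE", "upx": "FILE",
    "ddos": "BEH", "infosteal": "BEH", "spam": "BEH",
}
# Tagging rules: raw label token (vendor alias) -> canonical tag.
TAGGING = {"zeus": "zbot", "trojanspy": "infosteal", "pws": "infosteal"}
# Expansion rules: a tag implies further tags; applied to a fixpoint.
EXPANSION = {"mirai": ["ddos", "elf"], "upx": ["packed"], "ransomware": ["trojan"]}
# Generic tokens that carry no information and are dropped outright.
GENERIC = {"generic", "gen", "heur", "malware", "variant", "agent"}

TOKEN_RE = re.compile(r"[a-z0-9]+")


def tokenize(label):
    """Lowercase an AV label, split on non-alphanumerics, drop noise tokens."""
    out = []
    for tok in TOKEN_RE.findall(label.lower()):
        if len(tok) < 3 or tok.isdigit() or tok in GENERIC:
            continue
        out.append(tok)
    return out


def expand(tags):
    """Apply expansion rules transitively until no new tag appears."""
    result = set(tags)
    stack = list(tags)
    while stack:
        tag = stack.pop()
        for implied in EXPANSION.get(tag, ()):
            if implied not in result:
                result.add(implied)
                stack.append(implied)
    return result


def label_to_tags(label):
    """Return (canonical tags, unknown tokens) for a single vendor label."""
    tags, unknown = set(), set()
    for tok in tokenize(label):
        tok = TAGGING.get(tok, tok)  # alias -> canonical
        if tok in TAXONOMY:
            tags.add(tok)
        else:
            unknown.add(tok)  # candidate for the update module
    return expand(tags), unknown


def tag_sample(av_labels, min_votes=2):
    """Aggregate per-vendor tags for one sample.

    av_labels maps vendor -> label. Each vendor votes at most once per tag,
    so a vendor repeating a token cannot inflate its weight. Tags below
    min_votes are discarded; the family is the best-supported FAM tag.
    """
    votes, unknown_votes = Counter(), Counter()
    for label in av_labels.values():
        tags, unknown = label_to_tags(label)
        votes.update(tags)
        unknown_votes.update(unknown)
    kept = {f"{TAXONOMY[t]}:{t}": n for t, n in votes.items() if n >= min_votes}
    fams = [(n, t) for t, n in votes.items() if TAXONOMY[t] == "FAM" and n >= min_votes]
    return {
        "family": max(fams)[1] if fams else None,
        "tags": dict(sorted(kept.items(), key=lambda kv: (-kv[1], kv[0]))),
        "unknown": dict(unknown_votes),
    }


# Constructed vendor labels for two samples (not real scanner output).
SAMPLE_ZBOT = {
    "VendorA": "Trojan:Win32/Zbot.gen!A",
    "VendorB": "W32.Zeus.TrojanSpy",
    "VendorC": "Win32/Generic.Trojan.PWS.Zbot",
    "VendorD": "HEUR:Trojan.Win32.Generic",
    "VendorE": "Packed.Win32.UPX.Zbot.C",
}
SAMPLE_MIRAI = {
    "VendorA": "Linux.Mirai.b",
    "VendorB": "ELF:Mirai-A [Trj]",
    "VendorC": "Trojan.Linux.Mirai",
}

if __name__ == "__main__":
    for name, labels in (("zbot", SAMPLE_ZBOT), ("mirai", SAMPLE_MIRAI)):
        print(name, tag_sample(labels))
```

Two things worth noticing when running it. The Mirai sample gets FILE:elf and BEH:ddos from only one vendor's literal "ELF" token; the rest of the support comes from the expansion rule on the family tag, which is how expansion lets a family name carry the properties every analyst already associates with it. The token "linux" appears in two of three labels but matches nothing, so it surfaces in the unknown counts; at corpus scale that is exactly the signal an update module uses to propose a new FILE entry (and a tagging rule such as "w32" for the Zbot sample's odd vendor).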

Code Implementations: 1 repo
Foundations

The foundational work for this paper's niche, ranked by how specifically the neighbourhood builds on it — not by global fame.
