Jan 18, 2021

MIMOSA: Reducing Malware Analysis Overhead with Coverings

arXiv:2101.07328v1
13 citations
Originality: Incremental advance

AI Analysis

This addresses the challenge of scalable malware analysis for security practitioners by offering a tunable method to reduce overhead, though it is incremental in optimizing existing approaches.

The paper tackles the problem of malware samples evading automated analysis by detecting analysis artifacts, proposing MIMOSA to identify a small set of tool configurations that increase analysis throughput over state of the art on over 95% of 1535 stealthy malware samples.

There is a growing body of malware samples that evade automated analysis and detection tools. Malware may measure fingerprints ("artifacts") of the underlying analysis tool or environment and change its behavior when artifacts are detected. While analysis tools can mitigate artifacts to reduce exposure, such concealment is expensive. However, not every sample checks for every type of artifact; analysis efficiency can be improved by mitigating only those artifacts most likely to be used by a sample. Using that insight, we propose MIMOSA, a system that identifies a small set of "covering" tool configurations that collectively defeat most malware samples with increased efficiency. MIMOSA identifies a set of tool configurations that maximize analysis throughput and detection accuracy while minimizing manual effort, enabling scalable automation to analyze stealthy malware. We evaluate our approach against a benchmark of 1535 labeled stealthy malware samples. Our approach increases analysis throughput over the state of the art on over 95% of these samples. We also investigate cost-benefit tradeoffs between the fraction of successfully analyzed samples and the computing resources required. MIMOSA provides a practical, tunable method for efficiently deploying analysis resources.

Code Implementations: 1 repo