Sandbox Sample Classification Using Behavioral Indicators of Compromise
This work addresses malware detection for cybersecurity practitioners, but it appears incremental as it builds on existing methods like Logistic Regression and Naive Bayes with a Monte Carlo-inspired approach.
The paper tackles the problem of classifying sandbox samples as malicious or benign using Behavioral Indicators of Compromise (BICs) extracted from system function calls in a virtual environment, achieving numerical results based on data from ThreatGRID and ReversingLabs.
Behavioral Indicators of Compromise are associated with various automated methods used to extract the sample behavior by observing the system function calls performed in a virtual execution environment. Thus, every sample is described by a set of BICs triggered by the sample behavior in the sandbox environment. Here we discuss a Machine Learning approach to the classification of the sandbox samples as MALICIOUS or BENIGN, based on the list of triggered BICs. Besides the more traditional methods like Logistic Regression and Naive Bayes Classification we also discuss a different approach inspired by the statistical Monte Carlo methods. The numerical results are illustrated using ThreatGRID and ReversingLabs data.