Automatically Generating Malware Analysis Reports Using Sandbox Logs

Bo SUN  Akinori FUJINO  Tatsuya MORI  Tao BAN  Takeshi TAKAHASHI  Daisuke INOUE  

IEICE TRANSACTIONS on Information and Systems   Vol.E101-D   No.11   pp.2622-2632
Publication Date: 2018/11/01
Publicized: 2018/08/22
Online ISSN: 1745-1361
DOI: 10.1587/transinf.2017ICP0011
Type of Manuscript: Special Section PAPER (Special Section on Information and Communication System Security)
Category: Network Security
sandbox logs,  malware analysis,  automated report generating,  natural language processing,  

Full Text: PDF(934.9KB)>>
Buy this Article

Analyzing a malware sample requires much more time and cost than creating it. To understand the behavior of a given malware sample, security analysts often make use of API call logs collected by the dynamic malware analysis tools such as a sandbox. As the amount of the log generated for a malware sample could become tremendously large, inspecting the log requires a time-consuming effort. Meanwhile, antivirus vendors usually publish malware analysis reports (vendor reports) on their websites. These malware analysis reports are the results of careful analysis done by security experts. The problem is that even though there are such analyzed examples for malware samples, associating the vendor reports with the sandbox logs is difficult. This makes security analysts not able to retrieve useful information described in vendor reports. To address this issue, we developed a system called AMAR-Generator that aims to automate the generation of malware analysis reports based on sandbox logs by making use of existing vendor reports. Aiming at a convenient assistant tool for security analysts, our system employs techniques including template matching, API behavior mapping, and malicious behavior database to produce concise human-readable reports that describe the malicious behaviors of malware programs. Through the performance evaluation, we first demonstrate that AMAR-Generator can generate human-readable reports that can be used by a security analyst as the first step of the malware analysis. We also demonstrate that AMAR-Generator can identify the malicious behaviors that are conducted by malware from the sandbox logs; the detection rates are up to 96.74%, 100%, and 74.87% on the sandbox logs collected in 2013, 2014, and 2015, respectively. We also present that it can detect malicious behaviors from unknown types of sandbox logs.