Malheur: Automatic Analysis of Malware Behavior
Malheur is a tool for the automatic analysis of malware behavior. It has been designed to support the regular analysis of malicious software and the development of detection and defense measures. Malheur allows for identifying novel classes of malware with similar behavior and for assigning unknown malware to the discovered classes.
Malheur supports four basic actions for analysis, which together allow it to discover novel classes of malware:
- Extraction of prototypes: Malheur identifies a subset of prototypes that is representative of the full data set.
- Clustering of behavior: Malheur automatically identifies groups (clusters) of reports containing similar behavior.
- Classification of behavior: Malheur assigns unknown behavior to known groups of malware.
- Incremental analysis: Malheur can be applied incrementally to large data sets. By processing reports in chunks, the run-time can be significantly reduced, which makes applying Malheur to large data sets feasible.
Analysis of malware behavior by Malheur:
Malware binaries are collected in the wild and executed in a sandbox, where their behavior is monitored at run-time. Malheur analyzes the resulting reports using machine learning to discover and discriminate classes of malware. It can be applied to recorded behavior in various formats, for example reports generated by CWSandbox, Anubis, Norman Sandbox and Joebox.
Actions & Options of Malheur
Malheur supports different actions for the analysis of a data set. For all actions, the reports are first mapped to a high-dimensional vector space.
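The following script is an added example, not Malheur's own code, that walks through the four actions above on top of such a vector-space embedding. The sandbox reports are constructed for the example (sequences of API call names), and the concrete choices, a normalized call-bigram embedding, greedy distance-threshold prototype extraction, nearest-prototype clustering, and nearest-prototype classification with a rejection distance, are simplifications assumed here to illustrate the pipeline; they are not a description of Malheur's actual feature extraction or algorithms.

```python
"""Illustrative pipeline: embed behavior reports, extract prototypes, cluster,
classify. Added example; the embedding and the algorithms are assumptions
chosen for illustration, not Malheur's own implementation."""
from collections import Counter
import math

# Constructed sample reports: each is a monitored sequence of API calls
# (two variants of a "bot" and two variants of a "dropper").
REPORTS = {
    "bot-a": ["CreateFile", "WriteFile", "RegSetValue", "connect", "send"],
    "bot-b": ["CreateFile", "WriteFile", "RegSetValue", "connect", "send", "recv"],
    "dropper-a": ["CreateFile", "WriteFile", "CreateProcess", "ExitProcess"],
    "dropper-b": ["CreateFile", "WriteFile", "CreateFile", "WriteFile",
                  "CreateProcess", "ExitProcess"],
}


def embed(calls, n=2):
    """Map a report to a unit-length sparse vector of call n-grams.
    Assumption for this example: n=2 (bigrams of consecutive calls)."""
    grams = Counter(tuple(calls[i:i + n]) for i in range(len(calls) - n + 1))
    norm = math.sqrt(sum(c * c for c in grams.values())) or 1.0
    return {g: c / norm for g, c in grams.items()}


def distance(u, v):
    """Euclidean distance between two sparse vectors (missing keys count as 0)."""
    keys = set(u) | set(v)
    return math.sqrt(sum((u.get(k, 0.0) - v.get(k, 0.0)) ** 2 for k in keys))


def extract_prototypes(vectors, max_dist):
    """Greedy prototype extraction: a report becomes a new prototype if it lies
    farther than max_dist from every prototype chosen so far, so the prototypes
    cover the data set at resolution max_dist."""
    protos = []
    for name, vec in vectors.items():
        if all(distance(vec, vectors[p]) > max_dist for p in protos):
            protos.append(name)
    return protos


def cluster(vectors, protos):
    """Clustering: assign every report to its nearest prototype."""
    clusters = {p: [] for p in protos}
    for name, vec in vectors.items():
        nearest = min(protos, key=lambda p: distance(vec, vectors[p]))
        clusters[nearest].append(name)
    return clusters


def classify(unknown_calls, vectors, protos, reject_dist):
    """Classification: assign an unknown report to the nearest known prototype,
    or return None (reject as novel behavior) if it is too far from all of them."""
    vec = embed(unknown_calls)
    nearest = min(protos, key=lambda p: distance(vec, vectors[p]))
    return nearest if distance(vec, vectors[nearest]) <= reject_dist else None


def run_pipeline(reports=REPORTS, max_dist=1.0, reject_dist=0.8):
    """Run all steps on a report set; thresholds are example values."""
    vectors = {name: embed(calls) for name, calls in reports.items()}
    protos = extract_prototypes(vectors, max_dist)
    clusters = cluster(vectors, protos)
    # Constructed unknowns: one bot-like variant and one unrelated report.
    unknown_bot = ["CreateFile", "WriteFile", "RegSetValue", "connect", "send", "send"]
    unknown_new = ["LoadLibrary", "GetProcAddress", "VirtualAlloc", "WriteProcessMemory"]
    return {
        "prototypes": protos,
        "clusters": clusters,
        "bot_label": classify(unknown_bot, vectors, protos, reject_dist),
        "new_label": classify(unknown_new, vectors, protos, reject_dist),
    }


if __name__ == "__main__":
    for key, value in run_pipeline().items():
        print(f"{key}: {value}")
```

Incremental analysis maps onto the same functions: keep the prototypes and their vectors from earlier chunks, run `classify` on each new chunk first, and only feed the rejected (novel) reports into `extract_prototypes` and `cluster`, so each chunk costs work proportional to the number of prototypes rather than to the whole history.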