Abstract

Malware poses risks by compromising both data integrity and system security. Proactive defense efforts have led to the adoption of malware scoring, allowing analysts to assess the severity and develop countermeasures. These scores indicate the degree of malware maliciousness based on triggered signatures. However, current scoring methods do not precisely depict the true extent of malware's maliciousness. This inaccuracy is attributed to an inadequate assessment of the impact of behaviour corresponding to signatures on both system and network resources. To address this limitation, the paper proposes a novel scoring approach that accurately quantifies the impact of signatures triggered by malware through co-occurrence analysis. The method assesses the ensemble behaviour of signatures across two phases. In the first phase of signature scoring, an impact score quantification algorithm initializes each signature to predefined severity score bands based on the studied severity and frequency. The second phase refines initial scores iteratively, considering mutual information among signatures co-occurring in the malware's execution. Experimental results validate the proposed method's ability to accurately reflect signature maliciousness. This novel scoring method enhances malware analysis platforms in generating more precise scores compared to traditional methods, thereby improving resilience against evolving malware threats in the dynamic cybersecurity landscape.
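The abstract names mutual information among co-occurring signatures as the input to the refinement phase but does not give the refinement rule itself. The following added example (not the paper's code) computes only that quantity, pairwise and in bits, over constructed sandbox reports; the signature names and report contents are hypothetical.

```python
import math
from collections import Counter
from itertools import combinations

# Constructed sample data: each set lists the signatures one analysed sample
# triggered. Signature names are hypothetical, not taken from the paper.
REPORTS = [
    {"creates_run_key", "injects_remote_thread", "queries_hostname"},
    {"creates_run_key", "injects_remote_thread"},
    {"queries_hostname"},
    set(),  # a sample that triggered none of the tracked signatures
]


def mutual_information(reports, sig_a, sig_b):
    """Mutual information (bits) between the 'triggered' indicators of two signatures."""
    n = len(reports)
    # Joint counts over the four (a triggered?, b triggered?) outcomes.
    joint = Counter((sig_a in r, sig_b in r) for r in reports)
    # Marginal probabilities derived from the joint counts.
    p_a, p_b = Counter(), Counter()
    for (a, b), count in joint.items():
        p_a[a] += count / n
        p_b[b] += count / n
    mi = 0.0
    # Only observed outcomes contribute, so no log(0) or division by zero occurs,
    # including for a signature that fires in every report or in none.
    for (a, b), count in joint.items():
        p_ab = count / n
        mi += p_ab * math.log2(p_ab / (p_a[a] * p_b[b]))
    return mi


def pairwise_mi(reports):
    """Mutual information for every unordered pair of signatures seen in the reports."""
    signatures = sorted(set().union(*reports))
    return {
        (a, b): mutual_information(reports, a, b)
        for a, b in combinations(signatures, 2)
    }


if __name__ == "__main__":
    for pair, bits in sorted(pairwise_mi(REPORTS).items(), key=lambda kv: -kv[1]):
        print(f"{pair[0]:>24} <-> {pair[1]:<24} {bits:.3f} bits")
```

Signatures that always fire together score high, while a signature that fires independently of the others scores zero against them.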
