Title: Understanding Malware Analysis Workflows To Narrow the Gap Between Research and Practice

Date/Time: Thursday, November 21, 2024, 3:30-5:30 pm

Location (in-person): Coda C0915 Atlantic

Zoom Link: https://gatech.zoom.us/j/92369263856


Miuyin Yong Wong

Ph.D. Candidate in Computer Science

School of Cybersecurity and Privacy

Georgia Institute of Technology


Committee:

Dr. Mustaque Ahamad (Advisor), School of Cybersecurity and Privacy, Georgia Institute of Technology

Dr. Fabian Monrose, School of Electrical and Computer Engineering, Georgia Institute of Technology

Dr. Frank Li, School of Cybersecurity and Privacy, Georgia Institute of Technology

Dr. Douglas Blough, School of Electrical and Computer Engineering, Georgia Institute of Technology

Dr. Elissa Redmiles, Department of Computer Science, Georgetown University


Abstract: 

Malicious software, or malware, presents a serious cybersecurity challenge, threatening individuals, organizations, and nation-states. To combat and prevent attacks launched with malware, it is essential to understand the malware’s intent and its impact on targeted systems. This process is usually referred to as malware analysis. Over the years, there have been significant research advances in automating the process of malware analysis. Despite these advances, human analysts still play an indispensable role in keeping defenses against malware current and effective. Unfortunately, important parts of the manual analysis process used by analysts in practice remain unexplored.

To help address this gap, this thesis explores a human-centric approach to malware analysis. I begin by presenting the findings from two user studies with malware analysts in practice. These studies allowed us to define a taxonomy of malware analysts’ objectives, identify analysis workflows, and highlight common challenges faced by these analysts. Next, I present the results of a comparative analysis that contrasts the findings from a systematic mapping of malware evasion countermeasures with insights gained from a user study on malware evasion. This comparison reveals several misalignments between the real challenges faced by malware experts dealing with evasive malware and the focus of research solutions. Moreover, it highlights future research directions that can help analysts overcome challenging evasion techniques. Lastly, I explore the effectiveness of Large Language Models (LLMs) as a human-centered tool to help analysts overcome some of the identified challenges that arise from evasion tactics.