Abstract: In method of identifying capabilities of a malware intrusion that has been detected by an intrusion detection system, a notification that the malware intrusion has been detected is received from the intrusion detection system. A memory image associated with the malware is then captured. The memory image is parsed and a prior execution context is reconstructed by loading a last central processing unit (CPU) state and memory state into a symbolic environment. Addresses and prototype summaries associated with the malware are extracted from the memory image from the symbolic environment. Paths that are possible for execution due to the malware based on the addresses and prototype summaries are determined. Each path is modeled and a probability of each path being executed with concrete data is assigned. Paths with a low probability of leaving a plurality of paths of interest are pruned.

Abstract: Embodiments relate to systems and methods for behavior-based automated malware analysis and classification. Aspects relate to platforms and techniques which access a set of samples of malware, and extract or capture a set of low-level behavioral artifacts produced by those samples. The low-level artifacts can be used to organize or identify a set of features, based upon which the sample can be classified and/or clustered into different labels, groups, or categories. The artifacts and/or features can be analyzed by one or more selectable algorithms, whose accuracy, efficiency, and other characteristics can be compared to one another for purposes of performing a classification or clustering task. The algorithm(s) can be selected by a user to achieve desired run times, accuracy levels, and/or other effects.

Abstract: Embodiments relate to systems and methods for behavior-based automated malware analysis and classification. Aspects relate to platforms and techniques which access a set of samples of malware, and extract or capture a set of low-level behavioral artifacts produced by those samples. The low-level artifacts can be used to organize or identify a set of features, based upon which the sample can be classified and/or clustered into different labels, groups, or categories. The artifacts and/or features can be analyzed by one or more selectable algorithms, whose accuracy, efficiency, and other characteristics can be compared to one another for purposes of performing a classification or clustering task. The algorithm(s) can be selected by a user to achieve desired run times, accuracy levels, and/or other effects.