Conference: IEEE International Conference on Intelligent Computer Communication and Processing

Semi-automated verdicts assignment for potentially malicious programs


Abstract

Deciding whether a given program is malicious is a recurring problem in anti-malware research, given that it is generally undecidable. Although field experts are able to classify samples correctly, the number of clean and malicious samples that appear every day is too high to rely on manual analysis alone. In practice, file collections are clustered and intensive analysis is performed only on a couple of representatives of each cluster. Automated analysis tools can also provide some insight into each file, but they are less reliable than human experts. Based on the assumption that similar programs are likely to share the same verdict, we propose a verdict inference algorithm that is able to auto-correct wrong verdicts or to request further manual analysis when auto-correction is not possible. The algorithm considers all available sources of information together with their reliability and assigns verdicts to all the samples in the cluster. The system was tested on a collection of more than 200000 clusters built using the single linkage approach on a collection of over 20 million samples.
