35th Annual Computer Security Applications Conference (ACSAC 2019)


# EIGER: Automated IOC Generation for Accurate and Interpretable Endpoint Malware Detection

A malware signature built from behavioral artifacts, namely an Indicator of Compromise (IOC), plays an important role in security operations such as endpoint detection and incident response. While building IOCs enables us to detect malware efficiently and perform incident analysis in a timely manner, IOC generation has not yet been fully automated. Two lines of promising approaches address this issue: regular expression-based signature generation and machine learning. However, each has a limitation: the former in accuracy, the latter in interpretability.

In this paper, we propose *EIGER*, a method to generate interpretable and yet accurate IOCs from given malware traces. The key idea of EIGER is *enumerate-then-optimize*. That is, we *enumerate* representations of potential artifacts as IOC candidates. Then, we *optimize* the combination of these candidates to maximize the two essential properties, i.e. accuracy and interpretability, towards the generation of reliable IOCs.

Through an experiment using 162K malware samples collected over five months, we evaluated the accuracy of EIGER-generated IOCs. We achieved a high True Positive Rate (TPR) of 91.98% and a very low False Positive Rate (FPR) of 0.97%. Interestingly, EIGER achieved an FPR of less than 1% even when we used a completely different dataset. Furthermore, we evaluated the interpretability of the IOCs generated by EIGER through a user study in which we recruited 15 professional security analysts working at a security operation center. The results allow us to conclude that our IOCs are as interpretable as manually generated ones. These results demonstrate that EIGER is practical and deployable in real-world security operations.
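As an added illustration of the enumerate-then-optimize idea described above (example code written for this page, not EIGER's implementation): candidate artifact patterns are enumerated from constructed sandbox traces, then a greedy selection keeps the fewest patterns that cover the malware traces while holding the FPR on benign traces under a threshold. The traces, the generalization rules (wildcarding the per-user directory and digit runs) and the greedy objective are all assumptions of this example.

```python
import re

# Constructed sample traces (an assumption of this example): each trace is the set of
# artifacts a sandbox recorded for one sample, prefixed with the artifact kind.
MALWARE_TRACES = [
    {"file:C:\\Users\\alice\\AppData\\Roaming\\upd17.exe", "mutex:Global\\upd-7f3a",
     "reg:HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd17"},
    {"file:C:\\Users\\bob\\AppData\\Roaming\\upd42.exe", "mutex:Global\\upd-7f3a",
     "reg:HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd42"},
    {"file:C:\\Users\\carol\\AppData\\Roaming\\upd09.exe", "file:C:\\Windows\\Temp\\log.txt",
     "reg:HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd09"},
]
BENIGN_TRACES = [
    {"file:C:\\Windows\\Temp\\log.txt", "reg:HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"},
    {"file:C:\\Users\\dave\\AppData\\Roaming\\Zoom\\zoom.exe", "mutex:Global\\zoom-lock"},
]

def generalize(artifact):
    """One generalized regex form of an artifact: wildcard the per-user directory and digit runs."""
    g = re.sub(r"(Users\\)[^\\]+", r"\1<USER>", artifact)
    g = re.sub(r"\d+", "<NUM>", g)
    return re.escape(g).replace("<USER>", r"[^\\]+").replace("<NUM>", r"\d+")

def enumerate_candidates(malware):
    """Enumerate step: every raw artifact (escaped as a literal regex) plus its generalized form."""
    return sorted({p for t in malware for a in t for p in (re.escape(a), generalize(a))})

def matches(pattern, trace):
    return any(re.fullmatch(pattern, a) for a in trace)

def rates(patterns, malware, benign):
    """TPR and FPR of an IOC read as an OR of patterns, over malware and benign trace sets."""
    hit = lambda t: any(matches(p, t) for p in patterns)
    return (sum(map(hit, malware)) / len(malware), sum(map(hit, benign)) / len(benign))

def optimize(malware, benign, max_fpr=0.01, max_terms=3):
    """Optimize step (greedy sketch): repeatedly pick the admissible candidate (FPR <= max_fpr)
    that covers the most still-undetected malware traces; max_terms keeps the IOC readable."""
    allowed = [c for c in enumerate_candidates(malware) if rates([c], malware, benign)[1] <= max_fpr]
    uncovered, ioc = set(range(len(malware))), []
    while uncovered and len(ioc) < max_terms:
        gain = lambda c: sum(matches(c, malware[i]) for i in uncovered)
        best = max(allowed, key=lambda c: (gain(c), -len(c)))  # tie-break: shorter pattern
        if gain(best) == 0:
            break
        ioc.append(best)
        uncovered = {i for i in uncovered if not matches(best, malware[i])}
    return ioc
```

Calling `optimize(MALWARE_TRACES, BENIGN_TRACES)` on these traces returns a single generalized pattern, because the exact `log.txt` artifact shared with a benign trace is rejected by the FPR bound and the per-sample file, registry and mutex values are only covered once the user directory and digits are wildcarded.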

Yuma Kurogome
NTT Secure Platform Laboratories

Yuto Otsuki
NTT Secure Platform Laboratories

Yuhei Kawakoya
NTT Secure Platform Laboratories

Makoto Iwamura
NTT Secure Platform Laboratories

Syogo Hayashi
NTT Security (Japan) KK

Tatsuya Mori
Waseda University / NICT

Koushik Sen
University of California, Berkeley