
A Method For Malware Knowledge Extraction Based On MAEC Ontology

Posted on: 2022-02-13
Degree: Master
Type: Thesis
Country: China
Candidate: Y M Wang
GTID: 2518306740494664
Subject: Cyberspace security

Abstract/Summary:
Nowadays, in order to deal effectively with a wide range of malicious activities, various malware analysis and detection methods have been proposed continuously, which has also led to more diverse ways of capturing and describing the higher-level characteristics of malware. Because each tool uses its own custom description standard, the reports generated by different malware analysis tools lack consistency, compatibility, and interoperability. Interpreting and correlating information from various sources has therefore become an increasingly difficult task. To address this, MITRE proposed MAEC, a standardized language for sharing structured information about malware. MAEC broadly supports capturing static and dynamic malware analysis results and can serve as the standard output format of various analysis tools. However, current malware analysis sandboxes generally lack the ability to output high-level semantic tags for malware. The MAEC reports they actually produce contain a large amount of low-level entity data and almost no high-level semantic information describing the characteristics of the malware; for example, the capability and behavior attributes of malware are rarely output in a MAEC report. Therefore, this thesis studies a malware knowledge extraction method based on a MAEC ontology: it establishes a malware ontology model based on the MAEC standard and integrates sandbox-based automatic malware analysis reports with ontological reasoning. Data that meets the requirements of the MAEC ontology description is then extracted from analysis reports of different origins. Finally, a reasoning engine loads a rule library written in the SWRL language, and hidden ontology knowledge about malware behavior, capabilities, means of attack and so on is inferred from the underlying operational data.

The main contributions of this thesis are as follows:

1. Based on the MAEC standard and the OWL language, the characteristics of malware are modeled and analyzed, and a MAEC ontology for describing the knowledge and characteristics of malicious software is constructed; it accesses and uses CAPEC, ATT&CK and other models from MITRE.

2. Inference rules are extracted automatically from multiple sources such as the Cuckoo signature database and the ATT&CK technique matrix, in order to infer the implicit knowledge in the ontology data. After integration, an extensible and portable rule library is formed, and the MAEC standard vocabulary is expanded at the same time.

3. A malware knowledge extraction method based on the MAEC ontology is proposed, and a prototype system is designed and implemented that can automatically extract dynamic operations, behaviors, capabilities, and other malware knowledge from the analysis reports output by a malware analysis sandbox.
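To make the reasoning step concrete, the following is an added example (not code from the thesis or its prototype system) of a small forward-chaining reasoner that lifts low-level sandbox entities into MAEC-style behavior and capability tags, in the spirit of the SWRL rule library described above; the rule names, tag names and the Cuckoo-like sample report are constructed assumptions.

```python
# Added illustration, not the thesis's code: a tiny forward-chaining reasoner in
# the spirit of its SWRL rule library; rule names, tags and report are constructed.
SAMPLE_REPORT = {  # Cuckoo-like shape, constructed (not real sandbox output)
    "file_writes": [r"C:\Users\victim\AppData\Roaming\svc.exe"],
    "registry_sets": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"],
    "api_calls": ["WriteProcessMemory", "CreateRemoteThread"],
    "network": ["http://example.invalid/beacon"],
}
# Hypothetical rules: (name, premises that must all hold, conclusion). Action-level
# rules lift sandbox entities to behaviours; behaviour-level rules to capabilities.
RULES = [
    ("exe dropped", {"file_write:exe"}, "behavior:drop_executable"),
    ("run key", {"registry:run_key"}, "behavior:registry_persistence"),
    ("mem write+thread", {"api:WriteProcessMemory", "api:CreateRemoteThread"}, "behavior:process_injection"),
    ("http beacon", {"net:http"}, "behavior:http_c2"),
    ("persist", {"behavior:drop_executable", "behavior:registry_persistence"}, "capability:persistence"),
    ("inject", {"behavior:process_injection"}, "capability:code_injection"),
    ("c2", {"behavior:http_c2"}, "capability:command_and_control"),
]
def extract_facts(report):
    """Map low-level report entries to typed action atoms (ontology individuals)."""
    facts = set()
    for path in report.get("file_writes", []):
        if path.lower().endswith((".exe", ".dll")):
            facts.add("file_write:exe")
    for key in report.get("registry_sets", []):
        if "\\currentversion\\run" in key.lower():
            facts.add("registry:run_key")
    for api in report.get("api_calls", []):
        facts.add("api:" + api)
    for url in report.get("network", []):
        if url.startswith(("http://", "https://")):
            facts.add("net:http")
    return facts

def infer(facts, rules=RULES):
    """Forward-chain to a fixpoint; returns (all facts, names of rules fired)."""
    known, fired, changed = set(facts), [], True
    while changed:
        changed = False
        for name, premises, conclusion in rules:
            if premises <= known and conclusion not in known:
                known.add(conclusion)
                fired.append(name)
                changed = True
    return known, fired

def extract_knowledge(report):
    """High-level tags the report supports, grouped by MAEC-style layer."""
    known, _ = infer(extract_facts(report))
    return {layer: sorted(f.split(":", 1)[1] for f in known if f.startswith(layer + ":"))
            for layer in ("behavior", "capability")}
```

A report containing only one of the two injection API calls yields no process_injection behavior, since every premise of a rule must hold before it fires.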
Keywords/Search Tags: MAEC, ontology, reasoning rules, malware