Authors
Omar Alrawi, Moses Ike, Matthew Pruett, Ranjita Pai Kasturi, Srimanta Barua, Taleb Hirani, Brennan Hill, Brendan Saltaformaggio
Publication date
2021
Conference
Proceedings of the 30th USENIX Security Symposium (USENIX Security '21)
Pages
3523-3540
Abstract
The remediation of ongoing cyber attacks relies upon timely malware analysis, which aims to uncover malicious functionalities that have not yet executed. Unfortunately, this requires repeated context switching between different tools and incurs a high cognitive load on the analyst, slowing down the investigation and giving attackers an advantage. We present Forecast, a post-detection technique that enables incident responders to automatically predict capabilities which malware has staged for execution. Forecast is based on a probabilistic model that allows it to discover capabilities and also weigh each capability according to its relative likelihood of execution (i.e., forecasts). Forecast leverages the execution context of the ongoing attack (from the malware's memory image) to guide a symbolic analysis of the malware's code. We performed extensive evaluations, with 6,727 real-world malware samples and futuristic attacks aiming to subvert Forecast, showing its accuracy and robustness in predicting malware capabilities.
Scholar articles
O Alrawi, M Ike, M Pruett, RP Kasturi, S Barua, T Hirani… - 30th USENIX security symposium (USENIX security 21), 2021