This software converts, extracts, and transforms malware behavior data from "Malware Configuration And Payload Extraction" (CAPEv2) sandbox reports into Structured Threat Information eXpression (STIX). The STIX output supports further analysis, sharing of threat data, and transfer to a graph database.
[ ] Evaluate approaches for clustering or otherwise grouping malware based on a subset of the files that it modifies, reads, or deletes. Also think of this from the perspective of grouping files that occur in the same runs. The goal is to be able to identify similar malware, where the similarity will likely derive from file type, interpreter used, or file access patterns.
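One candidate approach for the grouping task above, as an added example that is not part of this project's code: Jaccard similarity over normalized (operation, path) features, with single-linkage grouping. The sample names, the `read`/`write`/`delete` keys, the normalization rules and the 0.5 threshold are all assumptions made for illustration; the input shape is not the CAPEv2 report schema.

```python
import re
from itertools import combinations

# Constructed sample data (not real reports): per-sample file activity.
SAMPLES = {
    "sample_a": {"read": [r"C:\Users\alice\AppData\Roaming\cfg.ini"],
                 "write": [r"C:\Users\alice\AppData\Local\Temp\a1.ps1"],
                 "delete": [r"C:\Users\alice\Documents\report.docx"]},
    "sample_b": {"read": [r"C:\Users\bob\AppData\Roaming\cfg.ini"],
                 "write": [r"C:\Users\bob\AppData\Local\Temp\zz9.ps1"],
                 "delete": [r"C:\Users\bob\Documents\budget.xlsx"]},
    "sample_c": {"read": [r"C:\Windows\System32\drivers\etc\hosts"],
                 "write": [r"C:\ProgramData\svc.dll"], "delete": []},
}

def features(activity):
    """Map file activity to a set of (operation, normalized path) features."""
    out = set()
    for op, paths in activity.items():
        for p in paths:
            p = p.lower()
            # Remove the per-host user name so runs on different hosts compare.
            p = re.sub(r"\\users\\[^\\]+", lambda m: r"\users\<user>", p)
            # Temp file names are often random: keep directory and extension.
            if "\\temp\\" in p:
                p = re.sub(r"[^\\]+(\.\w+)$", lambda m: "*" + m.group(1), p)
            out.add((op, p))
    return out

def jaccard(a, b):
    """Shared features divided by all features; 0.0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def cluster(samples, threshold=0.5):
    """Single-linkage grouping: link any pair at or above the threshold."""
    feats = {name: features(act) for name, act in samples.items()}
    parent = {name: name for name in feats}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for a, b in combinations(feats, 2):
        if jaccard(feats[a], feats[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for name in feats:
        groups.setdefault(find(name), []).append(name)
    return sorted(sorted(g) for g in groups.values())

if __name__ == "__main__":
    print(cluster(SAMPLES))
```

Transposing the input (files as keys, the set of runs they appear in as features) gives the second perspective in the task, grouping files that occur in the same runs.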