MIMOSA: Reducing Malware Analysis Overhead with Coverings
arXiv - CS - Cryptography and Security. Pub Date: 2021-01-18, DOI: arxiv-2101.07328
Mohsen Ahmadi, Kevin Leach, Ryan Dougherty, Stephanie Forrest, Westley Weimer

There is a growing body of malware samples that evade automated analysis and detection tools. Malware may measure fingerprints ("artifacts") of the underlying analysis tool or environment and change its behavior when artifacts are detected. While analysis tools can mitigate artifacts to reduce exposure, such concealment is expensive. However, not every sample checks for every type of artifact, so analysis efficiency can be improved by mitigating only those artifacts most likely to be used by a sample. Using that insight, we propose MIMOSA, a system that identifies a small set of "covering" tool configurations that collectively defeat most malware samples with increased efficiency. MIMOSA identifies a set of tool configurations that maximize analysis throughput and detection accuracy while minimizing manual effort, enabling scalable automation to analyze stealthy malware. We evaluate our approach against a benchmark of 1535 labeled stealthy malware samples. Our approach increases analysis throughput over the state of the art on over 95% of these samples. We also investigate cost-benefit tradeoffs between the fraction of successfully-analyzed samples and computing resources required. MIMOSA provides a practical, tunable method for efficiently deploying analysis resources.
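The abstract's central idea, a small "covering" set of tool configurations chosen so that each sample's artifact checks are all hidden by at least one configuration, is an instance of weighted set cover. The following is an added illustration, not code from the paper or the MIMOSA project: it uses a greedy weighted-set-cover heuristic as one way to compute such a covering (the paper's own optimization method is not reproduced here), and the artifact names, per-mitigation costs, sample labels and the cost model (baseline run cost plus the overhead of each enabled mitigation) are all constructed assumptions. Running it for two coverage targets shows the cost-benefit tradeoff the abstract mentions: defeating the last few samples costs disproportionately more configurations.

```python
import math
from itertools import combinations

# Constructed toy data (hypothetical artifact names, samples and costs; not from the paper).
# Each sample is labelled with the set of environment artifacts it checks for.
# A sample is analyzed successfully ("defeated") only by a configuration that hides
# every artifact it checks.
SAMPLES = {
    "s1": {"cpuid"},
    "s2": {"cpuid", "timing"},
    "s3": {"timing"},
    "s4": {"debugger"},
    "s5": {"debugger", "cpuid"},
    "s6": {"mac"},
    "s7": {"mac", "timing"},
    "s8": {"cpuid"},
}

# Assumed per-run overhead of enabling each artifact mitigation (arbitrary units).
MITIGATION_COST = {"cpuid": 3, "timing": 5, "debugger": 2, "mac": 1}


def configurations(artifacts, max_mitigations):
    """Enumerate candidate tool configurations: every subset of at most
    max_mitigations artifact mitigations, each as a frozenset of artifact names."""
    artifacts = sorted(artifacts)
    return [frozenset(c)
            for k in range(max_mitigations + 1)
            for c in combinations(artifacts, k)]


def config_cost(config):
    """Toy cost model: a baseline run costs 1, plus the overhead of each mitigation."""
    return 1 + sum(MITIGATION_COST[a] for a in config)


def defeated_by(config, samples):
    """Samples whose every checked artifact is hidden by this configuration."""
    return {sid for sid, checks in samples.items() if checks <= config}


def greedy_covering(samples, configs, target_fraction):
    """Greedy weighted set cover: repeatedly add the configuration with the best
    (newly defeated samples / cost) ratio until target_fraction of the samples is
    defeated or no configuration helps.  Returns (chosen configs, fraction defeated,
    total cost of the covering)."""
    needed = math.ceil(target_fraction * len(samples))
    uncovered = set(samples)
    chosen = []
    while len(samples) - len(uncovered) < needed:
        scored = []
        for c in configs:
            gain = len(defeated_by(c, samples) & uncovered)
            if gain:
                scored.append((gain / config_cost(c), gain, c))
        if not scored:
            break  # remaining samples cannot be defeated by any candidate
        _, _, best = max(scored, key=lambda t: (t[0], t[1]))
        chosen.append(best)
        uncovered -= defeated_by(best, samples)
    fraction = 1 - len(uncovered) / len(samples)
    return chosen, fraction, sum(config_cost(c) for c in chosen)


if __name__ == "__main__":
    configs = configurations(MITIGATION_COST, max_mitigations=2)
    for target in (0.75, 1.0):
        chosen, frac, cost = greedy_covering(SAMPLES, configs, target)
        print(f"target {target:.2f}: {len(chosen)} configs, "
              f"{frac:.3f} of samples defeated, total cost {cost}")
        for c in chosen:
            print("   ", sorted(c))
```

With the constructed data, a 75% target is met by three configurations at cost 15, while reaching 100% needs a fourth configuration and raises the cost to 24; the single extra sample (`s2`) is the most expensive to cover. Greedy set cover is only an approximation, so on real data a tuned or exact solver may find a cheaper covering for the same target.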

Updated: 2021-01-20