Malware Authorship Attribution

Attributing a piece of malware to its creator or user is a difficult problem. It relies on the ability to disassemble binaries efficiently so that enough features can be gathered to de-anonymise the author(s). In the modern world of cyber warfare and cyber crime, public attribution is used to ensure justice, apply political pressure and enforce sanctions that deter cyber attacks. However, attribution requires a lot of concrete evidence, and collecting it is often a complex and time-consuming manual task; public attribution typically takes at least a year, if not longer. This is because attackers use several techniques (e.g. obfuscation) to hide their identity and prevent others from understanding their goal(s). Even though attackers go to extreme lengths to hide their identity, there are often unique traces (their “signature”) that can be found and used to link them to other pieces of malware. Unique author styles have been identified in source code, but much research remains to be done to identify the same styles in compiled binaries. There is strong demand for automating malware author attribution, because attacks continue to increase while the number of analysts is insufficient to match the malware analysis demand.
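To make the "disassemble and gather features" step concrete, the following is an added Python example, not code from the page or from any attribution tool. It profiles each sample by the bigrams of instruction mnemonics in its disassembly (opcode n-grams are one commonly used stylometric feature for binaries), scores similarity with cosine similarity, and assigns an unknown sample to the author of the nearest labelled sample. The listings, sample names and author labels are constructed for the example and are not taken from any real binary.

```python
from collections import Counter
from math import sqrt

# Constructed disassembly listings: hypothetical snippets invented for this
# example, not extracted from any real binary or malware family.
LISTINGS = {
    "sample_A": """
        push ebp
        mov  ebp, esp
        sub  esp, 0x40
        xor  eax, eax
        mov  ecx, [ebp+8]
        test ecx, ecx
        jz   short loc_A1
        lea  edx, [ecx+1]
        mov  [ebp-4], edx
        call sub_A0
        leave
        ret
    """,
    "sample_B": """
        push ebp
        mov  ebp, esp
        sub  esp, 0x20
        xor  eax, eax
        mov  ecx, [ebp+0xc]
        cmp  ecx, 0
        jne  short loc_B1
        lea  edx, [ecx+4]
        mov  [ebp-8], edx
        call sub_B0
        leave
        ret
    """,
    "sample_C": """
        sub  esp, 0x10
        mov  eax, [esp+0x14]
        mov  ecx, [esp+0x18]
        cmp  eax, ecx
        jne  short loc_C1
        mov  [esp], eax
        add  esp, 0x10
        jmp  sub_C0
        xor  eax, eax
        add  esp, 0x10
        ret
    """,
}

# Constructed ground truth: which hypothetical author each sample belongs to.
LABELS = {"sample_A": "author_X", "sample_B": "author_X", "sample_C": "author_Y"}

# Constructed "unknown" listing that shares the frame-setup idiom of samples A/B.
UNKNOWN = """
    push ebp
    mov  ebp, esp
    sub  esp, 0x30
    xor  eax, eax
    mov  ecx, [ebp+8]
    test ecx, ecx
    jnz  short loc_U1
    lea  edx, [ecx+2]
    mov  [ebp-4], edx
    call sub_U0
    leave
    ret
"""


def mnemonics(listing):
    """Reduce a listing to its instruction mnemonics.

    Operands (registers, immediates, addresses) are dropped on purpose: they
    change between builds and are trivial to perturb, whereas the instruction
    sequence reflects coding idioms and compiler settings. Note that junk-code
    insertion or instruction substitution (obfuscation) also perturbs these
    sequences, which is one reason attribution from binaries is hard.
    """
    ops = []
    for line in listing.splitlines():
        line = line.split(";")[0].strip()  # drop trailing comments / whitespace
        if line:
            ops.append(line.split()[0].lower())
    return ops


def ngram_profile(listing, n=2):
    """Count overlapping n-grams of mnemonics; this is the sample's feature vector."""
    ops = mnemonics(listing)
    return Counter(tuple(ops[i:i + n]) for i in range(len(ops) - n + 1))


def cosine(p, q):
    """Cosine similarity of two sparse count vectors (0.0 if either is empty)."""
    dot = sum(c * q.get(k, 0) for k, c in p.items())
    norm = sqrt(sum(c * c for c in p.values())) * sqrt(sum(c * c for c in q.values()))
    return dot / norm if norm else 0.0


def similarity_matrix(listings, n=2):
    """Pairwise similarity between all labelled samples, for inspection."""
    profiles = {name: ngram_profile(text, n) for name, text in listings.items()}
    return {a: {b: cosine(pa, pb) for b, pb in profiles.items()} for a, pa in profiles.items()}


def attribute(unknown, listings, labels, n=2):
    """Return (author, nearest_sample, score) for an unknown listing."""
    target = ngram_profile(unknown, n)
    scores = {name: cosine(target, ngram_profile(text, n)) for name, text in listings.items()}
    best = max(scores, key=scores.get)
    return labels[best], best, scores[best]


if __name__ == "__main__":
    for a, row in similarity_matrix(LISTINGS).items():
        print(a, {b: round(s, 3) for b, s in row.items()})
    print("unknown ->", attribute(UNKNOWN, LISTINGS, LABELS))
```

On the constructed data, samples A and B (same author) score 8/11 against each other while A and C share no bigrams at all, and the unknown listing is assigned to author_X via sample A. A real pipeline would use a proper disassembler, normalise further (e.g. collapse conditional-jump variants, filter compiler boilerplate such as prologues) and require far more than a single nearest-neighbour score before asserting attribution.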