
Publication Date

10-6-2025

Abstract

Incident responders face a variety of challenges when identifying malware with existing solutions, particularly when rapid tactical decisions are needed. Traditional malware detection is largely signature-based, so anti-virus (AV) engines are effective mainly against previously known threats. Online analysis services introduce confidentiality risks: submitting a sample can alert adversaries that their activity is under scrutiny. Free sandbox environments offer useful capabilities, but they typically require substantial setup time and hardware resources that may not be available in the field. This research uses the Endgame Malware BEnchmark for Research (EMBER) dataset, now maintained by Elastic, to develop a lightweight, portable tactical decision aid that lets incident responders rapidly determine whether a binary warrants further investigation. The study then evaluates the decision aid on malware samples from 2022 and 2023, assessing how well the 2018 EMBER dataset serves as a training benchmark for identifying modern threats. A GitHub repository has been created to share the resulting tactical decision aid with the broader cybersecurity community, fostering collaboration and facilitating future research.
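The abstract describes a static, offline triage aid trained on EMBER features. The following is an added example, not the thesis's decision aid or Elastic's own EMBER code: it extracts two of EMBER's static feature groups (the normalised byte histogram and the 16x16 byte-entropy histogram) plus a cheap PE header sanity check from an in-memory buffer, which is exactly the kind of computation a portable, no-network tool can run in the field. The window size, step and binning are assumptions that approximate EMBER's design, the trained classifier that would consume the feature vector is not shown, and the "binary" is a constructed MZ/PE-shaped blob with a pseudo-random body standing in for a packed section.

```python
"""
Added example: EMBER-style static feature extraction for offline binary triage.
Not the thesis's decision aid and not Elastic's EMBER library; window size,
step and binning below are assumptions approximating EMBER's feature design.
"""
import math
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, range 0.0..8.0."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def byte_histogram(data: bytes) -> list:
    """256-bin byte histogram normalised to sum to 1 (EMBER 'histogram' group)."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data) or 1
    return [c / n for c in counts]


def byte_entropy_histogram(data: bytes, window: int = 2048, step: int = 1024) -> list:
    """EMBER-style 'byteentropy' group (assumed binning): slide a window over the
    file, bin each window's entropy into 16 half-bit levels (0..8 bits) and each
    byte's high nibble into 16 levels, accumulate a 16x16 joint histogram, then
    normalise. Packed or encrypted regions push mass into the high-entropy rows
    regardless of which byte values they contain, which a signature cannot see."""
    hist = [[0] * 16 for _ in range(16)]
    if len(data) < window:
        windows = [data]
    else:
        windows = [data[i:i + window] for i in range(0, len(data) - window + 1, step)]
    for w in windows:
        if not w:
            continue
        h = min(int(shannon_entropy(w) * 2), 15)
        for b in w:
            hist[h][b >> 4] += 1
    total = sum(map(sum, hist)) or 1
    return [v / total for row in hist for v in row]


def pe_header_ok(data: bytes) -> bool:
    """Cheap sanity check: DOS 'MZ' magic and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extract_features(data: bytes) -> dict:
    """Feature dictionary that a downstream trained classifier (not shown) would consume."""
    return {
        "size": len(data),
        "pe_header_ok": pe_header_ok(data),
        "entropy": shannon_entropy(data),
        "histogram": byte_histogram(data),
        "byteentropy": byte_entropy_histogram(data),
    }


def constructed_sample() -> bytes:
    """Constructed stand-in for a PE file: MZ stub with e_lfanew = 0x80, PE
    signature at 0x80, then a 4 KiB high-entropy body from a deterministic LCG
    imitating a packed section. Not a real binary."""
    header = bytearray(b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x80) + b"\x00" * 0x40)
    header += b"PE\x00\x00" + b"\x00" * 0x7C
    x = 12345
    body = bytearray()
    for _ in range(4096):
        x = (1103515245 * x + 12345) & 0x7FFFFFFF
        body.append((x >> 16) & 0xFF)
    return bytes(header + body)


if __name__ == "__main__":
    f = extract_features(constructed_sample())
    print(f"size={f['size']} pe_ok={f['pe_header_ok']} entropy={f['entropy']:.2f}")
```

Running the script prints the whole-file entropy of the constructed sample, which sits near the 8-bit ceiling because of its pseudo-random body; a real decision aid would feed `extract_features()` output (together with EMBER's remaining groups such as imports, section and header features) to a model trained on the benchmark, and the 2022/2023 evaluation the abstract mentions is precisely a test of whether features learned from 2018 samples still separate such high-entropy, header-valid binaries from benign ones.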
