Impose Cost on the Adversary!

Malware Economics and its Implication to Anti-Malware Situational Awareness

Arun Lakhotia, University of Louisiana at Lafayette
Charles Ledoux, Cythereal, Inc
Vivek Notani, Cythereal, Inc.

Abstract:

Malware, like any other software, is developed iteratively and improved in incremental versions over a long period of time. Malware economics requires amortizing the cost of malware development over several attacks. Thus, the malware code persists through many incremental versions of the malware (albeit in a transformed and obfuscated state), while the classic indicators of attack, e.g., domain names, file names, and IP addresses, are parameterized and often change with each new version. Recent breakthroughs in automated malware analysis and code deobfuscation make it possible to overcome the challenges imposed by code obfuscation and create new anti-malware tools that use the malware code itself as an immutable indicator in anti-malware defense. The resulting technologies can be used to provide situational awareness of the dynamic threat profile of an organization. A persistent adversary that intends to penetrate a particular organization will send morphed variants of the same malware to a large number of people in an organization. Such an attack campaign may be executed over weeks or months. By correlating malware generated from the same code base, one can detect such persistent campaigns against an organization using the malware blocked by an anti-virus. Results from the field demonstrate that this approach has promise in detecting targeted attacks while the attacks are in progress, thus giving defenders enough time to take preventive actions.
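The correlation the abstract describes, as an added illustration that is not the authors' or Cythereal's code: it assumes each anti-virus block event has already been reduced to a set of hashes of normalized (deobfuscated) function bodies, clusters events on that code overlap rather than on domain or file name, and flags a cluster as a campaign when it reaches many distinct recipients over a long window. All events, hashes and thresholds below are constructed.

```python
from datetime import date

# Constructed AV block events: (day, recipient, domain, file name, code-feature hashes).
# Domains and file names differ per sample; the function-body hashes mostly persist.
EVENTS = [
    (date(2018, 3, 1), "alice", "cdn-upd1.example", "invoice.exe", {"f1", "f2", "f3", "f4"}),
    (date(2018, 3, 9), "bob", "img-host7.example", "scan.scr", {"f1", "f2", "f3", "f5"}),
    (date(2018, 3, 20), "carol", "node-x.example", "report.exe", {"f2", "f3", "f4", "f5"}),
    (date(2018, 4, 2), "dave", "static-9.example", "resume.exe", {"f1", "f3", "f4", "f6"}),
    (date(2018, 3, 5), "erin", "ad-srv.example", "setup.exe", {"g1", "g2", "g3"}),
    (date(2018, 3, 6), "erin", "ad-srv.example", "setup.exe", {"g1", "g2", "g3"}),
]

def jaccard(a, b):
    """Overlap of two code-feature sets; 0.0 when both are empty."""
    return len(a & b) / len(a | b) if a | b else 0.0

def cluster_by_code(events, threshold=0.5):
    """Greedy clustering in date order: a sample joins the first cluster whose
    accumulated feature set overlaps it at or above the threshold (assumed value)."""
    clusters = []  # each: {"features": union of member features, "events": [...]}
    for ev in sorted(events, key=lambda e: e[0]):
        feats = ev[4]
        for c in clusters:
            if jaccard(feats, c["features"]) >= threshold:
                c["features"] |= feats
                c["events"].append(ev)
                break
        else:
            clusters.append({"features": set(feats), "events": [ev]})
    return clusters

def detect_campaigns(events, min_recipients=3, min_span_days=14):
    """Flag code clusters that hit many distinct people over weeks, even though
    every member carried different domains and file names."""
    campaigns = []
    for c in cluster_by_code(events):
        recipients = {ev[1] for ev in c["events"]}
        days = [ev[0] for ev in c["events"]]
        span = (max(days) - min(days)).days
        if len(recipients) >= min_recipients and span >= min_span_days:
            campaigns.append({"recipients": sorted(recipients), "span_days": span,
                              "indicators": sorted({ev[2] for ev in c["events"]})})
    return campaigns

if __name__ == "__main__":
    for camp in detect_campaigns(EVENTS):
        print(camp)
```

The "f" cluster is reported as one campaign with four recipients spanning 32 days and four unrelated domains, while the repeated "g" sample to a single recipient is not; indicator-based matching on domain or file name would have linked none of the "f" samples.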

Full Citation: Lakhotia, Arun, Vivek Notani, and Charles LeDoux. “Malware economics and its implication to anti-malware situational awareness.” In 2018 International Conference On Cyber Situational Awareness, Data Analytics And Assessment (Cyber SA), pp. 1-8. IEEE, 2018.

Link to Research Paper: https://ieeexplore.ieee.org/author/37284285100