Supporting Knowledge-assisted Rule Creation in a Behavior-based Malware Analysis Prototype

The ever-increasing number of malicious software (malware) samples requires domain experts to shift their analysis process towards more individualized approaches in order to acquire more information about presently unknown malware samples. KAMAS is a knowledge-assisted visual analytics prototype for behavioral malware analysis, which allows IT-security experts to categorize and store potentially harmful system call sequences (rules) in a knowledge database. In order to meet the increasing demand for individualization of analysis processes, analysts have to be able to create individual rules. This paper is a visualization design study that describes the design and implementation of a separate Rule Creation Area (RCA) in KAMAS and its evaluation by domain experts. It became clear that the continuous integration of experts in the interaction processes improves the analysis and knowledge generation mechanism of KAMAS. Additionally, the outcome of the evaluation revealed that there is a demand for adjusting and reusing already stored rules in the RCA.
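To make the rule concept concrete, the following is an added example (not code from KAMAS or the paper's authors) of a minimal in-memory "knowledge database" of rules, where a rule is a named, categorized system call sequence. It shows the two analyst workflows the abstract mentions: creating an individual rule, and deriving an adjusted rule from one already stored so that it can be reused. Matching is contiguous (the rule's calls must appear back to back in the trace), which is an assumption of this example; the call names, rule names and the sample trace are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    """A stored rule: a named, categorized system call sequence.

    `derived_from` records which stored rule this one was adjusted from,
    so reused rules keep their provenance (constructed field name).
    """
    name: str
    category: str            # e.g. "malicious" or "suspicious"
    sequence: List[str]      # ordered system call names
    derived_from: Optional[str] = None


class RuleStore:
    """Minimal in-memory knowledge database of rules (example, not KAMAS code)."""

    def __init__(self) -> None:
        self._rules: Dict[str, Rule] = {}

    def add(self, rule: Rule) -> None:
        """Store an analyst-created rule; reject empty or duplicate rules."""
        if not rule.sequence:
            raise ValueError("a rule needs at least one system call")
        if rule.name in self._rules:
            raise ValueError(f"rule {rule.name!r} already exists")
        self._rules[rule.name] = rule

    def derive(self, base: str, name: str, *,
               sequence: Optional[List[str]] = None,
               category: Optional[str] = None) -> Rule:
        """Create a new rule by adjusting an already stored one (rule reuse).

        Fields not given are copied from the base rule.
        """
        parent = self._rules[base]
        rule = Rule(name,
                    category or parent.category,
                    list(sequence if sequence is not None else parent.sequence),
                    derived_from=base)
        self.add(rule)
        return rule

    def get(self, name: str) -> Rule:
        return self._rules[name]

    def match(self, trace: List[str]) -> List[Tuple[str, int]]:
        """Return (rule name, trace offset) for every contiguous occurrence
        of a stored rule's sequence in the given system call trace."""
        hits: List[Tuple[str, int]] = []
        for rule in self._rules.values():
            n = len(rule.sequence)
            for i in range(len(trace) - n + 1):
                if trace[i:i + n] == rule.sequence:
                    hits.append((rule.name, i))
        return sorted(hits, key=lambda h: (h[1], h[0]))


# Constructed sample trace of a single process, in call order.
SAMPLE_TRACE = [
    "open_key", "set_value", "close_key",
    "create_file", "write_file", "close_file", "create_process",
    "exit",
]


def build_store() -> RuleStore:
    """Populate the store with two analyst-created rules and one derived rule."""
    store = RuleStore()
    store.add(Rule("registry-persistence", "suspicious",
                   ["open_key", "set_value"]))
    store.add(Rule("drop-and-execute", "malicious",
                   ["create_file", "write_file", "close_file", "create_process"]))
    # Reuse: adjust the stored rule to a variant that does not close the file first.
    store.derive("drop-and-execute", "drop-and-execute-variant",
                 sequence=["create_file", "write_file", "create_process"])
    return store


def analyze(trace: List[str] = SAMPLE_TRACE) -> List[Tuple[str, int]]:
    """Match all stored rules against a trace."""
    return build_store().match(trace)


if __name__ == "__main__":
    for name, offset in analyze():
        print(f"{name} matched at offset {offset}")
```

Running the script reports the registry rule at offset 0 and the drop-and-execute rule at offset 3; the derived variant does not fire on this trace because `close_file` sits between `write_file` and `create_process`, which is exactly the kind of adjustment an analyst would make and then re-evaluate in the RCA.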