Automated Pattern Inference Based on Repeatedly Observed Malware Artifacts

Threat Intelligence comprises the concept of Indicators of Compromise, which are commonly used similar to classical intrusion detection signatures. However, data quality is often of limited quality with regard to this use case. The quality of these Indicators of Compromise can be increased by deriving patterns form repeated observations. A method is introduced which is capable to derive patterns from these observations automatically. Employing automatically derived pattern increases detection quality significantly. Moreover, it lead to the discovery of a previously unfamiliar type of patterns; inter-observable patterns, which capture relationships between patterns. An approach to address them in a fully STIX™ compliant fashion is proposed.