MIMOSA: Reducing Malware Analysis Overhead with Coverings


There is a growing body of malware samples that evade automated analysis and detection tools. Malware may measure fingerprints (”artifacts”) of the underlying analysis tool or environment, and change their behavior when artifacts are detected. While analysis tools can mitigate artifacts to reduce exposure, such concealment is expensive. However, not every sample checks for every type of artifact—hence analysis efficiency can be improved by mitigating only those artifacts most likely to be used by a sample.

Invention Description
Researchers at Arizona State University, the University of Michigan, and West Point have developed MIMOSA, a system which identifies a small set of ”covering” tool configurations that collectively defeat most malware samples with increased efficiency. MIMOSA identifies a set of tool configurations which maximize analysis throughput and detection accuracy while minimizing manual effort, enabling scalable automation for analyzing stealthy malware. The approach was evaluated against a benchmark of 1535 labeled stealthy malware samples. Analysis throughput increased over the state-of-the-art for over 95% of these samples. MIMOSA provides a practical, tunable method for efficiently deploying analysis resources.

Potential Applications
•  Malware analysis
•  Cybersecurity
•  Artifact mitigation

Related Publication: Reducing Malware Analysis Overhead with Coverings

Homepage of Professor Stephanie Forrest

Case ID:
Last Updated:

For More Information, Contact