Partial Outsourcing of Malware Dynamic Analysis Without Disclosing File Contents.

Keisuke Hamajima,Daisuke Kotani,Yasuo Okabe

COMPSAC(2023)

Abstract
Dynamic analysis is one of the methods used to analyze malware. However, if the file to be analyzed contains confidential information, disclosing it to an analyst outside the organization is undesirable. Previous works proposed classifying malware while preserving privacy, or outsourcing dynamic analysis, but outsourcing dynamic analysis without disclosing the file contents remains challenging. The proposed method builds a Local Environment for users and a Remote Environment for analysts outside the organization. We propose partial outsourcing: the file is opened only in the Local Environment, its behavior is reproduced in the Remote Environment, and dynamic analysis is conducted on that reproduced behavior. The Local Environment hooks each API call and retrieves the function name and its arguments. It then sends this information to the Remote Environment, which replays it to reproduce the file's behavior. Our method could reproduce most operations on files and registries but could not reproduce some operations on files.
Keywords
malware, dynamic analysis, evasion technique, privacy, hooking API calls