DEEPCAPA is a framework for automated post-detection analysis of Windows malware: it identifies the malicious capabilities of a sample and maps them to MITRE ATT&CK techniques. Developed by Saastha Vasan, DEEPCAPA provides the following key functionalities:
- Loading of Process Memory Snapshots: Efficiently loads memory snapshots into a disassembler (IDA) and extracts control flow graphs (CFGs).
- API Call Sequence Extraction: Processes extracted CFGs from different snapshots, generates a unified CFG, and simulates program execution via random walks to extract API call sequences.
- Neural Network Pipeline: Utilizes a neural network pipeline to process the extracted API call sequences and map them to potentially malicious MITRE ATT&CK techniques.
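The following is an added illustration of the second step (unified CFG plus random walks), not DeepCapa's own code. It assumes a minimal CFG representation (a basic block keyed by address, holding the API calls resolved in it and its successor addresses), two constructed snapshots of the same process, and a walk policy that picks a random successor at every block; the real extraction scripts work on IDA output and may differ in all of these details.

```python
"""Unified-CFG merge and random-walk API sequence extraction (illustrative).

Added example, not DeepCapa's own code. The Block/CFG representation, the
sample snapshots and the walk policy are assumptions made for illustration.
"""
import random
from dataclasses import dataclass, field


@dataclass
class Block:
    addr: int
    apis: list = field(default_factory=list)   # API calls in this block, in order
    succs: set = field(default_factory=set)    # addresses of successor blocks


def merge_cfgs(cfgs):
    """Union the per-snapshot CFGs (dict addr -> Block) into one unified CFG.

    The same block address may appear in several snapshots. Edges are unioned;
    a block whose calls could not be resolved in an earlier snapshot (for
    example code that was still encrypted) takes the calls seen in a later one.
    """
    merged = {}
    for cfg in cfgs:
        for addr, blk in cfg.items():
            if addr not in merged:
                merged[addr] = Block(addr, list(blk.apis), set(blk.succs))
                continue
            m = merged[addr]
            m.succs |= blk.succs
            if not m.apis and blk.apis:
                m.apis = list(blk.apis)
    return merged


def random_walk(cfg, start, max_steps, rng):
    """Simulate one execution path: append each visited block's API calls and
    follow a randomly chosen successor until a block with no successors (or an
    address missing from the CFG) is reached, or max_steps blocks were visited."""
    seq, addr = [], start
    for _ in range(max_steps):
        blk = cfg.get(addr)
        if blk is None:
            break
        seq.extend(blk.apis)
        if not blk.succs:
            break
        addr = rng.choice(sorted(blk.succs))  # sorted so a seeded rng is reproducible
    return seq


def extract_api_sequences(cfg, entry, n_walks=50, max_steps=64, seed=0):
    """Run n_walks seeded random walks from entry and return the distinct
    non-empty API call sequences, i.e. the input handed to the neural network."""
    rng = random.Random(seed)
    seqs, seen = [], set()
    for _ in range(n_walks):
        seq = tuple(random_walk(cfg, entry, max_steps, rng))
        if seq and seq not in seen:
            seen.add(seq)
            seqs.append(list(seq))
    return seqs


# Constructed sample: two snapshots of the same process. In the first, the
# block at 0x1030 is still encrypted, so no calls were resolved there; the
# second snapshot, taken later, resolves it and reveals one more block.
SNAPSHOT_1 = {
    0x1000: Block(0x1000, ["OpenProcess"], {0x1010, 0x1020}),
    0x1010: Block(0x1010, ["VirtualAllocEx"], {0x1030}),
    0x1020: Block(0x1020, ["ExitProcess"], set()),
    0x1030: Block(0x1030, [], set()),
}
SNAPSHOT_2 = {
    0x1030: Block(0x1030, ["WriteProcessMemory"], {0x1040}),
    0x1040: Block(0x1040, ["CreateRemoteThread"], set()),
}
ENTRY = 0x1000

if __name__ == "__main__":
    unified = merge_cfgs([SNAPSHOT_1, SNAPSHOT_2])
    for seq in extract_api_sequences(unified, ENTRY):
        print(" -> ".join(seq))
```

Merging the two snapshots is what makes the full OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread chain visible: neither snapshot alone contains it. The walks are bounded by max_steps so loops in the CFG cannot run forever, and the sequences are deduplicated because repeated walks over a small CFG mostly rediscover the same paths.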
Clone the repository and navigate into the project directory:
git clone https://github.com/ucsb-seclab/DeepCapa && cd DeepCapa
Set up a dedicated environment for DEEPCAPA with the required dependencies. Activate the environment before running pip, otherwise the packages land in whatever environment is currently active:
conda create -n deepcapa python=3.10 ipython
conda activate deepcapa
pip install -r requirements.txt
To run the neural network model you also need PyTorch. Follow the official installation instructions, or use the command below, which installs the CUDA 11.8 build; choose the CUDA version that matches your driver, or the CPU-only build if no GPU is available:
conda install pytorch torchvision torchaudio pytorch-cuda=11.8 -c pytorch -c nvidia
The api_extraction directory includes scripts for:
- Loading memory snapshots into IDA.
- Extracting API call sequences from CFGs of multiple process memory snapshots.
The neural_network directory houses the scripts necessary for:
- Pretraining DEEPCAPA models.
- Fine-tuning the models to improve detection capabilities.
If you use DEEPCAPA in your research or projects, please cite it as follows:
@inproceedings{vasan2024deepcapa,
title = {{DeepCapa: Identifying Malicious Capability in Windows Malware}},
author = {Vasan, Saastha and Aghakhani, Hojjat and Ortolani, Stefano and Vasilenko, Roman and Grishchenko, Ilya and Kruegel, Christopher and Vigna, Giovanni},
year = {2024},
booktitle = {{Annual Computer Security Applications Conference (ACSAC)}},
organization = {IEEE}
}