Introduction

Hatching has integrated Cuckoo Sandbox as the first Arbiter of PolySwarms threat intelligence marketplace. This blog post is the first in a series of posts and will touch on basic function of an Arbiter, why PolySwarm selected Cuckoo Sandbox as the first Arbiter, how this process works, and finally, what we see as the main benefit of being an Arbiter.

What is an Arbiter?

Literally, an Arbiter is somebody who is tasked with making difficult decisions in light of conflicting interests. In the case of the PolySwarm threat intelligence marketplace, that means judging the potential malicious intent of file samples: a sort of cat and mouse game between security analysts and malware authors. In the end, the verdict of the Arbiters will form what is called the Ground Truth, a final decision on the intent of a sample.

In order to make a valid judgment an Arbiter must utilize the analytical resources it has at its disposal and collect evidence regarding the behavior and intent of a sample. Over time, the accuracy of verdicts for more difficult samples can be improved by learning from judgments made by other Arbiters and domain experts and by responding to emerging threats.

How did we become the first Arbiter?

PolySwarm picked Hatching as the first Arbiter for the threat intelligence marketplace because Hatching has been the driving force behind Cuckoo Sandbox over the past few years, the world’s leading open source malware analysis system. The open source nature of Cuckoo Sandbox aligns with the transparent, collaborative spirit that underlies cryptocurrencies, and allows anyone to audit and improve the code. Additionally, through its open source nature, Cuckoo Sandbox is used by many researchers and organizations around the world.

As Steve Bassi, CEO of PolySwarm, points out:

Cuckoo Sandbox takes an innovative, dynamic approach to malware detection. We’re thrilled to have Jurriaan’s team on board as PolySwarm’s first Arbiter. Partnerships with marquee teams such as Hatching’s are crucial to PolySwarm’s disruption of the threat intelligence ecosystem.

Steve Bassi, Polyswarm CEO

We strongly believe in the community driven approach that PolySwarm is taking to revolutionize the antivirus industry. Therefore, we are honored that PolySwarm has chosen us as their first Arbiter.

How does it work?

Arbiters listen for bounties placed on the PolySwarm network. It fetches file samples (artifacts) that belong to the bounty and dispatches them to the analysis backends. In some cases, for example when experiencing high volumes, there might be a limited period of time in which a vote has to be cast. The duration of the analysis and subsequent processing may be limited as well. Our Arbiter allows multiple backends to be consulted and is able to vote even if not all analyses can be performed in time.

In rare cases, voting does not result in a satisfactory result, for example if the verdicts/scores produced by the analytical backends are not conclusive, manual voting may be required. Manual voting requires a human operator to make the final call. The operator has access to a dashboard from which they can view the detailed analysis reports. This report helps the operator to improve on the verdict/scoring, while offering feedback to the marketplace on improving their scoring at the same time

Once the voting window closes and the verdicts are revealed, the Arbiter may use different sources of information for the final Ground Truth. The way we’ve set this up is by determining our own “vote” - through the various analysis backends - and using that as a basis for the ground truth. If it is determined that there’s a large gap between our conclusion and that of the network, the Arbiter may devote additional effort to verify claims made by Micro-engines and Security Experts before pushing out the final Ground Truth, based on which the different players in the platform are paid.

What is the benefit of being an Arbiter?

Apart from the usual business benefits, the real benefit of being an Arbiter is actually quite simple: we get to analyze lots and lots of samples.

Analyzing all these samples allows us to improve the analysis capabilities of Cuckoo Sandbox by continuously learning from all the analyses we perform. To us, this offers a major R&D advantage as we get the opportunity to continuously test and develop our system in a real-world environment.

For example, when supporting clients that operate a Cuckoo Sandbox environment, we aren’t always able to use the results of their analyses to further improve Cuckoo Sandbox for the community. But as an Arbiter for PolySwarm, we have a constant stream of new malware intelligence to work with. This is of great importance for the development and ultimately the future of Cuckoo Sandbox.

Conclusion

Becoming PolySwarm’s first Arbiter has been of significance to us, as it provides us with the opportunity to contribute to a new paradigm in threat protection coverage while at the same time continuously developing the analysis capabilities of Cuckoo Sandbox.

We encourage others to join PolySwarm in their endeavor to revolutionize the antivirus market, as more arbiters means more analyses. We are looking forward to comparing analyses results, to learn learning from other arbiters and to improve the overall results as this all contributes to increasing general security while lowering the cost required to do so.