functracker
play

FuncTracker Discovering Shared Code (to aid malware forensics) - PowerPoint PPT Presentation

Jan 27, 2023 •315 likes •523 views

FuncTracker Discovering Shared Code (to aid malware forensics) Presenter: Charles LeDoux University of Louisiana at Lafayette Shifting Focus of Malware Research New focus is on forensics tasks Old question: What? New questions:

  1. FuncTracker Discovering Shared Code (to aid malware forensics) Presenter: Charles LeDoux University of Louisiana at Lafayette

  2. Shifting Focus of Malware Research ● New focus is on forensics tasks ● Old question: What? ● New questions: Who? Why?

  3. Relationships: Putting it together ● Single instance Single piece of the puzzle ● Relationships indicate fitting of pieces ● Key Relationship: Shared Code

  4. Key Relationship: Shared Code Stuxnet, Duqu, … come from the same factory or factories Stuxnet and Duqu were written on the same platform…by the same group of programmers. … linked specific portions of code

  5. Key Relationship: Shared Code Industries: ● Automotive ● Defense ● Financial ● And more... Linked attacks by similarities in code Mapped out M.O.

  6. Existing Approaches ● Clustering related malware ● Focus on whole binary comparison ○ Would miss single shared function ● Not Scalable ○ O(n^2) FuncTracker: ○ Small, non-trivial shared code ○ Scalable

  7. FuncTracker ● Granularity: Shared Functions ○ Whole binary comparison too coarse ○ Block level too noisy ● Comparison: Hash Based ○ Constant time comparison ○ Syntactic and Semantic hashes ● Exploration: Graph Based ○ Palantir intelligence platform

  8. Hashes: Heart of FuncTracker ● Represent functions by set of blocks ● Represent each block by single feature ● Sort, concatenate, cryptographic hash ● Block features determine abstraction layer ● BinJuice: Code, GenCode, Semantics, GenSemantics

  9. Blocks: Heart of Hashes ● Code ○ Boring ol’code ○ Fragile against obfuscations ● GenCode ○ Abstract out registers and constants ○ Still fragile ■ Instruction reordering ■ Semantically equivalent substitutions Code GenCode

  10. Blocks: Heart of Hashes ● Semantics ○ Effect on registers and memory ○ Symbolic interpretation ○ Algebraic simplification ○ Canonical representation Code Semantics

  11. Blocks: Heart of Hashes ● GenSemantics ○ Analogous to GenCode Semantics GenSemantics

  12. Hashes: Heart of FuncTracker

  13. FuncTracker: Exploring Relationships ● Graph representation ● Nodes: ○ Binaries ○ Blocks ○ Functions ● Attributes: ○ Blocks: BinJuice Features ○ Functions: The different hashes ● Edges: “contains” relationship

  14. FuncTracker: Exploring Relationships ● Searches: ○ Traversal ○ Shared attribute ○ Both ● Extensible ○ Time stamp ○ Geographic location ○ Author Information ○ …

  15. Example Use Case ● Search for shared behavior ● Start with ground truth

  16. Example Use Case ● Search for shared behavior ● Start with ground truth ● Perform search on shared “GenSemantics”

  17. Behavior Search Performance TP FP FN TN Binaries 17 1 2 90 Procedures 8 1 18 9889

  18. What’s next? ● Comprehensive evaluation ● Extend Hashing ○ Locality Sensitive Hashing ○ Bloom Filters

  19. Thank You! Charles LeDoux Arun Lakhotia charles@charlesledoux.com arun@louisiana.edu University of Louisiana at Lafayette University of Louisiana at Lafayette Craig Miles Vivek Notani craig@craigmil.es vivek200690@gmail.com University of Louisiana at Lafayette University of Louisiana at Lafayette Avi Pfeffer apfeffer@cra.com Charles River Analytics

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

BIOPACE TRIAL BIOPACE TRIAL PRELIMINARY RESULTS RESULTS PRELIMINARY Biventricular Pacing for

BIOPACE TRIAL BIOPACE TRIAL PRELIMINARY RESULTS RESULTS PRELIMINARY Biventricular Pacing for

BIOPACE TRIAL BIOPACE TRIAL PRELIMINARY RESULTS RESULTS PRELIMINARY Biventricular Pacing for Atrio-ventricular Block to Prevent Cardiac Desynchronization BioPace Trial Investigators and Coordinators DISCLOSURE DISCLOSURE St. Jude Medical

715 views • 27 slides
Objectives 1. Define sex and gender based medicine terminology. 2. Explain sex differences in

Objectives 1. Define sex and gender based medicine terminology. 2. Explain sex differences in

11/28/2018 The Impact of Sex and Gender on Disease and Medication I have nothing to disclose. Marissa C. Salvo, PharmD, BCACP Associate Clinical Professor Department of Pharmacy Practice University of Connecticut School of Pharmacy December

451 views • 6 slides
Meta-Analysis of Varenicline Use and Treatment-Emergent

Meta-Analysis of Varenicline Use and Treatment-Emergent

Meta-Analysis of Varenicline Use and Treatment-Emergent Cardiovascular Serious Adverse Events Judith J. Prochaska, PhD, MPH Associate Professor of Medicine Stanford

668 views • 53 slides
Productivity Growth in Health Care John A. Romley, PhD Associate Professor USC Schaeffer Center

Productivity Growth in Health Care John A. Romley, PhD Associate Professor USC Schaeffer Center

Productivity Growth in Health Care John A. Romley, PhD Associate Professor USC Schaeffer Center for Health Policy & Economics USC Price School of Public Policy USC School of Pharmacy June 25, 2019 A little health economic theory:

530 views • 25 slides
Providing Patient Safety with Alarm Standardization Maureen A. Secke l, RN, APN, ACNS,BC, CCNS,

Providing Patient Safety with Alarm Standardization Maureen A. Secke l, RN, APN, ACNS,BC, CCNS,

Providing Patient Safety with Alarm Standardization Maureen A. Secke l, RN, APN, ACNS,BC, CCNS, CCRN Clinical Nurse Specialist Medical Critical Care Pulmonary Melody Kasprzak , Phd Project Manager, Information Technology Christiana Care Health

445 views • 32 slides
Chapter 6 Memory Objectives Master the concepts of hierarchical memory organization.

Chapter 6 Memory Objectives Master the concepts of hierarchical memory organization.

Chapter 6 Memory Objectives Master the concepts of hierarchical memory organization. Understand how each level of memory contributes to system performance, and how the performance is measured. Master the concepts behind cache

985 views • 86 slides
Embracing High Speed, Low Power, Complex Security Analytics at the Heart of the Cloud Sakir Sezer

Embracing High Speed, Low Power, Complex Security Analytics at the Heart of the Cloud Sakir Sezer

Embracing High Speed, Low Power, Complex Security Analytics at the Heart of the Cloud Sakir Sezer Chief Technical Officer IP-SoC 2019 Conference December 3 rd , 2019 1 3/12/2019 1 Sakir Sezer Overview Evolution of Datacenter Server

627 views • 18 slides
A National Web Conference on Assessing Patient Health Information Needs for Developing Consumer

A National Web Conference on Assessing Patient Health Information Needs for Developing Consumer

A National Web Conference on Assessing Patient Health Information Needs for Developing Consumer Health IT Tools Presented By: Wanda Pratt, Ph.D., FACMI James Ralston, M.D., M.P.H. Patricia Flatley Brennan, R.N., Ph.D. Moderated By: Teresa

815 views • 67 slides
structure tensors Lek-Heng Lim July 18, 2017 acknowledgments Turner, many MS students as well

structure tensors Lek-Heng Lim July 18, 2017 acknowledgments Turner, many MS students as well

structure tensors Lek-Heng Lim July 18, 2017 acknowledgments Turner, many MS students as well Fahroo), NSF thank you all from the bottom of my heart kind colleagues who nominated/supported me: Shmuel Friedland Sayan Mukherjee

555 views • 37 slides
Optimizing Application Performance in Large Multi-core Systems Waiman Long / Aug 19, 2015 HP

Optimizing Application Performance in Large Multi-core Systems Waiman Long / Aug 19, 2015 HP

Optimizing Application Performance in Large Multi-core Systems Waiman Long / Aug 19, 2015 HP Server Performance & Scalability Team Version 1.1 1 Agenda 1. Why Optimizing for Multi-Core Systems 2. Non-Uniform Memory Access (NUMA) 3.

313 views • 28 slides
gr-ettus GR RFNoC - OOT UHD Host

gr-ettus GR RFNoC - OOT UHD Host

gr-ettus GR RFNoC - OOT UHD Host fpga-src rfnocmodtool help linux; GNU C++ version 4.8.4;Boost_105400;UHD_4.0.0.rfnoc-devel-162-g335a1317 Usage: rfnocmodtool <command> [options]

596 views • 20 slides
Advances in Heart Failure Jonathan D Davis, MD, MPHS Director, Heart Failure Program Assistant

Advances in Heart Failure Jonathan D Davis, MD, MPHS Director, Heart Failure Program Assistant

Advances in Heart Failure Jonathan D Davis, MD, MPHS Director, Heart Failure Program Assistant Clinical Professor | Division of Cardiology Zuckerberg San Francisco General Hospital Department of Medicine | University of California, San

478 views • 46 slides
Clinical update Heart Failure: Trials changing patients lives? Univ.-Prof. Dr. Burkert Pieske

Clinical update Heart Failure: Trials changing patients lives? Univ.-Prof. Dr. Burkert Pieske

WCN Congress Amsterdam Novermber 28-29,2019 Clinical update Heart Failure: Trials changing patients lives? Univ.-Prof. Dr. Burkert Pieske Department of Internal Medicine and Cardiology Charit University Medicine, Campus Virchow-Klinikum

669 views • 45 slides
The Dr. Robert Bree Collaborative Meeting January 21 st , 2015| 12:30pm 4:30pm Agenda

The Dr. Robert Bree Collaborative Meeting January 21 st , 2015| 12:30pm 4:30pm Agenda

The Dr. Robert Bree Collaborative Meeting January 21 st , 2015| 12:30pm 4:30pm Agenda November 20th Meeting Minutes and Revised Bylaws Approve minutes Approve revised bylaws Addiction and Dependence Treatment Report and

1.25k views • 96 slides
Rick Grobbee - UMC Utrecht Professor of Clinical Epidemiology Rationale Progress Drug

Rick Grobbee - UMC Utrecht Professor of Clinical Epidemiology Rationale Progress Drug

Rick Grobbee - UMC Utrecht Professor of Clinical Epidemiology Rationale Progress Drug development in CVD is frustrated by: Poor definition of disease ignoring underlying (molecular) mechanisms and co-/multi-morbidities Lack of approved

712 views • 30 slides
Cardiovascular Disease - Part I Atif Qasim, MD, MSCE Assistant Professor of Medicine, Division of

Cardiovascular Disease - Part I Atif Qasim, MD, MSCE Assistant Professor of Medicine, Division of

Disclosures I have nothing to disclose relevant to this material UCSF Internal Medicine Board Certification and Recertification Review Cardiovascular Disease - Part I Atif Qasim, MD, MSCE Assistant Professor of Medicine, Division of

422 views • 39 slides
OBS Admin Brief for Students 16 th August 2019 Course Objectives Be able to deal with

OBS Admin Brief for Students 16 th August 2019 Course Objectives Be able to deal with

OBS Admin Brief for Students 16 th August 2019 Course Objectives Be able to deal with challenges / adversities positively through self-directed learning and making right choices to influence their circumstances Build friendships with

372 views • 22 slides
Chronic Conditions The need for a comprehensive public health approach Olga McDaid PhD Scholar

Chronic Conditions The need for a comprehensive public health approach Olga McDaid PhD Scholar

Chronic Conditions The need for a comprehensive public health approach Olga McDaid PhD Scholar HRB PhD Programme for Health Services Research, Trinity College Dublin Supervisors Prof. Charles Normand, Dr.Alan Kelly, Dr.Susan Smith 1 Chronic

368 views • 23 slides
Timeseries kinds and applications MAC H IN E L E AR N IN G FOR TIME SE R IE S DATA IN P YTH

Timeseries kinds and applications MAC H IN E L E AR N IN G FOR TIME SE R IE S DATA IN P YTH

Timeseries kinds and applications MAC H IN E L E AR N IN G FOR TIME SE R IE S DATA IN P YTH ON Chris Holdgraf Fello w, Berkele y Instit u te for Data Science Time Series MACHINE LEARNING FOR TIME SERIES DATA IN PYTHON Time Series

802 views • 37 slides
WORKING FAITH studies from the book of JAMES JoLynn Gower 493-6151

WORKING FAITH studies from the book of JAMES JoLynn Gower 493-6151

WORKING FAITH studies from the book of JAMES JoLynn Gower 493-6151 jgower@guardingthetruth.org WORD FOR THE JOURNEY v James 5:16 Therefore, confess your sins to one another, and pray for one another so that you may be

244 views • 12 slides
Secure&Computation: Why,%How%and%When Mariana Raykova Yale University 12/12/16 1 PMPML

Secure&Computation: Why,%How%and%When Mariana Raykova Yale University 12/12/16 1 PMPML

Secure&Computation: Why,%How%and%When Mariana Raykova Yale University 12/12/16 1 PMPML Predictive&Model Patient Blood+Count Heart Conditions Digestive+Track Medicine Effectiveness Arrhyt Inflamm Dyspha

608 views • 48 slides
1 Intro to Clinical Practice 2 COLLABORATOR Key competencies Enabling competencies PHYSICIANS

1 Intro to Clinical Practice 2 COLLABORATOR Key competencies Enabling competencies PHYSICIANS

1 Intro to Clinical Practice 2 COLLABORATOR Key competencies Enabling competencies PHYSICIANS ARE ABLE TO: 1. Work effectively with physicians 1.1 Establish and maintain positive relationships with physicians and other and other colleagues

494 views • 23 slides
Ancient Epic: Homer and Vergil Vergil Ancient Epic: Homer and History and Literature Ancient

Ancient Epic: Homer and Vergil Vergil Ancient Epic: Homer and History and Literature Ancient

Ancient Epic: Homer and Vergil Vergil Ancient Epic: Homer and History and Literature Ancient Epic: Homer and Vergil Vergil Ancient Epic: Homer and History and Literature if histories like Herodotus encompass story along with

365 views • 23 slides
Secure Attachment Promotes Attachment, an enduring emotional bond to a specific a Positive

Secure Attachment Promotes Attachment, an enduring emotional bond to a specific a Positive

3/3/2016 What is Attachment? Secure Attachment Promotes Attachment, an enduring emotional bond to a specific a Positive Emotional Life for person , is especially activated when a child is under stress. The biological function of an

112 views • 10 slides

More recommend