kunyu chen junwei song
play

KunYu Chen JunWei Song Security Researcher , Security Researcher - PowerPoint PPT Presentation

Sep 02, 2022 •622 likes •1.17k views

Europython 2020 So, You Want to Build an Anti-Virus Engine? KunYu Chen JunWei Song Security Researcher , Security Researcher Founder of Quark Engine CoFounder of Quark Engine 2 Outline #1: Introduction of Malware Scoring System #2: Design

  1. Europython 2020 So, You Want to Build an Anti-Virus Engine?

  2. KunYu Chen JunWei Song Security Researcher , Security Researcher Founder of Quark Engine CoFounder of Quark Engine 2

  3. Outline #1: Introduction of Malware Scoring System #2: Design Logic of the Dalvik Bytecode Loader #3: Case Study of Malware Analysis using Quark #4: Future Works 3

  4. #1: Introduction of Malware Scoring System 4

  5. Intro. of Malware Scoring System As we know, when developing a malware analysis engine. It is important to have a scoring system. However, those systems are either Business secretes or too complicated Therefore, we decided to create A simple but solid one And take that as a challenge 5

  6. Intro. of Malware Scoring System And since we wanted to design A novel scoring system. We stop reading and decoding What other people do in the field of cyber security Because we don’t want our ideas To be subjected to existing systems 6

  7. Intro. of Malware Scoring System We started to find ideas In fields other than cyber security And luckily, we found one 7

  8. Intro. of Malware Scoring System The Best Practice We Found: Criminal Law!!!! 8

  9. Intro. of Malware Scoring System Decoding the law When sentence a penalty for a criminal. The Judge weights the penalties based on the criminal law. Principles behind the law Based on the decoded principles We developed a scoring system for Android malware! 9

  10. Intro. of Malware Scoring System Principle # 1 A malware crime consists of action and target Decoded principle Definition: A crime consists of action and target E.g.: Steal Money , Kill People . Quark principle Definition: Malware crime consists of action and target. E.g.: Steal photos , Steal banking account passwords . 10

  11. Intro. of Malware Scoring System Principle # 2 Loss of fame > Loss of wealth Decoded principle Physical Body Injury(death) Is more serious than Psychological Injury(intimidate) * Hard to recover = Felony Quark principle Loss of fame > Loss of wealth Because it’s easier to make money back than rebuild your reputation. 11

  12. Intro. of Malware Scoring System Principle # 3 Arithmetic Sequence Decoded principle When a murderer is sentenced 20 years in prison for the crime. Robber (7 years) Why 20 and 7 years? No obvious principle can be decoded. Quark principle We use arithmetic sequence to weight the penalty of each crime. Eg. y1 = 10, y2 = 20, y3 = 30 12

  13. Intro. of Malware Scoring System Principle # 4 The latter the stage, the more we’re sure that the crime is practiced. (The order Theory) Decoded principle Order theory of criminal Explains the stages of committing a crime. As mentioned in chapter 4 of Taiwan Criminal Law Each crime consists of a sequence of behaviors. Those behaviors can be categorized (stages) in a specific order. 13

  14. Intro. of Malware Scoring System Principle # 4 The latter the stage, the more we’re sure that the crime is practiced. (The order Theory) For Instance: Murder 14

  15. Intro. of Malware Scoring System Principle # 4 The latter the stage, the more we’re sure that the crime is practiced. (The order Theory) Android Malware Crime Order Theory android.permission.SEND_SMS android.permission.ACCESS_CORSE_LOCATI getCellLocation() getCellLocation() getCellLocation() The location data ON sendTextMessage() sendTextMessage() android.permission.ACCESS_FINE_LOCATIO N 15

  16. Intro. of Malware Scoring System Principle # 4 The latter the stage, the more we’re sure that the crime is practiced. (The order Theory) Android Malware Crime Order Theory Crime # 5 Crime # 1 We have found We have found certain native APIs called combination of in a correct native APIs called sequence and they’re handling the same register 16

  17. Intro. of Malware Scoring System Principle # 5 The more evidence we caught, the more weight we give.(The order Theory) Quark principle Stage 2 is given more weight than stage 1. x2 > x1 17

  18. Intro. of Malware Scoring System Principle # 6 Proportional Sequence (The order Theory) Decoded principle The latter the stage the more we’re sure that the crime is practiced. Quark principle We use proportional sequence to present such principle. 18

  19. Intro. of Malware Scoring System Principle # 7 Crimes are independent events Quark principle For simplicity, we assume crimes are independent events. And can add up penalty weights directly. 19

  20. Intro. of Malware Scoring System Principle # 7 Crimes are independent events Steal Photos (Penalty weight of crime) * (Proportion of caught evidence) [5*(2^2/2^4)=1.25] Steal Banking Account Password [1*(2^4/2^4)=1] Total Penalty Weight 1.25 + 1 = 2.25 20

  21. Intro. of Malware Scoring System Principle # 8 Threshold Generate System Decoded principle: No obvious principles for threat level thresholds. Quark principle: To design a threshold generate system. Not Just give any number by intuition. 21

  22. Intro. of Malware Scoring System Principle # 8 Threshold Generate System Quark principle: To design a threshold generate system. Not Just give any number by intuition. 5 threat levels: Threshold for each level is the sum of ( Same proportion of caught evidence) multipies (Penalty weight of crime s ) Not Perfect: Build a foundation for future optimization! 22

  23. #2: Design Logic of Dalvik Bytecode Loader 23

  24. Design Logic of Dalvik Bytecode Loader (DBL) DBL is the implementation of the Android malware crime order theory. 5 stages: First 3 stages: We simply use APIs in androguard to implement the first 3 stages. 24

  25. Design Logic of Dalvik Bytecode Loader (Stage4) 5 stages: Stage 4: We need to find the calling sequence of native APIs. E.g. Crime: Send Location data via SMS Landroid/telephony/TelephonyManager Landroid/telephony/SmsManager getCellLocation sendTextMessage 25

  26. Design Logic of Dalvik Bytecode Loader (Stage4) Finding calling sequence of native APIs: Find mutual parent function Lcom/google/progress/AndroidClientService sendMessage() sendSms() getLocation() Landroid/telephony/SmsManager Landroid/telephony/TelephonyManager sendTextMessage getCellLocation 26

  27. Design Logic of Dalvik Bytecode Loader (Stage4) Smali-like code of sendMessage(): Malware hash: 14d9f1a92dd984d6040cc41ed06e273e getLocation() sendSms() 27

  28. Design Logic of Dalvik Bytecode Loader (Stage4) Obfuscation-Neglect: Magic! Lcom/ab/cd/ef;->a() f() e() k() Landroid/telephony/SmsManager Landroid/telephony/TelephonyManager sendTextMessage getCellLocation 28

  29. Design Logic of Dalvik Bytecode Loader (Stage5) Stage 5: We need to confirm that if the native APIs are handling the same register. = location_data Landroid/telephony/TelephonyManager getCellLocation input output Landroid/telephony/SmsManager sendTextMessage 29

  30. Design Logic of Dalvik Bytecode Loader (Stage5) Simulating CPU Operation: Read line by line of the smali-like code. And operate like CPU to get 1. The value of every register 2. Information like functions who have operated the same register 30

  31. Design Logic of Dalvik Bytecode Loader (Stage5) Register Object It’s a self-defined data type. Register Name v7 RegisterValue v7 = append(str1, FUNC1()) Used_by_which FUNC2(v7) _function 31

  32. Design Logic of Dalvik Bytecode Loader (Stage5) Expand Every Register Every time when the value of Used_by_which_function is filled. Expand Every Register v7 v7 append(v8, v3) append(“User location”, getLocation()) sendSms( API2 append( “User location:”, sendSms(v7) getLocation() ) ) API1 We produce lots of register objects. 32

  33. Design Logic of Dalvik Bytecode Loader (Stage5) Register Objects are organized with Two-Dimensional Python List Similar idea like the hash table to boost up r/w of the list. [ v1 RegisterObject [RO1], v2 [], v3 [], [RO2,RO3,RO4], v4 RegisterObject RegisterObject RegisterObject [], v5 [RO5,RO6] v6 RegisterObject RegisterObject ] 33

  34. Design Logic of Dalvik Bytecode Loader (Stage5) Finish constructing the hash table We then scan through all register objects to check If APIs are handling the same register. 34

  35. #3: Case Study of Malware analysis using Quark Engine 35

  36. Case Study of Malware Analysis Two malware Non-Obfuscated: 14d9f1a92dd984d6040cc41ed06e273e Obfuscated: 76db25ce55dc2738a387cbbb947f32f0 For each malware Show how we detect the behavior of the malware with detection rule 36

  37. Case Study of Malware Analysis Malware #1 Non-Obfuscated: 14d9f1a92dd984d6040cc41ed06e273e Detection Rule: Detect whether if the malware sends out cellphone’s location data via SMS . 37

  38. Case Study of Malware Analysis 38

  39. Source Code - sendMessage Native API sendTextMessage() inside! Native API getCellLocation() inside! 39

  40. Source Code - getLocation Get Cell Location Return location info 40

  41. Source Code - sendSms 41

  42. Case Study of Malware Analysis Malware #2 Obfuscated: 76db25ce55dc2738a387cbbb947f32f0 Detection Rule: Detect whether if the malware Detect WiFi Hotspot by gathering information Like active network info and cell phone location . 42

  43. Case Study of Malware Analysis 43

  44. Source Code - p.a Native API getActiveNetworkInfo() inside! Native API getCellLocation() inside! 44

  45. Source Code - ap.a 45

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

2016 TRECVID Mul0media Event Detec0on Report Team INF Junwei Liang, Poyao Huang, Lu Jiang,

2016 TRECVID Mul0media Event Detec0on Report Team INF Junwei Liang, Poyao Huang, Lu Jiang,

2016 TRECVID Mul0media Event Detec0on Report Team INF Junwei Liang, Poyao Huang, Lu Jiang, Zhenzhong Lan, Jia Chen and Alexander Hauptmann 1 Outline System Overview (10Ex, 100Ex) Feature Representa0ons Selected Topics

1.06k views • 103 slides
VTint: Protecting Virtual Function Tables Integrity Chao Zhang (UC Berkeley) Chengyu Song

VTint: Protecting Virtual Function Tables Integrity Chao Zhang (UC Berkeley) Chengyu Song

VTint: Protecting Virtual Function Tables Integrity Chao Zhang (UC Berkeley) Chengyu Song (Georgia Tech) Kevin Zhijie Chen (UC Berkeley) Zhaofeng Chen (Peking University) Dawn Song (UC Berkeley) VTable for Dynamic Dispatch (C++) void

401 views • 27 slides
The TAU 2016 Contest Timing Macro Modeling Jin Hu Song Chen Xin Zhao Xi Chen IBM Corp.

The TAU 2016 Contest Timing Macro Modeling Jin Hu Song Chen Xin Zhao Xi Chen IBM Corp.

The TAU 2016 Contest Timing Macro Modeling Jin Hu Song Chen Xin Zhao Xi Chen IBM Corp. Synopsys IBM Corp. Synopsys [Speaker] Sponsors: 1 TAU 2016 Workshop March 10 th -11 th , 2016 Motivation of Macro Modeling Performance

242 views • 22 slides
driven ECO Subramanyam Sripada Song Chen Synopsys Inc. Mar 16, 2017 Agenda Background

driven ECO Subramanyam Sripada Song Chen Synopsys Inc. Mar 16, 2017 Agenda Background

Efficient Incremental Flow for signoff- driven ECO Subramanyam Sripada Song Chen Synopsys Inc. Mar 16, 2017 Agenda Background Motivation Approach Results Design/Complexity Projections SoC Transistor Count Trend Scenario

554 views • 14 slides
S upport V ector E lastic N etwork Quan Zhou, Wenlin Chen, Shiji Song, Jacob R. Gardner , Kilian

S upport V ector E lastic N etwork Quan Zhou, Wenlin Chen, Shiji Song, Jacob R. Gardner , Kilian

S upport V ector E lastic N etwork Quan Zhou, Wenlin Chen, Shiji Song, Jacob R. Gardner , Kilian Q. Weinberger, Yixin Chen Sven the Terrible T raditional Computer Science Traditional CS: Data Output Program Computer Machine Learning

1.38k views • 17 slides
MCUNet: Tiny Deep Learning on IoT Devices Ji Lin 1 Song Han 1 Wei-Ming Chen 1,2 Yujun Lin 1 John

MCUNet: Tiny Deep Learning on IoT Devices Ji Lin 1 Song Han 1 Wei-Ming Chen 1,2 Yujun Lin 1 John

MCUNet: Tiny Deep Learning on IoT Devices Ji Lin 1 Song Han 1 Wei-Ming Chen 1,2 Yujun Lin 1 John Cohn 3 Chuang Gan 3 1 MIT 2 National Taiwan University 3 MIT-IBM Watson AI Lab NeurIPS 2020 (spotlight) Background: The Era of AIoT on

1.2k views • 79 slides
Particle Flow Bayes Rule Xinshi Chen 1* , Hanjun Dai 1* , Le Song 1,2 1 Georgia Tech, 2

Particle Flow Bayes Rule Xinshi Chen 1* , Hanjun Dai 1* , Le Song 1,2 1 Georgia Tech, 2

Particle Flow Bayes Rule Xinshi Chen 1* , Hanjun Dai 1* , Le Song 1,2 1 Georgia Tech, 2 Ant Financial (*equal contribution) ICML 2019 Sequential Bayesian Inference 1. Prior distribution () # $ %

237 views • 10 slides
Multi-level Thresholding Tests for High Dimensional Means and Covariance Matrices Song Xi Chen

Multi-level Thresholding Tests for High Dimensional Means and Covariance Matrices Song Xi Chen

Multi-level Thresholding Tests for High Dimensional Means and Covariance Matrices Song Xi Chen Guanghua School of Management Center for Statistical Science Peking University Joint work with Bin Guo and Yumou Qiu Two Sample Testing and Signal

875 views • 70 slides
Song of Songs Song of Solomon Song of Songs 5 (NIV) He I have come into my garden, my sister,

Song of Songs Song of Solomon Song of Songs 5 (NIV) He I have come into my garden, my sister,

Song of Songs Song of Solomon Song of Songs 5 (NIV) He I have come into my garden, my sister, my bride; I have gathered my myrrh with my spice. I have eaten my honeycomb and my honey; I have drunk my wine and my milk. Song of Songs 5 (NIV)

415 views • 24 slides
TAU19 WORKSHOP MONTEREY, MARCH 21-22 2019 SONG CHEN (SYNOPSYS) GENERAL CHAIR JOO GEADA

TAU19 WORKSHOP MONTEREY, MARCH 21-22 2019 SONG CHEN (SYNOPSYS) GENERAL CHAIR JOO GEADA

TAU19 WORKSHOP MONTEREY, MARCH 21-22 2019 SONG CHEN (SYNOPSYS) GENERAL CHAIR JOO GEADA (ANSYS) TECHNICAL PROGRAM CHAIR WELCOME TO 26TH ACM International Workshop on Timing Issues in the Specification and Synthesis of Digital

117 views • 9 slides
TEA IN THE SONG PERIOD History of the Song Tea Development in the Song Period Teaware

TEA IN THE SONG PERIOD History of the Song Tea Development in the Song Period Teaware

TEA IN THE SONG PERIOD History of the Song Tea Development in the Song Period Teaware of the Song Period Art and Tea in the Song Period Grinding Song Period-Style Mch Song dynasty ( ; Sng cho ) 960 1279

593 views • 34 slides
TAU18 WORKSHOP MONTEREY, MARCH 15-16 2018 TOM SPYROU (INTEL) GENERAL CHAIR SONG CHEN

TAU18 WORKSHOP MONTEREY, MARCH 15-16 2018 TOM SPYROU (INTEL) GENERAL CHAIR SONG CHEN

TAU18 WORKSHOP MONTEREY, MARCH 15-16 2018 TOM SPYROU (INTEL) GENERAL CHAIR SONG CHEN (SYNOPSYS) TECHNICAL PROGRAM CHAIR First of All THANK YOU all for registering and coming to the workshop! Your participation and contribution are

544 views • 8 slides
An Integrated Rapid Multi-Scale Analysis and Min Chen Ming-Xuan Chen Cong-lan Cheng Feng Gao

An Integrated Rapid Multi-Scale Analysis and Min Chen Ming-Xuan Chen Cong-lan Cheng Feng Gao

An Integrated Rapid Multi-Scale Analysis and Min Chen Ming-Xuan Chen Cong-lan Cheng Feng Gao Lin-ye Song Prediction System (RMAPS-IN) in Beijing Area Ins nstitut ute of of Urba ban Meteor orol olog ogy, Beij ijin ing, CM CMA and

431 views • 29 slides
I Let You Know Who Can See What Xuemeng Song , Xiang Wang , Liqiang Nie , Xiangnan He

I Let You Know Who Can See What Xuemeng Song , Xiang Wang , Liqiang Nie , Xiangnan He

A Personal Privacy Preserving Framework: I Let You Know Who Can See What Xuemeng Song , Xiang Wang , Liqiang Nie , Xiangnan He , Zhumin Chen , Wei Liu $ School of Computer Science and Technology, Shandong University

379 views • 37 slides
Self-learning Monte Carlo method and all optical neural network Junwei Liu ( )

Self-learning Monte Carlo method and all optical neural network Junwei Liu ( )

Self-learning Monte Carlo method and all optical neural network Junwei Liu ( ) Department of Physics Hong Kong University of Science and Technology Deep learning and Physics, YITP, Kyoto, Japan, 2019 The general motivation As

1.08k views • 46 slides
Differential Computation Analysis against Internally-Encoded White-Box Implementations Junwei

Differential Computation Analysis against Internally-Encoded White-Box Implementations Junwei

Differential Computation Analysis against Internally-Encoded White-Box Implementations Junwei Wang Joint work with Matthieu Rivain WhibOx 2019, May 18, 2019 Overview 1 White-Box Context 2 DCA against Internal Encodings 3 Collision

539 views • 26 slides
Strongly Coupled Physics and the Strong CP problem Anson Hook Stanford Anson Hook -

Strongly Coupled Physics and the Strong CP problem Anson Hook Stanford Anson Hook -

Strongly Coupled Physics and the Strong CP problem Anson Hook Stanford Anson Hook - hep-ph/1411.3325 + work in progress w/ S. Dimopoulos, G. Marques-Tavares, J. Huang Classical Strong CP problem Neutron contains an up quark and two down

801 views • 42 slides
Measurement of high-p T azimuthal anisotropy in charged hadron production from 2.76 TeV PbPb

Measurement of high-p T azimuthal anisotropy in charged hadron production from 2.76 TeV PbPb

Measurement of high-p T azimuthal anisotropy in charged hadron production from 2.76 TeV PbPb collisions at CMS Victoria Zhukova (MIT) for the CMS Collaboration Quark Matter Conference, Washington DC 14 th Aug, 2012 Quark Matter 2012,

345 views • 19 slides
Four-Quark Mesons? Dick Silbar and Terry Goldman, T-2 A Mesonic Analog of the Deuteron Submitted

Four-Quark Mesons? Dick Silbar and Terry Goldman, T-2 A Mesonic Analog of the Deuteron Submitted

Four-Quark Mesons? Dick Silbar and Terry Goldman, T-2 A Mesonic Analog of the Deuteron Submitted to Phys. Rev. C Archive 1304.5480 T-2 Seminar May, 2013 Mesons Are Made of Quarks I. They are colorless objects with B = 0. q q II.

309 views • 29 slides
The Quest for Quarks Quest for Quarks p. 1/2 The Frontiers of Matter (in 1932) The periodic

The Quest for Quarks Quest for Quarks p. 1/2 The Frontiers of Matter (in 1932) The periodic

The Quest for Quarks Quest for Quarks p. 1/2 The Frontiers of Matter (in 1932) The periodic chart orders the chemical elements according to their properties. It provides clues to the underly- ing atomic structure. The fundamental

421 views • 29 slides
The gluon PDF: from LHC heavy quark production to neutrino astrophysics Juan Rojo ! VU Amsterdam

The gluon PDF: from LHC heavy quark production to neutrino astrophysics Juan Rojo ! VU Amsterdam

! The gluon PDF: from LHC heavy quark production to neutrino astrophysics Juan Rojo ! VU Amsterdam & Theory group, Nikhef ! ! Nikhef Jamboree 2016 ! Groningen, 13/12/2016 1 Juan Rojo

846 views • 21 slides
Quart; an asyncio alternative to Flask P G Jones - 2018-07-27 pgjones@stet.io 1 Quart; an ASGI

Quart; an asyncio alternative to Flask P G Jones - 2018-07-27 pgjones@stet.io 1 Quart; an ASGI

Quart; an asyncio alternative to Flask P G Jones - 2018-07-27 pgjones@stet.io 1 Quart; an ASGI alternative to Flask P G Jones - 2018-07-27 pgjones@stet.io 2 Me Background rejection for the neutrinoless doublebeta decay experiment SNO+.

504 views • 26 slides
that arise in stochastic games Mike Harrison Thera Stochastics May 31, 2017 Aaron Kolb (2016),

that arise in stochastic games Mike Harrison Thera Stochastics May 31, 2017 Aaron Kolb (2016),

Interesting one-dimensional diffusions that arise in stochastic games Mike Harrison Thera Stochastics May 31, 2017 Aaron Kolb (2016), Strategic real options, working paper, Kelly School of Business, Indiana Univ. (submitted for publication)

176 views • 16 slides
Model-Based Testing There is Nothing More Practical than a Good Theory model Jan Tretmans SUT

Model-Based Testing There is Nothing More Practical than a Good Theory model Jan Tretmans SUT

Model-Based Testing There is Nothing More Practical than a Good Theory model Jan Tretmans SUT ESI Embedded Systems Innovation by TNO Radboud University Nijmegen Hgskolan i Halmstad pass fail jan.tretmans@tno.nl Jan Tretmans Radboud

963 views • 64 slides

More recommend