low level features for multinomial malware classification
play

Low-level Features for Multinomial Malware Classification Sergii - PowerPoint PPT Presentation

Mar 25, 2024 •340 likes •540 views

Low-level Features for Multinomial Malware Classification Sergii Banin 10.05.2017 Sergii Banin, COINS Finse Winter School, 1 10.05.2017 Agenda Introduction (problem description). Previous research. Malware classification

  1. Low-level Features for Multinomial Malware Classification Sergii Banin 10.05.2017 Sergii Banin, COINS Finse Winter School, 1 10.05.2017

  2. Agenda • Introduction (problem description). • Previous research. • Malware classification approaches. • Related studies. • Applying of low-level features for malware classification. Sergii Banin, COINS Finse Winter School, 2 10.05.2017

  3. Introduction (problem description) • Signature-based malware detection is not robust against simple obfuscation techniques. • Static properties can be easily changed. • Dynamic analysis can aid and outperform static analysis. • Malware developers try to conceal malware’s functionality. • It is impossible to avoid execution on the hardware. • Thus we propose to analyze hardware or low-level activity produced by malware. Sergii Banin, COINS Finse Winter School, 3 10.05.2017

  4. Previous Research • Memory access patterns were used for malware detection. • Record sequence of memory read and write accesses ( memtraces ) with a help of dynamic binary instrumentation tool Intel Pin. • Extract n-grams from memtrace sequence and use them as features. • Select best features . • Train Machine Learning models. • Assess classification accuracy achieved by ML models. • kNN and ANN achieved classification accuracy of 98.92% for 1,000,000 memtraces, 800 features and 96-grams. Sergii Banin, COINS Finse Winter School, 4 10.05.2017

  5. Next Step • Apply low-level features for malware classification. BUT • Why do we need malware classification? • How it is usually performed? • Is it possible to apply low-level features for malware classification? Sergii Banin, COINS Finse Winter School, 5 10.05.2017

  6. (Low-level Features for) Multinomial Malware Classification Sergii Banin 10.05.2017 Sergii Banin, COINS Finse Winter School, 6 10.05.2017

  7. Agenda • Problem description. • Malware classification. • Malware families and types. • Reasons for separating malware by families and types. • Related studies. Sergii Banin, COINS Finse Winter School, 7 10.05.2017

  8. Problem description. • Inconsistent terminology (family/type). • Dozens of malware naming systems. • CARO (Computer AntiVirus Researcher’s Organization ) naming system. [http://www.caro.org/articles/naming.html] • Common Malware Enumeration (CME) initiative by MITRE. [https://cme.mitre.org/about/] • Naming is usually made to describe malware’s target platform, functionality, variation of a certain sample, etc. [http://security.di.unimi.it/~roberto/teaching/vigorelli/0607/malware/material/caro.pdf, https://zeltser.com/malware-naming-approaches/, https://www.microsoft.com/en- us/security/portal/mmpc/shared/malwarenaming.aspx ] Sergii Banin, COINS Finse Winter School, 8 10.05.2017

  9. Problem description (2) Sergii Banin, COINS Finse Winter School, 9 10.05.2017

  10. Malware classification With classification we can: • assign threat level • assess possible harm • apply countermeasures • perform post-attack actions Sergii Banin, COINS Finse Winter School, 10 10.05.2017

  11. Malware classification (types) • Malware types: Trojan, Virus, Hoax, Ransomware, Adware, Spyware. • Malware type is assigned by general functionality.  E.g. Viruses are self-replicating malware, and Ransomware encrypts user data while asking for ransom to be paid. • Certain type can have different subtypes assigned by actions performed on the victim system.  Trojan-Bankers are designed to steal account data from online banking.  Backdoor Trojans give malicious users remote control over the infected computer. Sergii Banin, COINS Finse Winter School, 11 10.05.2017

  12. Malware classification (families) • Malware families are the malware categorization based on the particular functionality. • For describing malware families the following functionality could be used:  Which files are created/modified by a malware.  Which registry entries are affected by it.  Affected drivers.  Commands run by malware.  E.g. Win32/Ursnif (Gozi) (according to Microsoft Malware Protection Center) can run from PDF, MSI or EXE file. Create files in system directories, change registry entries related to software protection, capture screenshots, steal cookies, download and install new executables etc. Sergii Banin, COINS Finse Winter School, 12 10.05.2017

  13. Reasons for separating malware by families and types. • Classification allows to assign threat level and assess possible harm. • Knowledge about the type of malware allows to apply particular counter-measures. • Knowledge about the family of malware allows to perform exact actions for restoring and cleaning the system. Sergii Banin, COINS Finse Winter School, 13 10.05.2017

  14. Related studies • SANS in their paper (Malware 101 - Viruses) suggest the following virus classification strategy:  How malware stay in memory: resident, temporary resident, user process, kernel process.  Spreading methods: compiled, interpreted, multipartite.  Obfuscation techniques: no obfuscation, encryption, metamorphism, polymorphism, stealth.  By payload type: no payload, non-destructive, destructive, droppers. Sergii Banin, COINS Finse Winter School, 14 10.05.2017

  15. Related studies SANS Sergii Banin, COINS Finse Winter School, 15 10.05.2017

  16. Ways to perform multinomial malware detection • In the literature there are different ways of performing multinomial malware classification:  API calls, Byte and opcode n-grams, opcode frequencies.  API call sequences, control flow, autostart exstensibility points.  System state changes (through VM slices), call graph analysis, clustering via filesystem/registry/network activity. [Malware Analysis and Classification: A Survey Ekta Gandotra , Divya Bansal , Sanjeev Sofat] Sergii Banin, COINS Finse Winter School, 16 10.05.2017

  17. Application of low-level features for multinomial classification. (Based on SANS taxonomy) • Memory activity can be analyzed on the level of single operations. (ongoing research) • Malware obfuscation-related activity could be traced within memory and CPU. • Interpreted viruses can be analyzed while interpreter is active. • Boot sector infection can be traced via HDD operations. Sergii Banin, COINS Finse Winter School, 17 10.05.2017

  18. Conclusions and Suggestions. • Different ways of classification. • Properly described clustering can work better than well-known taxonomies. • Application of low-level activity can improve stealthy detection and new classification methods. Sergii Banin, COINS Finse Winter School, 18 10.05.2017

  19. Thank you. Sergii Banin, COINS Finse Winter School, 19 10.05.2017

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane

CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane

CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane kaneca@mail.uc.edu January 24, 2017 Why Classification is Important Malware classification helps us in multiple ways. Here are a couple key ways:

787 views • 16 slides
Malware Classification into Families based on File - Content and Characteristics KARAN BANSAL

Malware Classification into Families based on File - Content and Characteristics KARAN BANSAL

Malware Classification into Families based on File - Content and Characteristics KARAN BANSAL 12342 PALAK AGARWAL 13453 Motivation One of the major challenges faced by anti-malware today is the vast amount of data and files which

1.14k views • 14 slides
Overview Video classification Bag of spatio-temporal features Action localization

Overview Video classification Bag of spatio-temporal features Action localization

Overview Video classification Bag of spatio-temporal features Action localization Spatio-temporal human localization State of the art for video classification Low-level video descriptors Space-time interest points

1.14k views • 58 slides
Instruction-Level Steganography for Covert Trigger-Based Malware Dennis Andriesse and Herbert Bos

Instruction-Level Steganography for Covert Trigger-Based Malware Dennis Andriesse and Herbert Bos

Instruction-Level Steganography for Covert Trigger-Based Malware Dennis Andriesse and Herbert Bos VU University Amsterdam DIMVA 2014 Introduction Trigger-Based Malware Trigger-based malware (TBM) remains dormant until a specific trigger E.g.

586 views • 14 slides
Evolution of Malware and the Next Generation Endpoint Protection against Targeted Attacks Index

Evolution of Malware and the Next Generation Endpoint Protection against Targeted Attacks Index

Evolution of Malware and the Next Generation Endpoint Protection against Targeted Attacks Index 1. Malware volume evolution 2. Malware Eras 3. Panda Adaptive Defense 1. What is it 2. Features & Benefits 3. How does it work 4.

661 views • 47 slides
Anomaly Detection Algorithms for Malware Traffic Analysis using Tamper Resistant Features Dr.

Anomaly Detection Algorithms for Malware Traffic Analysis using Tamper Resistant Features Dr.

Anomaly Detection Algorithms for Malware Traffic Analysis using Tamper Resistant Features Dr. Patrick McDaniel Berkay Celik Fall 2015 Introduction Motivation Related Work Data Approach Experimental Results Comparison

391 views • 25 slides
SATTVA: SpArsiTy inspired classificaTion of malware VAriants Lakshmanan Nataraj, S. Karthikeyan,

SATTVA: SpArsiTy inspired classificaTion of malware VAriants Lakshmanan Nataraj, S. Karthikeyan,

SATTVA: SpArsiTy inspired classificaTion of malware VAriants Lakshmanan Nataraj, S. Karthikeyan, B.S. Manjunath Vision Research Lab University of California, Santa Barbara Sattva ( ) means Purity 1 Introduction

713 views • 43 slides
Malware Collusions Karim O. Elish, Danfeng (Daphne) Yao, and Barbara G. Ryder Department of

Malware Collusions Karim O. Elish, Danfeng (Daphne) Yao, and Barbara G. Ryder Department of

On the Need of Precise Inter-App ICC Classification for Detecting Android Malware Collusions Karim O. Elish, Danfeng (Daphne) Yao, and Barbara G. Ryder Department of Computer Science Virginia Tech May 21, 2015 Problem and Motivation Malware

139 views • 13 slides
Pinkslipbot: A deep look at how malicious code adapts and evolves Guilherme Venere Malware

Pinkslipbot: A deep look at how malicious code adapts and evolves Guilherme Venere Malware

Pinkslipbot: A deep look at how malicious code adapts and evolves Guilherme Venere Malware Researcher Anti Malware Operation Team Know Your Enemy Server-side polymorphic worm. EXE and DLL modules First seen around 2007 Features

662 views • 19 slides
Analysis of Code Heterogeneity for High-precision Classification of Repackaged Malware Gang Tan

Analysis of Code Heterogeneity for High-precision Classification of Repackaged Malware Gang Tan

MOBILE SECURITY TECHNOLOGIES 2016 Analysis of Code Heterogeneity for High-precision Classification of Repackaged Malware Gang Tan Ke Tian, Daphne Yao, Barbara Ryder Department of Computer Science Department of Computer Science Virginia

457 views • 24 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

568 views • 22 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

540 views • 42 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Music Classification Overview and Audio Features Graduate School of Culture Technology, KAIST

Music Classification Overview and Audio Features Graduate School of Culture Technology, KAIST

GCT634: Musical Applications of Machine Learning Music Classification Overview and Audio Features Graduate School of Culture Technology, KAIST Juhan Nam Outlines Definition of Music Classification Tasks Overview of Music Classification

392 views • 37 slides
Chapter 11 Categorical Data Analysis Categorical Data and the Multinomial Distribution

Chapter 11 Categorical Data Analysis Categorical Data and the Multinomial Distribution

Chapter 11 Categorical Data Analysis Categorical Data and the Multinomial Distribution Properties of the Multinomial Experiment 1. Experiment has n identical trials 2. There are k possible outcomes to each trial, called classes, categories or

231 views • 12 slides
Improving Malware Classification: Bridging the Static/Dynamic Gap Authors: Blake Anderson, Curtis

Improving Malware Classification: Bridging the Static/Dynamic Gap Authors: Blake Anderson, Curtis

Improving Malware Classification: Bridging the Static/Dynamic Gap Authors: Blake Anderson, Curtis Storlie, Terran Lane Vinit Singh 18 th April 2017 CISC850 Cyber Analytics CISC850 Cyber Analytics INTRODUCTION Why is there a need for

192 views • 16 slides
Risky Business: How Companies Fall Victim to Fraud Presented by: Tony Okray Julie Latchaw

Risky Business: How Companies Fall Victim to Fraud Presented by: Tony Okray Julie Latchaw

6/5/2016 Risky Business: How Companies Fall Victim to Fraud Presented by: Tony Okray Julie Latchaw Julie Lombardi Member FDIC Agenda: Fraud Statistics Fun With Numbers Check Fraud & ACH Fraud Your Role in Preventing Fraud Fraud

238 views • 13 slides
MAY 2020 This presentation and the accompanying slides (the Presentation), which have been

MAY 2020 This presentation and the accompanying slides (the Presentation), which have been

Q4 & FY20 MAY 2020 This presentation and the accompanying slides (the Presentation), which have been prepared by Quick Heal Safe Harbor Technologies Ltd. (the Company), have been prepared solely for information purposes and do not

771 views • 48 slides
Tech Terminology Overview Devices Desktop Laptop Tablet Smartphone

Tech Terminology Overview Devices Desktop Laptop Tablet Smartphone

Tech Terminology Overview Devices Desktop Laptop Tablet Smartphone Operating System Determines how device will look and behave Different operating systems on computers and laptops than on mobile devices.

352 views • 17 slides
EU Data Protection Compliance Trends - What US Companies Need to Know 30 January 2013 Session

EU Data Protection Compliance Trends - What US Companies Need to Know 30 January 2013 Session

EU Data Protection Compliance Trends - What US Companies Need to Know 30 January 2013 Session Contents Why European data protection rules matter and an introduction to the main privacy rules Transferring data outside of Europe

510 views • 40 slides
OVERVIEW OF DDOS, RANSOMWARE, MALWARE.& ALL THINGS GENERALLY UNPLEASANT (HOPE YOU ENJOY

OVERVIEW OF DDOS, RANSOMWARE, MALWARE.& ALL THINGS GENERALLY UNPLEASANT (HOPE YOU ENJOY

OVERVIEW OF DDOS, RANSOMWARE, MALWARE.& ALL THINGS GENERALLY UNPLEASANT (HOPE YOU ENJOY IT!) BCNET Conference April 25 th , 2017 shawn.beaton@cira.ca AGENDA Lets start with the positive Improvement of the Internet in Canada

700 views • 48 slides
Insurance Service Providers and the Communications Circle March 10 th , 2015 Presented by: Sean

Insurance Service Providers and the Communications Circle March 10 th , 2015 Presented by: Sean

Insurance Service Providers and the Communications Circle March 10 th , 2015 Presented by: Sean Cassidy Benchmark IME Security Breaches Affect Us All New York According to New Yorks Attorney General, 22.8 million private records of New

815 views • 27 slides
Security Partners or Security Police? Presented by: Janna Loeffler

Security Partners or Security Police? Presented by: Janna Loeffler

T12 Security Testing 2019-05-02 11:15 Security Partners or Security Police? Presented by: Janna Loeffler , Carnival Corp. Yesenia Yser, Ultimate Software Brought to you

157 views • 15 slides
Brilliant presentation richard hall pdf Mirror Link #1 2007-12-26 16 52 -- d-w C Documents and

Brilliant presentation richard hall pdf Mirror Link #1 2007-12-26 16 52 -- d-w C Documents and

DownloadBrilliant presentation richard hall pdf. Complete the UCLA Graduate Theater Departmental Online Application. 953 AOPEN WHEEL MOUSE IN BLA InStock Computer. 9 Sep 2014 Dec 5, 2007 drivers for ISSCBTA bluetooth radio in XP. chm 16,42 MB

177 views • 3 slides

More recommend