machine learning for malware analysis
play

Machine Learning for Malware Analysis Andrew Davis Data Scientist - PowerPoint PPT Presentation

Jan 11, 2023 •582 likes •904 views

Machine Learning for Malware Analysis Andrew Davis Data Scientist Introduction - What is Malware? - Software intended to cause harm or inflict damage on computer systems - Many different kinds: - Viruses - Adware/Spyware - Backdoors -

  1. Machine Learning for Malware Analysis Andrew Davis Data Scientist

  2. Introduction - What is Malware? - Software intended to cause harm or inflict damage on computer systems - Many different kinds: - Viruses - Adware/Spyware - Backdoors - Trojans - Ransomware - Botnets - Worms - Rootkits - ...

  3. Malware Detection - Hashing - Simplest method: - Compute a fingerprint of the sample (MD5, SHA1, SHA256, …) 7578034f6f7cb994c69afdf09fc487d9 - Check for existance of hash in a database of known malicious hashes Query DB - If the hash exists, the file is malicious - Fast and simple - Requires work to keep up the database Malicious Benign

  4. Malware Detection - Signatures Look for specific strings, byte sequences, … in the file. If attributes match, the file is likely the piece of malware in question

  5. Signature Example

  6. Problems with Signatures - Can be thought of as an overfit classifier - No generalization capability to novel threats - Requires reverse engineers to write new signatures - Signature may be trivially bypassed by the malware author

  7. Malware Detection - Behavioral Methods - Instead of scanning for signatures, examine what the program does when executed - Very slow - AV must run the program and extract information about what the sample does - Malicious samples can “run out the clock” on behavior checks

  8. Scaling Malware Detection - Previously mentioned approaches have difficulty generalizing to new malware - New kinds of malware require humans in the loop to reverse-engineer and create new signatures and heuristics for adequate detection - Can we automate this process with machine learning?

  9. Focus: Windows DLL/EXEs (Portable Executable) Number of samples submitted to VirusTotal, Jan 29 2017

  10. Portable Executable (PE) Format

  11. Feature Engineering - Static Analysis - What kinds of features can we extract for PE files? - Objective: extract features from the EXE without executing anything - PE-Specific features - Information about the structure of the PE file - Strings - Print off all human-readable strings from the binary - Entropy features - Extract information about the predictability of byte sequences - Compressed/encrypted data is high entropy - Disassembly features - Get an idea of what kind of code the sample will execute

  12. PE-Specific Features https://virustotal.com/en/file/e328b2406d8784e54e77ccc7dbe8e3731891a703e6c21cf7e2f924fa8a42ea5c/analysis/

  13. PE-Specific Features https://virustotal.com/en/file/e328b2406d8784e54e77ccc7dbe8e3731891a703e6c21cf7e2f924fa8a42ea5c/analysis/

  14. PE-Specific Features https://virustotal.com/en/file/e328b2406d8784e54e77ccc7dbe8e3731891a703e6c21cf7e2f924fa8a42ea5c/analysis/

  15. PE-Specific Features https://virustotal.com/en/file/e328b2406d8784e54e77ccc7dbe8e3731891a703e6c21cf7e2f924fa8a42ea5c/analysis/

  16. Feature Engineering - String Features - Extract contiguous runs of ASCII-printable strings from the binary - Can see strings used for dialog boxes, user queries, menu items, ... - Samples trying to obfuscate themselves won’t have many strings

  17. Entropy Features - Interpret the stream of bytes as a time-series signal - Compute a sliding-window entropy of the sample - Information can determine if there are compressed, obfuscated, or encrypted parts of the sample “Wavelet decomposition of software entropy reveals symptoms of malicious code”. Wojnowicz, et. al. https://arxiv.org/abs/1607.04950

  18. Disassembly Features - Contains information about what will actually execute - Disassembly is difficult: - Hard to get all of the compiled instructions from a sample - x86 instruction set is variable-length - Ambiguity about what is executed depending on where one starts interpreting the stream of x86 instructions

  19. Difficulties for Static Analysis - Polymorphic code - Code that can modify itself as it executes - Packing - Samples that compress themselves prior to execution, and decompress themselves while executing - Can hide malicious behavior in a compressed blob of bytes - Can obscure benign code as well - Requires expensive implementation of many unpackers (UPX, ASPack, Mew, Mpress, …) - Disassembly - Malware authors can intentionally make the disassembly difficult to obtain

  20. Modelling - Malicious versus Benign - Boils down to a binary classification task - N: hundreds of millions of samples - P: millions of highly sparse features Malware (s=0.9999) ?? ?? Benign

  21. Modelling - Training on ~600 million samples - Strong preference for minibatch methods and fast, compact models - Logistic regression works very well - Neural networks coupled with dimensionality reduction techniques are the workhorse - Tend to combine lasso, dimensionality reduction, and neural networks

  22. Convolutional Methods on Disassembly push %rbp 55 push %rbx 53 mov %rdi,%rbp 48 89 fd mov $0x718700,%edx ba 00 87 71 00 sub $0x8,%rsp 48 83 ec 08 mov (%rdx),%ecx 8b 0a add $0x4,%rdx 48 83 c2 04 lea -0x1010101(%rcx),%eax 8d 81 ff fe fe fe not %ecx f7 d1 and %ecx,%eax 21 c8 and $0x80808080,%eax 25 80 80 80 80 je 41aa4e <__sprintf_chk@plt+0x18b3e> 74 e9 push %rbp push %rbx mov %rdi,%rbp mov $0x718700,%edx sub $0x8,%rsp mov (%rdx),%ecx add $0x4,%rdx lea -0x1010101(%rcx),%eax not %ecx and %ecx,%eax and $0x80808080,%eax je 41aa4e <__sprintf_chk@plt+0x18b3e> https://www.blackhat.com/docs/us-15/materials/us-15-Davis-Deep-Learning-On-Disassembly.pdf

  23. Convolutional Methods on Disassembly Chunk 1 (1kb) Chunk 2 (1kb) Chunk n (1kb) Global Max Pooling Input Conv+BN+MP Conv+BN+MP

  24. Spatial Structure in Instruction Visualizations

  25. Global Max Pooling → Interpretability

  26. MS Malware Kaggle Dataset 9 malware family classes: ● Ramnit Lollipop Kelihos_ver3 Vundo Simda Tracur Kelihos_ver1 Obfuscator.ACY Gatak 1541 2478 2942 475 42 751 398 1228 1013 ~10k training, ~10k testing ● Provides Ida disassembly and raw bytes, minus the PE header ● Methodology: Separate training data into 90% training, 10% validation ● Use 10k testing samples to generate “pseudo-labels” (semi-supervision) ●

  27. Model Definition

  28. Model Definition

  29. Model: Results Overall Acc 98.30% Ramnit 98.96% Lollipop 99.34% Kelihos_v3 99.57% Vundo 97.47% Simda 90.00% Tracur 99.22% Kelihos_v1 95.89% Obfusc 93.27% Gatak 98.75% #184 on Kaggle leaderboard

  30. Thank You! Questions?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Machine Learning for Malware Analysis Mike Slawinski Data Scientist Introduction - What is

Machine Learning for Malware Analysis Mike Slawinski Data Scientist Introduction - What is

Machine Learning for Malware Analysis Mike Slawinski Data Scientist Introduction - What is Malware? - Software intended to cause harm or inflict damage on computer systems - Many different kinds: - Adware/Spyware - Backdoors - Viruses

383 views • 26 slides
Automatic Analysis of Malware Behavior using Machine Learning Konrad Rieck, Philipp Trinius,

Automatic Analysis of Malware Behavior using Machine Learning Konrad Rieck, Philipp Trinius,

Automatic Analysis of Malware Behavior using Machine Learning Konrad Rieck, Philipp Trinius, Carsten Willems, Thorsten Holz Peng Su CISC850 Cyber Analytics CISC850 Cyber Analytics Automatic Analysis of Malware Behavior Malware threaten

451 views • 25 slides
Malware Analysis Machine Learning Approach Chiheb Chebbi TEK-UP University DeepSec 14-17 Nov

Malware Analysis Machine Learning Approach Chiheb Chebbi TEK-UP University DeepSec 14-17 Nov

Malware Analysis Machine Learning Approach Chiheb Chebbi TEK-UP University DeepSec 14-17 Nov 2017 Vienna, Austria &lt;whoami/&gt; Computer science engineering student @TEK-UP Cyber security leadership program fellow @Kaspersky_Lab

626 views • 58 slides
When Malware is Packin Heat; Limits of Machine Learning Classifiers Based on Static Analysis

When Malware is Packin Heat; Limits of Machine Learning Classifiers Based on Static Analysis

When Malware is Packin Heat; Limits of Machine Learning Classifiers Based on Static Analysis Features Hojjat Aghakhani , Fabio Gri*, Francesco Mecca, Mar0na Lindorfer, Stefano Ortolani, Davide Balzaro*, Giovanni Vigna, Christopher Kruegel

1.01k views • 53 slides
FIGHTING MALWARE WITH MACHINE LEARNING Edward Raff Jared Sylvester Mark McLean Need ML for

FIGHTING MALWARE WITH MACHINE LEARNING Edward Raff Jared Sylvester Mark McLean Need ML for

FIGHTING MALWARE WITH MACHINE LEARNING Edward Raff Jared Sylvester Mark McLean Need ML for Malware Amount of malware is growing exponentially Anti-virus and signature based approaches are reactionary, dont work for novel malware

127 views • 11 slides
StormDroid: A streaminglized Machine Learning-Based System for Detecting Android Malware Sen

StormDroid: A streaminglized Machine Learning-Based System for Detecting Android Malware Sen

StormDroid: A streaminglized Machine Learning-Based System for Detecting Android Malware Sen Chen, Minhui Xue, Zhushou Tang, Lihua Xu, Haojin Zhu Malware Detection in Android 1.6 million apps in Google Play Store in July 2015

441 views • 22 slides
Experiences of of La Landing Machine Le Learning onto Market-Scale Mobile Malware Detection

Experiences of of La Landing Machine Le Learning onto Market-Scale Mobile Malware Detection

Experiences of of La Landing Machine Le Learning onto Market-Scale Mobile Malware Detection Liangyi Gong, Zhenhua Li, Feng Qian, Zifan Zhang, Qi Alfred Chen, Zhiyun Qian, Hao Lin, Yunhao Liu Mobile Malware Detection Android App Markets

424 views • 29 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
Malware Analysis at AIRBUS Practical Considerations and Issues July, 12th 2017 Xavier

Malware Analysis at AIRBUS Practical Considerations and Issues July, 12th 2017 Xavier

Malware Analysis at AIRBUS Practical Considerations and Issues July, 12th 2017 Xavier Mehrenberger, Raphal Rigo, Sarah Zennou Plan Introduction Automated analysis Machine learning experiments 2 M. Mehrenberger, R. Rigo, S. Zennou ::

637 views • 12 slides
MACHINE LEARNING Kernel Canonical Correlation Analysis 1 ADVANCED MACHINE LEARNING ADVANCED

MACHINE LEARNING Kernel Canonical Correlation Analysis 1 ADVANCED MACHINE LEARNING ADVANCED

ADVANCED MACHINE LEARNING ADVANCED MACHINE LEARNING MACHINE LEARNING Kernel Canonical Correlation Analysis 1 ADVANCED MACHINE LEARNING ADVANCED MACHINE LEARNING Structure of todays and next weeks class 1) Briefly go through one

613 views • 28 slides
Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal

Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal

Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal and Wenke Lee College of Computing Georgia Institute of Technology Agenda l Background l Defeating Automated Malware Analysis Host

1.28k views • 28 slides
CS7038 - Malware Analysis - Wk07.2 Malware Research Online Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk07.2 Malware Research Online Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk07.2 Malware Research Online Coleman Kane kaneca@mail.uc.edu February 22, 2018 Exploring the Online Ecosystem One nice aspect of malware analysis is that, since much of it originates online and

119 views • 10 slides
November 2018 City of London Group City of London Group plc is the AIM-listed parent company of a

November 2018 City of London Group City of London Group plc is the AIM-listed parent company of a

November 2018 City of London Group City of London Group plc is the AIM-listed parent company of a group focused on serving two key segments, the UK SME market and home reversion. While grounded with traditional values through the strength and

554 views • 22 slides
Binary Analysis Dennis Andriesse Finse Winter School 2018 Who am I? Researcher at Vrije

Binary Analysis Dennis Andriesse Finse Winter School 2018 Who am I? Researcher at Vrije

Binary Analysis Dennis Andriesse Finse Winter School 2018 Who am I? Researcher at Vrije Universiteit Amsterdam Reverse engineering Hardening programs/anti-exploitation Malware analysis ... Attack developer in GameOver Zeus

532 views • 15 slides
Wallumbilla Gas Supply Hub &amp; Services GAB Meeting 20 May 2014 John Jamieson Wallumbilla Gas

Wallumbilla Gas Supply Hub &amp; Services GAB Meeting 20 May 2014 John Jamieson Wallumbilla Gas

Wallumbilla Gas Supply Hub &amp; Services GAB Meeting 20 May 2014 John Jamieson Wallumbilla Gas Supply Hub Voluntary Market which commenced operation on 20 March 2014 ~ 2 Year development process Consists of 3 trading nodes at the

187 views • 6 slides
Hawaii Invasive Species Council May 31, 2016 / Plant Quarantine Conf. Room, HDOA / 1849 Auiki St,

Hawaii Invasive Species Council May 31, 2016 / Plant Quarantine Conf. Room, HDOA / 1849 Auiki St,

Hawaii Invasive Species Council May 31, 2016 / Plant Quarantine Conf. Room, HDOA / 1849 Auiki St, Honolulu, HI, 96819 1. Call&amp;to&amp;order&amp; 2. Introduc1ons&amp; 3.

408 views • 16 slides
Year 8 Parent Evening Wednesday, 19 February 2020 Positive Education Student Wellbeing Student

Year 8 Parent Evening Wednesday, 19 February 2020 Positive Education Student Wellbeing Student

Year 8 Parent Evening Wednesday, 19 February 2020 Positive Education Student Wellbeing Student Wellbeing Positive Education Positive Education aims to build strength and capability in wellbeing and resilience in an educational

500 views • 38 slides
Metro Banking Webinar Current Financial Case Law and Legislative Issues to have on Your Teams

Metro Banking Webinar Current Financial Case Law and Legislative Issues to have on Your Teams

Metro Banking Webinar Current Financial Case Law and Legislative Issues to have on Your Teams Radar Thursday, October 26, 2017 Daniel A. Beckman dbeckman@gislason.com Minnesota Probate Code Change Affidavit of Collection for Personal

720 views • 54 slides
Dynamic instrumentation techniques Ahmad shahnejat Michel Dagenais May, 06 1

Dynamic instrumentation techniques Ahmad shahnejat Michel Dagenais May, 06 1

Dynamic instrumentation techniques Ahmad shahnejat Michel Dagenais May, 06 1 OUTLINE INTRODUCTION to dynamic instrumentation Trap instruction INstruction punning technique Proposed compiler-assisted technique

662 views • 31 slides
Toward a Core Design to Distribute an Execution on a Manycore Processor. Bernard Goossens, David

Toward a Core Design to Distribute an Execution on a Manycore Processor. Bernard Goossens, David

PaCT2015, Petrozavodsk, August 31 - September 4, 2015 Toward a Core Design to Distribute an Execution on a Manycore Processor. Bernard Goossens, David Parello, Katarzyna Porada, Djallal Rahmoune Universit e de Perpignan Via Domitia

960 views • 66 slides

More recommend