Malware Analysis at AIRBUS: Practical Considerations and Issues (PowerPoint presentation)

SLIDE 1

Malware Analysis at AIRBUS

Practical Considerations and Issues

July 12th, 2017

Xavier Mehrenberger, Raphaël Rigo, Sarah Zennou

SLIDE 2

Plan

  • Introduction
  • Automated analysis
  • Machine learning experiments

M. Mehrenberger, R. Rigo, S. Zennou :: Malware Analysis at AIRBUS

SLIDE 3

Context

  • high number of received binary samples
  • analyst time is in limited supply
  • ⇒ need automated analysis and triage

SLIDE 4

Typical workflow of a malware sample

[Workflow diagram, labels: binary → SOC (Security Operations Center) → malicious? → malware → new? → exotic malware → reverser]

Our tools

  • Tools for automated malware analysis and triage, for the SOC (Security Operations Center)

  • Tools for manual analysis by reverser – including our own, BinCAT

SLIDE 5

Plan

  • Introduction
  • Automated analysis
  • Machine learning experiments


SLIDE 6

SOC Tasks

Incoming binaries processing

  • distinguish malicious from benign files;
  • determine what a malware sample does;
  • learn to recognize future similar samples (identify artifacts);
  • distinguish targeted malware from opportunistic ones (phishing, etc.);
  • give priorities on suspicious malware that have to be inspected by a reverser

Observation: targeted malware are much more unusual than opportunistic ones


SLIDE 7

Infrastructure

REbus: communication bus (developed in-house, open source)

  • goal: make analysis tools cooperate!
  • exchange of typed messages (/binary/pe/%abc123...def)
  • independent programs may choose to process each message, based on type
  • decentralized processing & workflow
  • facilitates experimentation
  • scalable

Analysis agents

  • wrappers for existing tools
  • implementations of published techniques

Open source! https://github.com/airbus-seclab/rebus (agents will be published soon)


SLIDE 8

Automated analysis (I)

Analysis automation

  • extract e-mails, archives
  • extract javascript from PDFs
  • extract macros from documents

Identification

  • sha256, ...
  • exif data
  • document rendering
  • visual rendering (packer?)

Static metadata extraction

  • list imports
  • extract suspicious strings

SLIDE 9

Automated analysis (II)

Signature matching

  • apply yara rules
  • antiviruses (IRMA)
  • signature-based identification techniques (peid, signsrch, ...)
  • query public databases (NSRL, virustotal)
  • common RAT configuration extraction tools

Dynamic analysis

  • run sample through several sandboxes
  • several OS images
  • collect and consolidate results:
    • dubious behaviour detected by the sandbox
    • accessed files
    • resources: registry keys, mutexes, pipes, ...
    • network operations

SLIDE 10

Plan

  • Introduction
  • Automated analysis
  • Machine learning experiments


SLIDE 11

ML experiments

Pipeline: feature extraction → hashing (minhash) → distance computation → classification

Goal: identify similar malware, classify into families

Features

  • opcodes (using several disassemblers: IDA, objdump, jakstab, amoco)
  • strings
  • imports, ...

Combined feature extraction & distance computation algorithms

  • ssdeep
  • sdhash
  • simhash
  • bindiff, ...

SLIDE 12

ML Issues

Issues:

  • feature choice
  • representative initial corpus to train your classifier
  • new samples may be completely different from what you already know (not a physical process)
  • new samples have to be compared to every known sample: Θ(n²)
  • typical databases are not well labelled (VT)

  • use analyst feedback in ML algorithms
  • application: identify near-identical new samples ⇒ reduce manual analysis
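As an added example (not code from the deck or from Airbus's tools), the minhash stage of the pipeline on slide 11 and the per-sample corpus scan of slide 12, on constructed feature sets: opcode bigrams and strings as features, a 128-function MinHash signature, and a linear scan over known signatures for near-identical samples. The sample names, feature layout and helper functions are assumptions for illustration.

```python
import hashlib

NUM_HASHES = 128  # signature length; more hash functions give a tighter Jaccard estimate


def extract_features(opcodes: list[str], strings: list[str]) -> set[str]:
    """Feature set of one sample: opcode bigrams plus strings, prefixed so the
    two feature kinds never collide with each other."""
    bigrams = {f"op:{a} {b}" for a, b in zip(opcodes, opcodes[1:])}
    return bigrams | {f"str:{s}" for s in strings}


def _h(i: int, feature: str) -> int:
    """i-th hash function: SHA-256 of (index, feature), truncated to 64 bits."""
    return int.from_bytes(hashlib.sha256(f"{i}:{feature}".encode()).digest()[:8], "big")


def minhash(features: set[str]) -> list[int]:
    """MinHash signature: for each hash function, the minimum hash over the set."""
    return [min(_h(i, f) for f in features) for i in range(NUM_HASHES)]


def estimated_jaccard(sig_a: list[int], sig_b: list[int]) -> float:
    """The fraction of matching signature positions estimates the Jaccard index."""
    return sum(a == b for a, b in zip(sig_a, sig_b)) / len(sig_a)


def exact_jaccard(a: set[str], b: set[str]) -> float:
    return len(a & b) / len(a | b)


def near_duplicates(new_sig: list[int], known: dict[str, list[int]], threshold: float = 0.7) -> list[str]:
    """Compare one new sample against every known one (the linear scan behind the Θ(n²) remark)."""
    return [name for name, sig in known.items() if estimated_jaccard(new_sig, sig) >= threshold]


# Constructed samples (not real malware): B is a variant of A with one string changed,
# C is unrelated code. A and B share 11 of 13 features, so exact J(A,B) = 11/13.
_OPS_A = ["push", "mov", "sub", "call", "test", "jz", "mov", "call", "xor", "ret"]
SAMPLE_A = extract_features(_OPS_A, ["kernel32.dll", "CreateFileA", "C:\\temp\\dropper.exe"])
SAMPLE_B = extract_features(_OPS_A, ["kernel32.dll", "CreateFileA", "C:\\temp\\update.exe"])
SAMPLE_C = extract_features(["mov", "lea", "cmp", "jne", "add", "ret"], ["user32.dll", "MessageBoxA"])

if __name__ == "__main__":
    known = {"A": minhash(SAMPLE_A), "C": minhash(SAMPLE_C)}
    sig_b = minhash(SAMPLE_B)
    print("exact J(A,B)   =", round(exact_jaccard(SAMPLE_A, SAMPLE_B), 3))
    print("minhash J(A,B) =", round(estimated_jaccard(known["A"], sig_b), 3))
    print("near-duplicates of B:", near_duplicates(sig_b, known))
```

Signatures are fixed-size, so comparing two samples costs 128 integer comparisons regardless of how many features each has; the scan over the corpus is still linear per new sample, which is the cost the last slide points at.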