signature synthesizer
play

Signature Synthesizer Jonas Zaddach Mariano Graziano @jzaddach - PowerPoint PPT Presentation

Apr 18, 2023 •370 likes •689 views

BASS Automated Signature Synthesizer Jonas Zaddach Mariano Graziano @jzaddach @emd3l INTRODUCTION Mariano Graziano Jonas Zaddach Security Researchers in > > LETS TALK ABOUT THE THREAT LANDSCAPE THREAT LANDSCAPE 1.5 MILLION

  1. BASS Automated Signature Synthesizer Jonas Zaddach Mariano Graziano @jzaddach @emd3l

  2. INTRODUCTION Mariano Graziano Jonas Zaddach Security Researchers in > >

  3. LET’S TALK ABOUT THE THREAT LANDSCAPE

  4. THREAT LANDSCAPE 1.5 MILLION

  5. AV PIPELINE OVERVIEW Malware

  6. MALWARE DETECTION CHALLENGE ≈ 560,000 signatures over a 3-month period ≈ 9,500 Signatures  Huge number of signatures  Pattern-based signatures can reduce resource footprint compared to hash-based signatures

  8. BASS OVERVIEW

  9. CLUSTERING • Clustering is NOT a part of BASS! • Several cluster sources feed BASS – Sandbox Indicator of Compromise (IoC) clustering – Structural hashing – Spam campaign dataset

  10. UNPACKING & INSPECTION • Extract all content ClamAV can extract – ZIP archives – Email attachments – Packed executables – Nested documents: e.g., PE file inside a Word document – … • Gather information about file content – File size – Mime type/Magic string – …

  11. FILTERING • Reject clusters with wrong file types – In the near future BASS will handle any executable file type handled by the disassembler (IDA Pro) – Currently limited to PE executables • Clean outliers with wrong file types from clusters

  12. SIGNATURE GENERATION

  13. DISASSEMBLING • Export disassembly database • Currently uses IDA Pro as a disassembler – Others are possible in the future

  14. FINDING COMMON CODE • Use binary diffing to identify similar functions across binaries • Build similarity graph between functions and extract largest connected subgraph

  15. FINDING COMMON CODE • Test found function against a database of whitelisted functions – Kam1n0, a database for binary code clone search, contains functions of whitelisted samples – If a found function is whitelisted, take the next-best subgraph Kam1n0

  16. FINDING AN LCS • Use k-LCS algorithm to find a longest common subsequence • Implemented Hamming-kLCS described by C. Blichmann [1]

  17. FINDING AN LCS • Hamming distance between all strings is computed • 2-LCS algorithm (Hirschberg algorithm) is applied to strings with lowest distance • Resulting LCS is kept  Rinse and repeat ABBACABACCBCA ACBCBACCACB BACCABBBBBBAC

  18. FINDING AN LCS • Hamming distance between all strings is computed • 2-LCS algorithm (Hirschberg algorithm) is applied to strings with lowest distance • Resulting LCS is kept  Rinse and repeat ABBACABACCBCA 8 ACBCBACCACB 11 12 BACCABBBBBBAC

  19. FINDING AN LCS • Hamming distance between all strings is computed • 2-LCS algorithm (Hirschberg algorithm) is applied to strings with lowest distance • Resulting LCS is kept  Rinse and repeat ABBACABACCBCA ABBACCB ACBCBACCACB BACCABBBBBBAC

  20. FINDING AN LCS • Hamming distance between all strings is computed • 2-LCS algorithm (Hirschberg algorithm) is applied to strings with lowest distance • Resulting LCS is kept  Rinse and repeat ABBACCB BACCABBBBBBAC

  21. FINDING AN LCS • Hamming distance between all strings is computed • 2-LCS algorithm (Hirschberg algorithm) is applied to strings with lowest distance • Resulting LCS is kept  Rinse and repeat ABBACCB ABBAC BACCABBBBBBAC

  22. GENERATING A SIGNATURE • Create ClamAV signature – Find possible “gaps” in result sequence – Delete single characters • Find a common name – Use AvClass to label cluster

  23. VALIDATION • False Positive testing – Against a set of known clean binaries • Manual validation by Analyst – Assisted by CASC plugin [4] – Matched binary parts are highlighted in IDA Pro

  24. TECHNICAL IMPLEMENTATION BASS Kam1n0 Client BASS

  25. DEMO

  26. CONCLUSION

  27. LIMITATIONS • Only works for executables • Does not work well for – File infectors (Small, varying snippets of malicious code) – Backdoors (Clean functions mixed with malicious ones) • Alpha stage

  28. CONCLUSION • Presented automated signature generation system for executables • Implemented research ideas not available as code – VxClass from Zynamics • Code will be available open-source – For others to try, improve and comment on https://github.com/CISCO-TALOS/bass

  29. talosintel.com blogs.cisco.com/talos @talossecurity

  30. RESOURCES “ Automatisierte Signaturgenerierung für Malware-Stämme ”, Christian 1. Blichmann https://static.googleusercontent.com/media/www.zynamics.com/en//downloads/blichmann-christian-- diplomarbeit--final.pdf “ AVClass: A Tool for Massive Malware Labeling ”, Sebastian et al., 2. https://software.imdea.org/~juanca/papers/avclass_raid16.pdf “ Kam1n0: MapReduce-based Assembly Clone Search for Reverse 3. Engineering ”, Ding et al., http://www.kdd.org/kdd2016/papers/files/adp0461-dingAdoi.pdf 4. CASC IDA Pro plugin, https://github.com/Cisco-Talos/CASC VxClass – Automated classification of malware and trojans into families 5. https://www.zynamics.com/vxclass.html

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Discharge uncertainty: sources and implications for hydrological analyses Signature 1 Signature

Discharge uncertainty: sources and implications for hydrological analyses Signature 1 Signature

Discharge uncertainty: sources and implications for hydrological analyses Signature 1 Signature 1 Signature 2 Signature 2 http://comm ons.wikime dia.org/wiki/ File:Piasnic a- Signature 3 Signature 3 wodowskaz -0.jpg Ida Westerberg 1,2

388 views • 19 slides
ratification and signature Signature vs ratification Signature formal expression of intent to

ratification and signature Signature vs ratification Signature formal expression of intent to

Steps and technical modalities to follow for the deposit of the instrument of ratification and signature Signature vs ratification Signature formal expression of intent to be bound, but no legal obligation yet: however, a State is

585 views • 10 slides
Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital

Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital

Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital Signature Digital Signature And Hash Function Biometric Signature Electronic Signature Act ROC, 2002/04/01,

299 views • 13 slides
Synthesize any piece of DNA you want! DNA synthesizer middleman time

Synthesize any piece of DNA you want! DNA synthesizer middleman time

Synthesize any piece of DNA you want! DNA synthesizer middleman time consuming toxic reagents inefficient http://www.gotosam.com/ABI_3400.JPG Terminal deoxynucleotidyl Transferase - natively found in mammalian

674 views • 49 slides
Digital Signature Schemes 1 What is digital signature? Properties Who signed what is

Digital Signature Schemes 1 What is digital signature? Properties Who signed what is

Digital Signature Schemes 1 What is digital signature? Properties Who signed what is publicly verifiable Unforgeable 2 A Digital Signature Scheme Key generation algorithm G (probabilistic) ( pk, sk ) G (1 ) security

602 views • 22 slides
1-out-of-2 Signature Jun Shao 2 Whats 1-out-of-2 Signature Mirosaw Kutyowski 1 and Jun

1-out-of-2 Signature Jun Shao 2 Whats 1-out-of-2 Signature Mirosaw Kutyowski 1 and Jun

1-out-of-2 Signature Mirosaw Kutyowski 1 and 1-out-of-2 Signature Jun Shao 2 Whats 1-out-of-2 Signature Mirosaw Kutyowski 1 and Jun Shao 2 Definitions of 1-out-of-2 signature 1 Institute of Mathematics and Computer Science Our

489 views • 34 slides
Chairs signature Mrs E Surtees Heads signature Mr M Tipple-Johnson

Chairs signature Mrs E Surtees Heads signature Mr M Tipple-Johnson

Presentation & Handwriting Policy Chairs signature Mrs E Surtees Heads signature Mr M Tipple-Johnson Date 24 th January 2018 Review date Jan 2020 1 Presentation 1 Book covers should indicate:

52 views • 4 slides
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it is a part of the document) 4. Signed document is unalterable. 5. Signature cannot be

478 views • 24 slides
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it is a part of the document) 4. Signed document is unalterable. 5. Signature cannot be

244 views • 21 slides
Digital Signature And Hash Function

Digital Signature And Hash Function

Digital Signature And Hash Function 1 Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital Signature Biometric Signature

894 views • 52 slides
LIVE-CODING A MUSIC SYNTHESIZER! by Ram Rachum Full code to this talk on GitHub:

LIVE-CODING A MUSIC SYNTHESIZER! by Ram Rachum Full code to this talk on GitHub:

LIVE-CODING A MUSIC SYNTHESIZER! by Ram Rachum Full code to this talk on GitHub: github.com/cool-RR/python_synthesizer Special thanks: Matthias Geier, Matti Picus, Miki Tebeka RAM RACHUM Long-time Python developer My projects:

613 views • 14 slides
[Synthesizer] Sound Design with Patrick Young About Speaker Feature Studios - Patch Design

[Synthesizer] Sound Design with Patrick Young About Speaker Feature Studios - Patch Design

[Synthesizer] Sound Design with Patrick Young About Speaker Feature Studios - Patch Design http://www.speakerfeaturestudios.com/soundbanks/ BSEE, MSEE with specialization in Digital Signal Processing Favorite waveform:

303 views • 15 slides
Week 07 Lectures Signature-based Selection Indexing with Signatures 2/103 Signature-based

Week 07 Lectures Signature-based Selection Indexing with Signatures 2/103 Signature-based

Week 07 Lectures Signature-based Selection Indexing with Signatures 2/103 Signature-based indexing: designed for pmr queries (conjunction of equalities) does not try to achieve better than O(n) performance attempts to provide an

859 views • 27 slides
2 Mission Impact Framework Signature Outcomes YWCA USA and member associations work to achieve

2 Mission Impact Framework Signature Outcomes YWCA USA and member associations work to achieve

2 Mission Impact Framework Signature Outcomes YWCA USA and member associations work to achieve signature metrics for each signature platform over a period of years. 3 Vision for Quality, Affordable Early Learning Strength, confidence,

291 views • 18 slides
ITACA SFR Agorantic Mediathor: Multimedia Creation Instrument Feedback Audio Voice

ITACA SFR Agorantic Mediathor: Multimedia Creation Instrument Feedback Audio Voice

I nformation T echnology and A rtistic C re A tion ITACA ITACA SFR Agorantic Mediathor: Multimedia Creation Instrument Feedback Audio Voice Synthesizer Intelligent Music Interfaces Video Synthesizer Movement detection Feature

482 views • 19 slides
Abstract Automatic Device Model Synthesizer (ADMS) now provides the ability to create all

Abstract Automatic Device Model Synthesizer (ADMS) now provides the ability to create all

New enhancements in ADMS and Spectre CMI XML scripts Sergey Sukharev March 24, 2006, Workshop, Bblingen CADENCE CONFIDENTIAL CADENCE CONFIDENTIAL Abstract Automatic Device Model Synthesizer (ADMS) now provides the ability to create all

467 views • 15 slides
Motivation for IDS Developing absolutely secure systems is Intrusion Detection (IDS) not

Motivation for IDS Developing absolutely secure systems is Intrusion Detection (IDS) not

Motivation for IDS Developing absolutely secure systems is Intrusion Detection (IDS) not possible Most existing systems have security flaws Abuses by privileged insiders are possible Simone Fischer-Hbner Not all kinds of

414 views • 4 slides
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak10/ Spring 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak10/ Spring 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak10/ Spring 2010 Sonja Buchegger buc@kth.se Lecture 7, Feb. 8, 2010 Malicious Software Malicious Software programs exploiting system vulnerabilities known

427 views • 10 slides
Cloud Security VS Cybercrime Economy: The Kaspersky Vision Eugene Kaspersky Co-founder &

Cloud Security VS Cybercrime Economy: The Kaspersky Vision Eugene Kaspersky Co-founder &

Cloud Security VS Cybercrime Economy: The Kaspersky Vision Eugene Kaspersky Co-founder & CEO, Kaspersky Lab The Digital World is Under Attack 20,000,000 Cybercrime is an integral part of the 18,000,000 Digital World 16,000,000

409 views • 16 slides
ROA Contents & Format Proposal Brian Weis Overview An informal study was conducted

ROA Contents & Format Proposal Brian Weis Overview An informal study was conducted

ROA Contents & Format Proposal Brian Weis Overview An informal study was conducted considering ROA Contents Based on Steve Kents earlier presentations ROA Format Design Considerations Three possible formats

145 views • 14 slides
STORAGE@TGCC & LUSTRE FILESYSTEMS WORKING & BEST PRACTICES Philippe DENIEL | |

STORAGE@TGCC & LUSTRE FILESYSTEMS WORKING & BEST PRACTICES Philippe DENIEL | |

STORAGE@TGCC & LUSTRE FILESYSTEMS WORKING & BEST PRACTICES Philippe DENIEL | | CEA/DAM/DIF PATC PARALLEL I/O APRIL 25TH, 2018 23 AVRIL 2018 CEA | 10 AVRIL 2012 | PAGE 1 AGENDA TGCC storage architecture TGCC storage workspaces

484 views • 26 slides
Envisioning a Parallel File System without Dedicated Metadata Servers Qing Zheng Kai Ren, Garth

Envisioning a Parallel File System without Dedicated Metadata Servers Qing Zheng Kai Ren, Garth

Whats Beyond IndexFS & BatchFS Envisioning a Parallel File System without Dedicated Metadata Servers Qing Zheng Kai Ren, Garth Gibson, Bradley W. Settlemyer, Gary Grider Carnegie Mellon University Los Alamos National Laboratory Scaling

561 views • 32 slides
NFSv4.1/pNFS Ready for Prime Time Deployment February 15, 2012 FAST 2012 San Jose NFSv4.1

NFSv4.1/pNFS Ready for Prime Time Deployment February 15, 2012 FAST 2012 San Jose NFSv4.1

NFSv4.1/pNFS Ready for Prime Time Deployment February 15, 2012 FAST 2012 San Jose NFSv4.1 pNFS product community Value of NFSv4.1 / pNFS Industry Standard Secure Performance and Scale Throughput Increased Storage Capacity

368 views • 24 slides
elfutils debuginfo-server necessary non-evil Mark Wielaard, Frank Ch. Eigler Red Hat

elfutils debuginfo-server necessary non-evil Mark Wielaard, Frank Ch. Eigler Red Hat

elfutils debuginfo-server necessary non-evil Mark Wielaard, Frank Ch. Eigler Red Hat mark@klomp.org fche@redhat.com FOSDEM 2020-02-02 1/26 Mark Wielaard, Frank Ch. Eigler elfutils debuginfo-server abstract elfutils debuginfod is a web

477 views • 26 slides

More recommend