when malware is packin heat
play

When Malware is Packin Heat; Limits of Machine Learning Classifiers - PowerPoint PPT Presentation

Feb 16, 2023 •470 likes •1.01k views

When Malware is Packin Heat; Limits of Machine Learning Classifiers Based on Static Analysis Features Hojjat Aghakhani , Fabio Gri*, Francesco Mecca, Mar0na Lindorfer, Stefano Ortolani, Davide Balzaro*, Giovanni Vigna, Christopher Kruegel

  1. When Malware is Packin’ Heat; Limits of Machine Learning Classifiers Based on Static Analysis Features Hojjat Aghakhani , Fabio Gri*, Francesco Mecca, Mar0na Lindorfer, Stefano Ortolani, Davide Balzaro*, Giovanni Vigna, Christopher Kruegel

  2. Packing Original PE Header PE Header Packing Decompression Process Stub .text Packed Section/s .data, .rsrc, .rdata, … Packed File Original File 2

  3. Packing Original PE Header Original PE Header PE Header Packing Decompression Unpacking Process Stub RouAne .text .text Packed Section/s .data, .rsrc, .rdata, … .data, .rsrc, .rdata, … Packed File Original File Original Program Loaded in Memory 3

  4. Packing Employed By Malware Authors 4

  5. Packing Evolution • Most packers are not this simple anymore... 5

  6. Packing Evolution • Most packers are not this simple anymore... • Different methods of obfuscation or encryption are being used 6

  7. Packing Evolution • Most packers are not this simple anymore... • Different methods of obfuscation or encryption are being used • Packing happens at multiple layers 7

  8. Packing Evolution • Most packers are not this simple anymore... • Different methods of obfuscation or encryption are being used • Packing happens at multiple layers • Unpacking routines are not necessarily executed in a straight line 8

  9. Packing Evolution • Most packers are not this simple anymore... • Different methods of obfuscation or encryption are being used • Packing happens at multiple layers • Unpacking routines are not necessarily executed in a straight line • Only a single fragment of the original code at any given time 9

  10. Packing Evolution • Most packers are not this simple anymore... • Different methods of obfuscation or encryption are being used • Packing happens at multiple layers • Unpacking routines are not necessarily executed in a straight line • Only a single fragment of the original code at any given time • Usually anti-debugging or anti-reverse-engineering techniques are employed 10

  11. Why Does Packing Matter? • It hampers the analysis of the code 11

  12. Why Does Packing Matter? • It hampers the analysis of the code • Makes malware classification more challenging! 12

  13. Why Does Packing Matter? • It hampers the analysis of the code • Makes malware classification more challenging! • Especially, when using only static analysis 13

  14. Malware Classification Using Static Analysis Static Analysis Anti-Malware + Companies Dynamic Machine Learning Analysis 16

  15. Malware Classification Using Static Analysis Static Analysis Anti-Malware + Companies Dynamic Machine Learning Analysis • What happens if the program is packed, i.e., the features are obfuscated? 17

  16. Do Benign Software Programs Use Packing? Packed Malicious YES NO Not Packed 18

  17. Packing Is Common in Benign Programs 19

  18. Packing Is Common in Benign Programs • Rahbarinia et al. [84], who studied 3 million web-based software downloads over 7 months in 2014, found that both malicious and benign files use known packers (58% and 54%, respectively) B. Rahbarinia, M. Balduzzi, and R. Perdisci, “Exploring the Long Tail of (Malicious) Software Downloads,” 20 in Proc. of the International Conference on Dependable Systems and Networks (DSN) , 2017.

  19. “Packing == Malicious” 21

  20. “Packing == Malicious” on VirusTotal? 613 Windows 10 binaries located Pack with Themida Submit to VT in C: \ Windows \ System32 22

  21. Dataset Pollution 24

  22. Does static analysis on packed binaries provide rich enough features to a malware classifier? 25

  23. Datasets 1. Wild Dataset (50,724 executables): • 4,396 unpacked benign • 12,647 packed benign • 33,681 packed malicious 26

  24. Datasets 1. Wild Dataset (50,724 executables): • 4,396 unpacked benign • 12,647 packed benign • 33,681 packed malicious 2. Lab Dataset: 91,987 Benign Samples Pack with 9 packers Wild (including Themida, Dataset PECompact, UPX, …) 198,734 Malicious Samples 27

  25. Nine Feature Categories Category # Features PE headers 28 PE sections 570 DLL imports 4,305 API imports 19,168 Rich Header 66 Byte n-grams 13,000 Opcode n-grams 2,500 Strings 16,900 File generic 2 28

  26. Our Research Questions 1. Do packers preserve static analysis features that are useful for malware classification? 29

  27. Experiment “Different Packed Ratios (lab)” 1. We exclude packed benign samples from the training set 2. Then, we keep adding more packed benign samples to the training set 33

  28. Experiment “Different Packed Ratios (lab)” 1. We exclude packed benign samples from the training set. 2. Then, we keep adding more packed benign samples to the training set • Surprisingly, the classifier is doing ok! 34

  29. But, How?? • We focused on one packer at a time to identify useful features for each packer! 1. Some packers (e.g., Themida) often keep the Rich Header. 2. Packers often keep .CAB file headers in the resource sections of the executables. 3. UPX keeps one API for each DLL. 35

  30. Our Research Questions 1. Do packers preserve static analysis features that are useful for malware classification? 2. Do packers preserve static analysis features that are useful for Packers preserve some information when packing malware classification? programs that may be “useful” for malware 3. Can a classifier that is carefully trained and not biased towards classification, however, such information does not specific packing routines perform well in real-world scenarios? necessarily represent the real nature of samples 36

  31. Our Research Questions 1. Do packers preserve static analysis features that are useful for malware classification? 2. Can such a classifier perform well in real-world scenarios? 37

  32. Our Research Questions 1. Do packers preserve static analysis features that are useful for malware classification? 2. Can such a classifier perform well in real-world scenarios? Generalization to unseen packers Adversarial examples 38

  33. Generalization To Unseen Packers • Runtime packers are evolving, and malware authors often tend to use their own custom packers 39

  34. Generalization To Unseen Packers 1. Experiment “withheld packer” UPX Themida Obsidium PECompact Petite PELock MPRESS tElock kkrunchy Training Set Test Set 42

  35. Generalization To Unseen Packers Withheld Packer FPR (%) FNR (%) 1. Experiment “withheld packer” PELock 7.30 3.74 PECompact 47.49 2.14 Obsidium 17.42 3.32 Petite 5.16 4.47 tElock 43.65 2.02 Themida 6.21 3.29 MPRESS 5.43 4.53 kkrunchy 83.06 2.50 UPX 11.21 4.34 43

  36. Generalization To Unseen Packers 2. Experiment “lab against wild” • We train the classifier on Lab Dataset • And evaluate it on packed executables in Wild Dataset 44

  37. Generalization To Unseen Packers 2. Experiment “lab against wild” • We train the classifier on Lab Dataset • And evaluate it on packed executables in Wild Dataset • We observed the false negative rate of 41.84%, and false positive rate of 7.27% 45

  38. Poor Generalization To Unseen Packers 46

  39. Adversarial Examples • Machine-learning-based malware detectors shown to be vulnerable to adversarial samples 47

  40. Adversarial Examples • Machine-learning-based malware detectors shown to be vulnerable to adversarial samples • Packing produces features not directly deriving from the actual (unpacked) program 48

  41. Adversarial Examples • Machine-learning-based malware detectors shown to be vulnerable to adversarial samples • Packing produces features not directly deriving from the actual (unpacked) program • Generating such adversarial samples would be easier for an adversary 49

  42. Adversarial Examples Unpacked Benign Packed Random Benign Forest Training: Packed Malicious Training Set Train RF Model 50

  43. Adversarial Examples Unpacked Benign Packed Random Benign Forest Training: Packed Malicious Training Set Train RF Model Benign Packed Evasion: Malicious Strings Malicious Test Set Prediction 51

  44. Adversarial Examples Unpacked Benign Packed Random Benign Forest Training: Packed Malicious Training Set Train RF Model Benign Packed Evasion: Benign Strings Malicious Test Set Prediction 52

  45. Ma Machine Le Learn rning St Static E Evasion on Comp Competition on Benign 150 Malicious Samples 50% Evasion!!! Strings 53

  46. Ma Machine Le Learn rning St Static E Evasion on Comp Competition on Benign 150 Malicious Samples 50% Evasion!!! Strings • Recently, a group of researchers found a very similar way to subvert an AI-based anti-malware engine • By simply taking strings from an online gaming program and appending them to known malware, like WannaCry 54

  47. Vulnerable To Trivial Adversarial Examples 56

  48. Conclusion Unpacked Benign Packed Benign Packed Malicious Training Set Not Biased Model 57

  49. Conclusion .CAB Headers .CAB Headers Rich Header Rich Header M M a a n n i i f f e e s s t t API Imports API Imports S S t t r r i i n n g g s s 58

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

companie ies in involv lved in in productio ion, dis istrib ibutio ion and packin ing of

companie ies in involv lved in in productio ion, dis istrib ibutio ion and packin ing of

MELVIT was establi lished in in 1998. . Today we are one of f th the lea leadin ing companie ies in involv lved in in productio ion, dis istrib ibutio ion and packin ing of lo loose se art rtic icle les su such as s oat t

135 views • 11 slides
Mult lti-Resource Packin ing for Clu luster Schedule lers Robert Grandl, Ganesh

Mult lti-Resource Packin ing for Clu luster Schedule lers Robert Grandl, Ganesh

Mult lti-Resource Packin ing for Clu luster Schedule lers Robert Grandl, Ganesh Ananthanarayanan, Srikanth Kandula, Sriram Rao, Aditya Akella Performance of cluster schedulers We find that: Resources are fragmented i.e. machines run

339 views • 22 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

568 views • 22 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

540 views • 42 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Overview Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer immunization Kjell Jrgen Hole Simula@UiB 4. Epidemiological model 5. Malware halting analysis 6. Malware halting method Last updated

672 views • 29 slides
Beat the Heat: Controlling Heat Hazards in the Workplace Safety Meeting Topic What is Heat

Beat the Heat: Controlling Heat Hazards in the Workplace Safety Meeting Topic What is Heat

Beat the Heat: Controlling Heat Hazards in the Workplace Safety Meeting Topic What is Heat Stress? Total heat load on the body, including: Heat generated by the body Air temperature and humidity Radiant heat (sun, machines,

295 views • 10 slides
How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement Yoshihiro Oyama University of Tsukuba 1 Background Many malware programs execute operations for analysis evasion Detection of

346 views • 31 slides
Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware malware that evades analysis 2 logistics: LEX homework detect push ret pattern using fmex probably easier than TRICKY 3 upcoming exam next Wednesday

496 views • 48 slides
Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

DeepSec IDSC Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware Adventures Agenda INTRODUCTION ANDROID MALWARE COMMAND & CONTROL QUESTIONS & ANSWERS 2 1 2 3 4 Android Malware

1.01k views • 64 slides
Extreme Heat Preparedness Objectives What is extreme heat ? How does it impact SF? What are the

Extreme Heat Preparedness Objectives What is extreme heat ? How does it impact SF? What are the

Extreme Heat Preparedness Objectives What is extreme heat ? How does it impact SF? What are the health effects of heat? How do we prepare for extreme heat? Extreme Heat in the City What is extreme heat? A Tale of Two Neighborhoods Chicago

646 views • 40 slides
Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of

Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of

Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of Computer and Information Science Linkping University Malware Defense Agenda 2 Two lectures Lecture I : Malware basics, malware on the PC,

621 views • 40 slides
Ascent timescales at the Onset of the Oruanui, NZ Supereruption Madison Myers University of

Ascent timescales at the Onset of the Oruanui, NZ Supereruption Madison Myers University of

Ascent timescales at the Onset of the Oruanui, NZ Supereruption Madison Myers University of Oregon In collaboration with: Paul J. Wallace, Colin J.N. Wilson, Jim Watkins and Yang Liu How are large volume eruptions triggered? Chamber Triggered

212 views • 18 slides
Trip Report FINAL MEETING AND SUMMER SCHOOL OF DFG PRIORITY PROGRAM ALGORITHM ENGINEERING DFG

Trip Report FINAL MEETING AND SUMMER SCHOOL OF DFG PRIORITY PROGRAM ALGORITHM ENGINEERING DFG

Trip Report FINAL MEETING AND SUMMER SCHOOL OF DFG PRIORITY PROGRAM ALGORITHM ENGINEERING DFG PP 1307: Algorithm Engineering DFG Priority Program: nationwide funding program over 6 years for up to 30 individual projects PP 1307: Algorithm

243 views • 21 slides
p(E|H p(E|H p ) p ) p(E|H p(E|H d ) d ) Need for testing In forensic voice comparison,

p(E|H p(E|H p ) p ) p(E|H p(E|H d ) d ) Need for testing In forensic voice comparison,

Multi-laboratory evaluation of forensic voice comparison systems under conditions reflecting those of a real forensic case forensic_eval_01 Geoffrey Stewart Morrison Ewald Enzinger p(E|H p(E|H p ) p ) p(E|H p(E|H d ) d ) Need for testing

337 views • 21 slides
Exact JPEG recompression and forensics using interval arithmetic Andrew B. Lewis and Markus G.

Exact JPEG recompression and forensics using interval arithmetic Andrew B. Lewis and Markus G.

Exact JPEG recompression and forensics using interval arithmetic Andrew B. Lewis and Markus G. Kuhn Computer Laboratory Security Group MM&Sec08 rump session What is recompression? Exact recompression is useful because it allows us to

369 views • 12 slides
Modeling Analytics for Computational Storage Veronica Lagrange, Harry Li, Anahita Shayesteh

Modeling Analytics for Computational Storage Veronica Lagrange, Harry Li, Anahita Shayesteh

Modeling Analytics for Computational Storage Veronica Lagrange, Harry Li, Anahita Shayesteh Memory Solutions Lab 07 April 2020 Version 1.2 Samsung Semiconductor, Inc. ICPE 2020 Agenda Modeling Analytics for Computational Storage

848 views • 21 slides
Fronthaul Compression for Cloud Radio Access Networks O. Simeone New Jersey Institute of

Fronthaul Compression for Cloud Radio Access Networks O. Simeone New Jersey Institute of

Fronthaul Compression for Cloud Radio Access Networks O. Simeone New Jersey Institute of Technology (NJIT) Joint work with S.-H. Park 1 , O. Sahin 2 and S. Shamai 3 3 1 2 Cloud Radio Access Networks Base stations operate as radio units

1.09k views • 57 slides
Detect New Physics with Deep Learning Trigger at the LHC Zhenbin Wu (UIC) Thong Nguyen

Detect New Physics with Deep Learning Trigger at the LHC Zhenbin Wu (UIC) Thong Nguyen

Detect New Physics with Deep Learning Trigger at the LHC Zhenbin Wu (UIC) Thong Nguyen (Caltech), Maurizio Pierini(CERN) --on behalf of the CMS collaboration CPAD Instrumentation Frontier Workshop December 8-10, 2019 The LHC Big Data Problem

750 views • 20 slides
Efficient compression of SIDH public keys Craig Costello 1 David Jao 2 Patrick Longa 1 Michael

Efficient compression of SIDH public keys Craig Costello 1 David Jao 2 Patrick Longa 1 Michael

Efficient compression of SIDH public keys Craig Costello 1 David Jao 2 Patrick Longa 1 Michael Naehrig 1 Joost Renes 3 David Urbanik 2 1 Microsoft Research, Redmond, USA 2 University of Waterloo, Ontario, Canada 3 Radboud University, Nijmegen, The

835 views • 44 slides

More recommend