Automatic Analysis of Malware Behavior using Machine Learning - PowerPoint PPT Presentation

  1. Automatic Analysis of Malware Behavior using Machine Learning Konrad Rieck, Philipp Trinius, Carsten Willems, Thorsten Holz Peng Su CISC850 Cyber Analytics

  2. CISC850 Cyber Analytics Automatic Analysis of Malware Behavior • Malware threatens the Internet • Dynamic vs. static analysis • Malware uses binary packers, encryption, or self-modifying code to obstruct analysis. • Dynamic analysis observes the behavior of malicious software at run-time.

  3. CISC850 Cyber Analytics Automatic Analysis of Malware Behavior

  4. CISC850 Cyber Analytics Monitoring of Malware Behavior • Malware sandboxes (CWSandbox) • Malware Instruction Set (MIST)

  5. CISC850 Cyber Analytics Malware Instruction Set • MIST instructions keep the stable and discriminative patterns, such as directory and mutex names, at the beginning of each instruction.

  6. CISC850 Cyber Analytics Embedding of Malware Behavior • Embedding using instruction q-grams • Comparing embedded reports

  7. CISC850 Cyber Analytics Embedding using Instruction Q-grams • For example, the report x = '1|A 2|A 1|A 2|A' is written over the alphabet A = {1|A, 2|A}; with q = 2, the q-grams are its consecutive instruction pairs.

  8. CISC850 Cyber Analytics Embedding using Instruction Q-grams • Normalization • Accounts for redundancy of behavior, the alphabet considered, and the length of reports

  9. CISC850 Cyber Analytics Comparing Embedded Reports • Euclidean distance between embedded reports

  10. CISC850 Cyber Analytics Clustering and Classification • Prototypes -> Clustering -> Classification

  11. CISC850 Cyber Analytics Prototype Extraction

  12. CISC850 Cyber Analytics Clustering using Prototypes

  13. CISC850 Cyber Analytics Classification using Prototypes
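The following is an added worked example (my own code, not from these slides and not the authors' implementation) that walks through the embedding of slides 7 to 9 and the prototype-based steps of slides 10 to 13 in Python. The slides do not spell out the details, so it makes three labelled assumptions: each q-gram is embedded as a binary occurrence feature and the vector is scaled to unit Euclidean norm (the normalization of slide 8), prototypes are picked by farthest-point selection stopping at threshold d_p, and classification assigns a report to its nearest prototype unless that distance exceeds the rejection threshold d_r. The report strings, the sample names, and all function names are constructed for the example; the first report is the one from slide 7.

```python
import math

# Constructed MIST-style reports (sample data for this example, not from the slides
# or the paper). Each instruction is written "category|operation"; "sample_a" is the
# report x from slide 7.
REPORTS = {
    "sample_a": "1|A 2|A 1|A 2|A",
    "sample_b": "1|A 2|A 1|A 2|A 3|B",
    "sample_c": "5|C 6|D 5|C",
}


def qgrams(report, q):
    """All q-grams of consecutive instructions in a whitespace-separated report."""
    instr = report.split()
    return [tuple(instr[i:i + q]) for i in range(len(instr) - q + 1)]


def embed(report, q=2):
    """Map a report to a sparse vector indexed by its q-grams.

    Assumption: binary occurrence per q-gram, scaled to unit Euclidean norm, so a
    report that repeats the same behavior many times (slide 8: redundancy, report
    length) is not pushed away from a shorter report with the same behavior.
    """
    grams = set(qgrams(report, q))
    if not grams:                     # report shorter than q instructions
        return {}
    scale = 1.0 / math.sqrt(len(grams))
    return {g: scale for g in grams}


def euclidean(u, v):
    """Euclidean distance between two sparse vectors stored as dicts (slide 9)."""
    keys = set(u) | set(v)
    return math.sqrt(sum((u.get(k, 0.0) - v.get(k, 0.0)) ** 2 for k in keys))


def extract_prototypes(vectors, d_p):
    """Prototype extraction with threshold d_p (slide 11).

    Assumption: farthest-point selection. Start from an arbitrary report, keep adding
    the report farthest from every prototype chosen so far, and stop once every
    report lies within d_p of some prototype.
    """
    names = list(vectors)
    if not names:
        return []
    protos = [names[0]]
    while True:
        farthest, far_dist = None, -1.0
        for n in names:
            d = min(euclidean(vectors[n], vectors[p]) for p in protos)
            if d > far_dist:
                farthest, far_dist = n, d
        if far_dist <= d_p:
            return protos
        protos.append(farthest)


def classify(vector, vectors, protos, d_r):
    """Classification using prototypes with rejection threshold d_r (slide 13).

    Returns the name of the nearest prototype, or None when the report is farther
    than d_r from all prototypes (i.e. it belongs to no known cluster).
    """
    best = min(protos, key=lambda p: euclidean(vector, vectors[p]))
    return best if euclidean(vector, vectors[best]) <= d_r else None


def run_demo(d_p=0.7, d_r=1.0):
    """Embed the sample reports, extract prototypes, classify two new reports."""
    vectors = {name: embed(rep) for name, rep in REPORTS.items()}
    protos = extract_prototypes(vectors, d_p)
    known = classify(embed("1|A 2|A 1|A"), vectors, protos, d_r)   # same 2-grams as sample_a
    novel = classify(embed("9|Z 9|Z 9|Z"), vectors, protos, d_r)   # shares no 2-gram
    return protos, known, novel


if __name__ == "__main__":
    print(run_demo())
```

With d_p = 0.7 the farthest-point pass picks sample_a and sample_c as prototypes (sample_b sits about 0.61 from sample_a, inside d_p), and a report with no q-gram in common with any prototype is at distance sqrt(2) from all of them and is rejected; lowering d_p to 0.5 promotes sample_b to a prototype as well.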

  14. CISC850 Cyber Analytics Incremental Analysis

  15. CISC850 Cyber Analytics Experiments & Application • Evaluation data • Three parameters to decide • Evaluation of components • How to select the best parameters d_p, d_c, d_r

  16. CISC850 Cyber Analytics Evaluation Data • A reference data set: used to evaluate and calibrate the framework • An application data set: used to see the performance on unknown malware

  17. CISC850 Cyber Analytics Reference Data Set

  18. CISC850 Cyber Analytics Application Data Set

  19. CISC850 Cyber Analytics Evaluation of Components • Precision and recall

  20. Evaluation of Components • F-measure

  21. CISC850 Cyber Analytics Evaluation of Components: d_p

  22. CISC850 Cyber Analytics Evaluation of Components: d_c

  23. CISC850 Cyber Analytics Evaluation of Components: d_r

  24. CISC850 Cyber Analytics Comparative Evaluation with State-of-the-Art

  25. CISC850 Cyber Analytics An Application Scenario
