machine learning for malware analysis
play

Machine Learning for Malware Analysis Andrew Davis Data Scientist - PowerPoint PPT Presentation

Jan 11, 2023 •582 likes •904 views

Machine Learning for Malware Analysis Andrew Davis Data Scientist Introduction - What is Malware? - Software intended to cause harm or inflict damage on computer systems - Many different kinds: - Viruses - Adware/Spyware - Backdoors -

  1. Machine Learning for Malware Analysis Andrew Davis Data Scientist

  2. Introduction - What is Malware? - Software intended to cause harm or inflict damage on computer systems - Many different kinds: - Viruses - Adware/Spyware - Backdoors - Trojans - Ransomware - Botnets - Worms - Rootkits - ...

  3. Malware Detection - Hashing - Simplest method: - Compute a fingerprint of the sample (MD5, SHA1, SHA256, …) 7578034f6f7cb994c69afdf09fc487d9 - Check for existance of hash in a database of known malicious hashes Query DB - If the hash exists, the file is malicious - Fast and simple - Requires work to keep up the database Malicious Benign

  4. Malware Detection - Signatures Look for specific strings, byte sequences, … in the file. If attributes match, the file is likely the piece of malware in question

  5. Signature Example

  6. Problems with Signatures - Can be thought of as an overfit classifier - No generalization capability to novel threats - Requires reverse engineers to write new signatures - Signature may be trivially bypassed by the malware author

  7. Malware Detection - Behavioral Methods - Instead of scanning for signatures, examine what the program does when executed - Very slow - AV must run the program and extract information about what the sample does - Malicious samples can “run out the clock” on behavior checks

  8. Scaling Malware Detection - Previously mentioned approaches have difficulty generalizing to new malware - New kinds of malware require humans in the loop to reverse-engineer and create new signatures and heuristics for adequate detection - Can we automate this process with machine learning?

  9. Focus: Windows DLL/EXEs (Portable Executable) Number of samples submitted to VirusTotal, Jan 29 2017

  10. Portable Executable (PE) Format

  11. Feature Engineering - Static Analysis - What kinds of features can we extract for PE files? - Objective: extract features from the EXE without executing anything - PE-Specific features - Information about the structure of the PE file - Strings - Print off all human-readable strings from the binary - Entropy features - Extract information about the predictability of byte sequences - Compressed/encrypted data is high entropy - Disassembly features - Get an idea of what kind of code the sample will execute

  12. PE-Specific Features https://virustotal.com/en/file/e328b2406d8784e54e77ccc7dbe8e3731891a703e6c21cf7e2f924fa8a42ea5c/analysis/

  13. PE-Specific Features https://virustotal.com/en/file/e328b2406d8784e54e77ccc7dbe8e3731891a703e6c21cf7e2f924fa8a42ea5c/analysis/

  14. PE-Specific Features https://virustotal.com/en/file/e328b2406d8784e54e77ccc7dbe8e3731891a703e6c21cf7e2f924fa8a42ea5c/analysis/

  15. PE-Specific Features https://virustotal.com/en/file/e328b2406d8784e54e77ccc7dbe8e3731891a703e6c21cf7e2f924fa8a42ea5c/analysis/

  16. Feature Engineering - String Features - Extract contiguous runs of ASCII-printable strings from the binary - Can see strings used for dialog boxes, user queries, menu items, ... - Samples trying to obfuscate themselves won’t have many strings

  17. Entropy Features - Interpret the stream of bytes as a time-series signal - Compute a sliding-window entropy of the sample - Information can determine if there are compressed, obfuscated, or encrypted parts of the sample “Wavelet decomposition of software entropy reveals symptoms of malicious code”. Wojnowicz, et. al. https://arxiv.org/abs/1607.04950

  18. Disassembly Features - Contains information about what will actually execute - Disassembly is difficult: - Hard to get all of the compiled instructions from a sample - x86 instruction set is variable-length - Ambiguity about what is executed depending on where one starts interpreting the stream of x86 instructions

  19. Difficulties for Static Analysis - Polymorphic code - Code that can modify itself as it executes - Packing - Samples that compress themselves prior to execution, and decompress themselves while executing - Can hide malicious behavior in a compressed blob of bytes - Can obscure benign code as well - Requires expensive implementation of many unpackers (UPX, ASPack, Mew, Mpress, …) - Disassembly - Malware authors can intentionally make the disassembly difficult to obtain

  20. Modelling - Malicious versus Benign - Boils down to a binary classification task - N: hundreds of millions of samples - P: millions of highly sparse features Malware (s=0.9999) ?? ?? Benign

  21. Modelling - Training on ~600 million samples - Strong preference for minibatch methods and fast, compact models - Logistic regression works very well - Neural networks coupled with dimensionality reduction techniques are the workhorse - Tend to combine lasso, dimensionality reduction, and neural networks

  22. Convolutional Methods on Disassembly push %rbp 55 push %rbx 53 mov %rdi,%rbp 48 89 fd mov $0x718700,%edx ba 00 87 71 00 sub $0x8,%rsp 48 83 ec 08 mov (%rdx),%ecx 8b 0a add $0x4,%rdx 48 83 c2 04 lea -0x1010101(%rcx),%eax 8d 81 ff fe fe fe not %ecx f7 d1 and %ecx,%eax 21 c8 and $0x80808080,%eax 25 80 80 80 80 je 41aa4e <__sprintf_chk@plt+0x18b3e> 74 e9 push %rbp push %rbx mov %rdi,%rbp mov $0x718700,%edx sub $0x8,%rsp mov (%rdx),%ecx add $0x4,%rdx lea -0x1010101(%rcx),%eax not %ecx and %ecx,%eax and $0x80808080,%eax je 41aa4e <__sprintf_chk@plt+0x18b3e> https://www.blackhat.com/docs/us-15/materials/us-15-Davis-Deep-Learning-On-Disassembly.pdf

  23. Convolutional Methods on Disassembly Chunk 1 (1kb) Chunk 2 (1kb) Chunk n (1kb) Global Max Pooling Input Conv+BN+MP Conv+BN+MP

  24. Spatial Structure in Instruction Visualizations

  25. Global Max Pooling → Interpretability

  26. MS Malware Kaggle Dataset 9 malware family classes: ● Ramnit Lollipop Kelihos_ver3 Vundo Simda Tracur Kelihos_ver1 Obfuscator.ACY Gatak 1541 2478 2942 475 42 751 398 1228 1013 ~10k training, ~10k testing ● Provides Ida disassembly and raw bytes, minus the PE header ● Methodology: Separate training data into 90% training, 10% validation ● Use 10k testing samples to generate “pseudo-labels” (semi-supervision) ●

  27. Model Definition

  28. Model Definition

  29. Model: Results Overall Acc 98.30% Ramnit 98.96% Lollipop 99.34% Kelihos_v3 99.57% Vundo 97.47% Simda 90.00% Tracur 99.22% Kelihos_v1 95.89% Obfusc 93.27% Gatak 98.75% #184 on Kaggle leaderboard

  30. Thank You! Questions?

Recommend

Machine Learning for Malware Analysis Mike Slawinski Data Scientist Introduction - What is

Machine Learning for Malware Analysis Mike Slawinski Data Scientist Introduction - What is

Machine Learning for Malware Analysis Mike Slawinski Data Scientist Introduction - What is Malware? - Software intended to cause harm or inflict damage on computer systems - Many different kinds: - Adware/Spyware - Backdoors - Viruses

383 views • 26 slides
Automatic Analysis of Malware Behavior using Machine Learning Konrad Rieck, Philipp Trinius,

Automatic Analysis of Malware Behavior using Machine Learning Konrad Rieck, Philipp Trinius,

Automatic Analysis of Malware Behavior using Machine Learning Konrad Rieck, Philipp Trinius, Carsten Willems, Thorsten Holz Peng Su CISC850 Cyber Analytics CISC850 Cyber Analytics Automatic Analysis of Malware Behavior Malware threaten

451 views • 25 slides
Malware Analysis Machine Learning Approach Chiheb Chebbi TEK-UP University DeepSec 14-17 Nov

Malware Analysis Machine Learning Approach Chiheb Chebbi TEK-UP University DeepSec 14-17 Nov

Malware Analysis Machine Learning Approach Chiheb Chebbi TEK-UP University DeepSec 14-17 Nov 2017 Vienna, Austria &lt;whoami/&gt; Computer science engineering student @TEK-UP Cyber security leadership program fellow @Kaspersky_Lab

626 views • 58 slides
When Malware is Packin Heat; Limits of Machine Learning Classifiers Based on Static Analysis

When Malware is Packin Heat; Limits of Machine Learning Classifiers Based on Static Analysis

When Malware is Packin Heat; Limits of Machine Learning Classifiers Based on Static Analysis Features Hojjat Aghakhani , Fabio Gri*, Francesco Mecca, Mar0na Lindorfer, Stefano Ortolani, Davide Balzaro*, Giovanni Vigna, Christopher Kruegel

1.01k views • 53 slides
FIGHTING MALWARE WITH MACHINE LEARNING Edward Raff Jared Sylvester Mark McLean Need ML for

FIGHTING MALWARE WITH MACHINE LEARNING Edward Raff Jared Sylvester Mark McLean Need ML for

FIGHTING MALWARE WITH MACHINE LEARNING Edward Raff Jared Sylvester Mark McLean Need ML for Malware Amount of malware is growing exponentially Anti-virus and signature based approaches are reactionary, dont work for novel malware

127 views • 11 slides
StormDroid: A streaminglized Machine Learning-Based System for Detecting Android Malware Sen

StormDroid: A streaminglized Machine Learning-Based System for Detecting Android Malware Sen

StormDroid: A streaminglized Machine Learning-Based System for Detecting Android Malware Sen Chen, Minhui Xue, Zhushou Tang, Lihua Xu, Haojin Zhu Malware Detection in Android 1.6 million apps in Google Play Store in July 2015

441 views • 22 slides
Experiences of of La Landing Machine Le Learning onto Market-Scale Mobile Malware Detection

Experiences of of La Landing Machine Le Learning onto Market-Scale Mobile Malware Detection

Experiences of of La Landing Machine Le Learning onto Market-Scale Mobile Malware Detection Liangyi Gong, Zhenhua Li, Feng Qian, Zifan Zhang, Qi Alfred Chen, Zhiyun Qian, Hao Lin, Yunhao Liu Mobile Malware Detection Android App Markets

424 views • 29 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
Malware Analysis at AIRBUS Practical Considerations and Issues July, 12th 2017 Xavier

Malware Analysis at AIRBUS Practical Considerations and Issues July, 12th 2017 Xavier

Malware Analysis at AIRBUS Practical Considerations and Issues July, 12th 2017 Xavier Mehrenberger, Raphal Rigo, Sarah Zennou Plan Introduction Automated analysis Machine learning experiments 2 M. Mehrenberger, R. Rigo, S. Zennou ::

637 views • 12 slides
MACHINE LEARNING Kernel Canonical Correlation Analysis 1 ADVANCED MACHINE LEARNING ADVANCED

MACHINE LEARNING Kernel Canonical Correlation Analysis 1 ADVANCED MACHINE LEARNING ADVANCED

ADVANCED MACHINE LEARNING ADVANCED MACHINE LEARNING MACHINE LEARNING Kernel Canonical Correlation Analysis 1 ADVANCED MACHINE LEARNING ADVANCED MACHINE LEARNING Structure of todays and next weeks class 1) Briefly go through one

613 views • 28 slides
Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal

Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal

Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal and Wenke Lee College of Computing Georgia Institute of Technology Agenda l Background l Defeating Automated Malware Analysis Host

1.28k views • 28 slides
CS7038 - Malware Analysis - Wk07.2 Malware Research Online Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk07.2 Malware Research Online Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk07.2 Malware Research Online Coleman Kane kaneca@mail.uc.edu February 22, 2018 Exploring the Online Ecosystem One nice aspect of malware analysis is that, since much of it originates online and

119 views • 10 slides
CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane

CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane

CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane kaneca@mail.uc.edu January 24, 2017 Why Classification is Important Malware classification helps us in multiple ways. Here are a couple key ways:

787 views • 16 slides
Natural Language Processing with Deep Learning Sentiment Analysis with Machine Learning Navid

Natural Language Processing with Deep Learning Sentiment Analysis with Machine Learning Navid

Natural Language Processing with Deep Learning Sentiment Analysis with Machine Learning Navid Rekab-Saz navid.rekabsaz@jku.at Institute of Computational Perception Agenda Introduction to Machine Learning Sentiment Analysis

844 views • 53 slides
Machine learning for CalabiYau manifolds Harold Erbin Asc , Lmu (Germany) Machine Learning

Machine learning for CalabiYau manifolds Harold Erbin Asc , Lmu (Germany) Machine Learning

Machine learning for CalabiYau manifolds Harold Erbin Asc , Lmu (Germany) Machine Learning Landscape, Ictp , Trieste 12th December 2018 1 / 35 Outline: 1. Motivations Motivations Machine learning CalabiYau 3-folds Data analysis ML

500 views • 46 slides
Introduction to Security Malware Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Learning

Introduction to Security Malware Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Learning

Introduction to Security Malware Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Learning Objectives By the end of this week, you will be able to: Describe types of malware See certain malware behaviors Scan and analyze malware

883 views • 25 slides
WHAT CAN MACHINE LEARNING BRING TO CROWD ANALYSIS, MODELLING AND SIMULATION? CONSIDERATIONS AND

WHAT CAN MACHINE LEARNING BRING TO CROWD ANALYSIS, MODELLING AND SIMULATION? CONSIDERATIONS AND

WHAT CAN MACHINE LEARNING BRING TO CROWD ANALYSIS, MODELLING AND SIMULATION? CONSIDERATIONS AND EXPERIMENTS GIUSEPPE VIZZARI CROWDS: MODELS AND CONTROL CIRM MARSEILLE, FRANCE, JUNE 3-7, 2019 OUTLINE AI, Machine Learning (ML), a turbulent

984 views • 38 slides
Machine Learning 10-701 Tom M. Mitchell Machine Learning Department Carnegie Mellon University

Machine Learning 10-701 Tom M. Mitchell Machine Learning Department Carnegie Mellon University

Machine Learning 10-701 Tom M. Mitchell Machine Learning Department Carnegie Mellon University April 5, 2011 Today: Readings: Kernels: Bishop Ch. 6.1 Latent Dirichlet Allocation topic models optional: Social network analysis

298 views • 13 slides
MazeWalker Enriching static malware analysis and more Yevgeny Kulakov @p_h_0_e_n_i_x About Me

MazeWalker Enriching static malware analysis and more Yevgeny Kulakov @p_h_0_e_n_i_x About Me

MazeWalker Enriching static malware analysis and more Yevgeny Kulakov @p_h_0_e_n_i_x About Me Malware RE @ Trusteer, IBM, Seculert binary analysis automation sandbox development Now in vEYE Security on software container

591 views • 48 slides
An Exercise in An Exercise in Machine Learning Machine Learning

An Exercise in An Exercise in Machine Learning Machine Learning

An Exercise in An Exercise in Machine Learning Machine Learning http://www.cs.iastate.edu/~cs573x/bbsilab.html Machine Learning Software Preparing Data Building Classifiers Interpreting Results Machine Learning Software

496 views • 26 slides

More recommend