signature synthesizer
play

Signature Synthesizer Jonas Zaddach Mariano Graziano @jzaddach - PowerPoint PPT Presentation

Apr 18, 2023 •370 likes •689 views

BASS Automated Signature Synthesizer Jonas Zaddach Mariano Graziano @jzaddach @emd3l INTRODUCTION Mariano Graziano Jonas Zaddach Security Researchers in > > LETS TALK ABOUT THE THREAT LANDSCAPE THREAT LANDSCAPE 1.5 MILLION

  1. BASS Automated Signature Synthesizer Jonas Zaddach Mariano Graziano @jzaddach @emd3l

  2. INTRODUCTION Mariano Graziano Jonas Zaddach Security Researchers in > >

  3. LET’S TALK ABOUT THE THREAT LANDSCAPE

  4. THREAT LANDSCAPE 1.5 MILLION

  5. AV PIPELINE OVERVIEW Malware

  6. MALWARE DETECTION CHALLENGE ≈ 560,000 signatures over a 3-month period ≈ 9,500 Signatures  Huge number of signatures  Pattern-based signatures can reduce resource footprint compared to hash-based signatures

  8. BASS OVERVIEW

  9. CLUSTERING • Clustering is NOT a part of BASS! • Several cluster sources feed BASS – Sandbox Indicator of Compromise (IoC) clustering – Structural hashing – Spam campaign dataset

  10. UNPACKING & INSPECTION • Extract all content ClamAV can extract – ZIP archives – Email attachments – Packed executables – Nested documents: e.g., PE file inside a Word document – … • Gather information about file content – File size – Mime type/Magic string – …

  11. FILTERING • Reject clusters with wrong file types – In the near future BASS will handle any executable file type handled by the disassembler (IDA Pro) – Currently limited to PE executables • Clean outliers with wrong file types from clusters

  12. SIGNATURE GENERATION

  13. DISASSEMBLING • Export disassembly database • Currently uses IDA Pro as a disassembler – Others are possible in the future

  14. FINDING COMMON CODE • Use binary diffing to identify similar functions across binaries • Build similarity graph between functions and extract largest connected subgraph

  15. FINDING COMMON CODE • Test found function against a database of whitelisted functions – Kam1n0, a database for binary code clone search, contains functions of whitelisted samples – If a found function is whitelisted, take the next-best subgraph Kam1n0

  16. FINDING AN LCS • Use k-LCS algorithm to find a longest common subsequence • Implemented Hamming-kLCS described by C. Blichmann [1]

  17. FINDING AN LCS • Hamming distance between all strings is computed • 2-LCS algorithm (Hirschberg algorithm) is applied to strings with lowest distance • Resulting LCS is kept  Rinse and repeat ABBACABACCBCA ACBCBACCACB BACCABBBBBBAC

  18. FINDING AN LCS • Hamming distance between all strings is computed • 2-LCS algorithm (Hirschberg algorithm) is applied to strings with lowest distance • Resulting LCS is kept  Rinse and repeat ABBACABACCBCA 8 ACBCBACCACB 11 12 BACCABBBBBBAC

  19. FINDING AN LCS • Hamming distance between all strings is computed • 2-LCS algorithm (Hirschberg algorithm) is applied to strings with lowest distance • Resulting LCS is kept  Rinse and repeat ABBACABACCBCA ABBACCB ACBCBACCACB BACCABBBBBBAC

  20. FINDING AN LCS • Hamming distance between all strings is computed • 2-LCS algorithm (Hirschberg algorithm) is applied to strings with lowest distance • Resulting LCS is kept  Rinse and repeat ABBACCB BACCABBBBBBAC

  21. FINDING AN LCS • Hamming distance between all strings is computed • 2-LCS algorithm (Hirschberg algorithm) is applied to strings with lowest distance • Resulting LCS is kept  Rinse and repeat ABBACCB ABBAC BACCABBBBBBAC

  22. GENERATING A SIGNATURE • Create ClamAV signature – Find possible “gaps” in result sequence – Delete single characters • Find a common name – Use AvClass to label cluster

  23. VALIDATION • False Positive testing – Against a set of known clean binaries • Manual validation by Analyst – Assisted by CASC plugin [4] – Matched binary parts are highlighted in IDA Pro

  24. TECHNICAL IMPLEMENTATION BASS Kam1n0 Client BASS

  25. DEMO

  26. CONCLUSION

  27. LIMITATIONS • Only works for executables • Does not work well for – File infectors (Small, varying snippets of malicious code) – Backdoors (Clean functions mixed with malicious ones) • Alpha stage

  28. CONCLUSION • Presented automated signature generation system for executables • Implemented research ideas not available as code – VxClass from Zynamics • Code will be available open-source – For others to try, improve and comment on https://github.com/CISCO-TALOS/bass

  29. talosintel.com blogs.cisco.com/talos @talossecurity

  30. RESOURCES “ Automatisierte Signaturgenerierung für Malware-Stämme ”, Christian 1. Blichmann https://static.googleusercontent.com/media/www.zynamics.com/en//downloads/blichmann-christian-- diplomarbeit--final.pdf “ AVClass: A Tool for Massive Malware Labeling ”, Sebastian et al., 2. https://software.imdea.org/~juanca/papers/avclass_raid16.pdf “ Kam1n0: MapReduce-based Assembly Clone Search for Reverse 3. Engineering ”, Ding et al., http://www.kdd.org/kdd2016/papers/files/adp0461-dingAdoi.pdf 4. CASC IDA Pro plugin, https://github.com/Cisco-Talos/CASC VxClass – Automated classification of malware and trojans into families 5. https://www.zynamics.com/vxclass.html

Recommend

Discharge uncertainty: sources and implications for hydrological analyses Signature 1 Signature

Discharge uncertainty: sources and implications for hydrological analyses Signature 1 Signature

Discharge uncertainty: sources and implications for hydrological analyses Signature 1 Signature 1 Signature 2 Signature 2 http://comm ons.wikime dia.org/wiki/ File:Piasnic a- Signature 3 Signature 3 wodowskaz -0.jpg Ida Westerberg 1,2

388 views • 19 slides
ratification and signature Signature vs ratification Signature formal expression of intent to

ratification and signature Signature vs ratification Signature formal expression of intent to

Steps and technical modalities to follow for the deposit of the instrument of ratification and signature Signature vs ratification Signature formal expression of intent to be bound, but no legal obligation yet: however, a State is

585 views • 10 slides
Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital

Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital

Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital Signature Digital Signature And Hash Function Biometric Signature Electronic Signature Act ROC, 2002/04/01,

299 views • 13 slides
Synthesize any piece of DNA you want! DNA synthesizer middleman time

Synthesize any piece of DNA you want! DNA synthesizer middleman time

Synthesize any piece of DNA you want! DNA synthesizer middleman time consuming toxic reagents inefficient http://www.gotosam.com/ABI_3400.JPG Terminal deoxynucleotidyl Transferase - natively found in mammalian

674 views • 49 slides
Digital Signature Schemes 1 What is digital signature? Properties Who signed what is

Digital Signature Schemes 1 What is digital signature? Properties Who signed what is

Digital Signature Schemes 1 What is digital signature? Properties Who signed what is publicly verifiable Unforgeable 2 A Digital Signature Scheme Key generation algorithm G (probabilistic) ( pk, sk ) G (1 ) security

602 views • 22 slides
1-out-of-2 Signature Jun Shao 2 Whats 1-out-of-2 Signature Mirosaw Kutyowski 1 and Jun

1-out-of-2 Signature Jun Shao 2 Whats 1-out-of-2 Signature Mirosaw Kutyowski 1 and Jun

1-out-of-2 Signature Mirosaw Kutyowski 1 and 1-out-of-2 Signature Jun Shao 2 Whats 1-out-of-2 Signature Mirosaw Kutyowski 1 and Jun Shao 2 Definitions of 1-out-of-2 signature 1 Institute of Mathematics and Computer Science Our

489 views • 34 slides
Chairs signature Mrs E Surtees Heads signature Mr M Tipple-Johnson

Chairs signature Mrs E Surtees Heads signature Mr M Tipple-Johnson

Presentation & Handwriting Policy Chairs signature Mrs E Surtees Heads signature Mr M Tipple-Johnson Date 24 th January 2018 Review date Jan 2020 1 Presentation 1 Book covers should indicate:

52 views • 4 slides
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it is a part of the document) 4. Signed document is unalterable. 5. Signature cannot be

478 views • 24 slides
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it is a part of the document) 4. Signed document is unalterable. 5. Signature cannot be

244 views • 21 slides
Digital Signature And Hash Function

Digital Signature And Hash Function

Digital Signature And Hash Function 1 Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital Signature Biometric Signature

894 views • 52 slides
LIVE-CODING A MUSIC SYNTHESIZER! by Ram Rachum Full code to this talk on GitHub:

LIVE-CODING A MUSIC SYNTHESIZER! by Ram Rachum Full code to this talk on GitHub:

LIVE-CODING A MUSIC SYNTHESIZER! by Ram Rachum Full code to this talk on GitHub: github.com/cool-RR/python_synthesizer Special thanks: Matthias Geier, Matti Picus, Miki Tebeka RAM RACHUM Long-time Python developer My projects:

613 views • 14 slides
[Synthesizer] Sound Design with Patrick Young About Speaker Feature Studios - Patch Design

[Synthesizer] Sound Design with Patrick Young About Speaker Feature Studios - Patch Design

[Synthesizer] Sound Design with Patrick Young About Speaker Feature Studios - Patch Design http://www.speakerfeaturestudios.com/soundbanks/ BSEE, MSEE with specialization in Digital Signal Processing Favorite waveform:

303 views • 15 slides
Week 07 Lectures Signature-based Selection Indexing with Signatures 2/103 Signature-based

Week 07 Lectures Signature-based Selection Indexing with Signatures 2/103 Signature-based

Week 07 Lectures Signature-based Selection Indexing with Signatures 2/103 Signature-based indexing: designed for pmr queries (conjunction of equalities) does not try to achieve better than O(n) performance attempts to provide an

859 views • 27 slides
2 Mission Impact Framework Signature Outcomes YWCA USA and member associations work to achieve

2 Mission Impact Framework Signature Outcomes YWCA USA and member associations work to achieve

2 Mission Impact Framework Signature Outcomes YWCA USA and member associations work to achieve signature metrics for each signature platform over a period of years. 3 Vision for Quality, Affordable Early Learning Strength, confidence,

291 views • 18 slides
ITACA SFR Agorantic Mediathor: Multimedia Creation Instrument Feedback Audio Voice

ITACA SFR Agorantic Mediathor: Multimedia Creation Instrument Feedback Audio Voice

I nformation T echnology and A rtistic C re A tion ITACA ITACA SFR Agorantic Mediathor: Multimedia Creation Instrument Feedback Audio Voice Synthesizer Intelligent Music Interfaces Video Synthesizer Movement detection Feature

482 views • 19 slides
Abstract Automatic Device Model Synthesizer (ADMS) now provides the ability to create all

Abstract Automatic Device Model Synthesizer (ADMS) now provides the ability to create all

New enhancements in ADMS and Spectre CMI XML scripts Sergey Sukharev March 24, 2006, Workshop, Bblingen CADENCE CONFIDENTIAL CADENCE CONFIDENTIAL Abstract Automatic Device Model Synthesizer (ADMS) now provides the ability to create all

467 views • 15 slides
Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse) Detection Intrusion Detection Host-based Network-based Boriana Ditcheva and Lisa Fowler Active/Passive University of North Carolina at

401 views • 12 slides
MIDI Synthesizer Kyle, Peter, and Eric Motivation Interest in digital audio applications .

MIDI Synthesizer Kyle, Peter, and Eric Motivation Interest in digital audio applications .

MIDI Synthesizer Kyle, Peter, and Eric Motivation Interest in digital audio applications . A good way to learn about the hardware and software aspects of system design Interactive and fun demo. Nice way to learn about an

389 views • 15 slides
Signature Alfresco Kitchen November 2019 Signature Alfresco Kitchen The ultimate in outdoor

Signature Alfresco Kitchen November 2019 Signature Alfresco Kitchen The ultimate in outdoor

Signature Alfresco Kitchen November 2019 Signature Alfresco Kitchen The ultimate in outdoor entertaining. Signatures alfresco kitchen range is a spacious, high quality outdoor cooking and preparation space. Designed for our BBQs to perform at

452 views • 10 slides
A New RSA-Based Signature Scheme Sven Sch age, J org Schwenk Horst G ortz Institute for

A New RSA-Based Signature Scheme Sven Sch age, J org Schwenk Horst G ortz Institute for

A New RSA-Based Signature Scheme Sven Sch age, J org Schwenk Horst G ortz Institute for IT-Security Africacrypt 2010 1 / 13 RSA-Based Signature Schemes Na ve RSA signature scheme not secure under the standard definition of

647 views • 51 slides
Automatic Synthesizer Preset Generation with PresetGen Kvan Tatar, Matthieu Macret, Philippe

Automatic Synthesizer Preset Generation with PresetGen Kvan Tatar, Matthieu Macret, Philippe

Automatic Synthesizer Preset Generation with PresetGen Kvan Tatar, Matthieu Macret, Philippe Pasquier ENGAGING THE WORLD The preset generation problem Modern synthesizers are very powerful and have many parameters resulting in a vast

543 views • 12 slides
Signature Aviation 2020 Interim Results Mark Johnstone (CEO) David Crook (FD) Signature

Signature Aviation 2020 Interim Results Mark Johnstone (CEO) David Crook (FD) Signature

Signature Aviation 2019 Interim Results Signature Aviation 2020 Interim Results Mark Johnstone (CEO) David Crook (FD) Signature Aviation 2020 Interim Results Summary Signatures US market has recovered strongly to be down 19% in

343 views • 31 slides
Signature Aviation 2019 Final Results Mark Johnstone (CEO) David Crook (FD) Signature Aviation

Signature Aviation 2019 Final Results Mark Johnstone (CEO) David Crook (FD) Signature Aviation

Signature Aviation 2019 Interim Results Signature Aviation 2019 Final Results Mark Johnstone (CEO) David Crook (FD) Signature Aviation 2019 Final Results 2019 Transformational Year Ontic disposal $1bn of capital returned to

692 views • 39 slides
Day 4: HPSG approaches to information structure The signature of an HPSG grammar The signature

Day 4: HPSG approaches to information structure The signature of an HPSG grammar The signature

Day 4: HPSG approaches to information structure The signature of an HPSG grammar The signature HPSG in a nutshell defines the ontology (declaration of what exists): Approaches to information structure: which kind of objects

641 views • 18 slides

More recommend