when malware is packin heat
play

When Malware is Packin Heat; Limits of Machine Learning Classifiers - PowerPoint PPT Presentation

Feb 16, 2023 •470 likes •1.01k views

When Malware is Packin Heat; Limits of Machine Learning Classifiers Based on Static Analysis Features Hojjat Aghakhani , Fabio Gri*, Francesco Mecca, Mar0na Lindorfer, Stefano Ortolani, Davide Balzaro*, Giovanni Vigna, Christopher Kruegel

  1. When Malware is Packin’ Heat; Limits of Machine Learning Classifiers Based on Static Analysis Features Hojjat Aghakhani , Fabio Gri*, Francesco Mecca, Mar0na Lindorfer, Stefano Ortolani, Davide Balzaro*, Giovanni Vigna, Christopher Kruegel

  2. Packing Original PE Header PE Header Packing Decompression Process Stub .text Packed Section/s .data, .rsrc, .rdata, … Packed File Original File 2

  3. Packing Original PE Header Original PE Header PE Header Packing Decompression Unpacking Process Stub RouAne .text .text Packed Section/s .data, .rsrc, .rdata, … .data, .rsrc, .rdata, … Packed File Original File Original Program Loaded in Memory 3

  4. Packing Employed By Malware Authors 4

  5. Packing Evolution • Most packers are not this simple anymore... 5

  6. Packing Evolution • Most packers are not this simple anymore... • Different methods of obfuscation or encryption are being used 6

  7. Packing Evolution • Most packers are not this simple anymore... • Different methods of obfuscation or encryption are being used • Packing happens at multiple layers 7

  8. Packing Evolution • Most packers are not this simple anymore... • Different methods of obfuscation or encryption are being used • Packing happens at multiple layers • Unpacking routines are not necessarily executed in a straight line 8

  9. Packing Evolution • Most packers are not this simple anymore... • Different methods of obfuscation or encryption are being used • Packing happens at multiple layers • Unpacking routines are not necessarily executed in a straight line • Only a single fragment of the original code at any given time 9

  10. Packing Evolution • Most packers are not this simple anymore... • Different methods of obfuscation or encryption are being used • Packing happens at multiple layers • Unpacking routines are not necessarily executed in a straight line • Only a single fragment of the original code at any given time • Usually anti-debugging or anti-reverse-engineering techniques are employed 10

  11. Why Does Packing Matter? • It hampers the analysis of the code 11

  12. Why Does Packing Matter? • It hampers the analysis of the code • Makes malware classification more challenging! 12

  13. Why Does Packing Matter? • It hampers the analysis of the code • Makes malware classification more challenging! • Especially, when using only static analysis 13

  14. Malware Classification Using Static Analysis Static Analysis Anti-Malware + Companies Dynamic Machine Learning Analysis 16

  15. Malware Classification Using Static Analysis Static Analysis Anti-Malware + Companies Dynamic Machine Learning Analysis • What happens if the program is packed, i.e., the features are obfuscated? 17

  16. Do Benign Software Programs Use Packing? Packed Malicious YES NO Not Packed 18

  17. Packing Is Common in Benign Programs 19

  18. Packing Is Common in Benign Programs • Rahbarinia et al. [84], who studied 3 million web-based software downloads over 7 months in 2014, found that both malicious and benign files use known packers (58% and 54%, respectively) B. Rahbarinia, M. Balduzzi, and R. Perdisci, “Exploring the Long Tail of (Malicious) Software Downloads,” 20 in Proc. of the International Conference on Dependable Systems and Networks (DSN) , 2017.

  19. “Packing == Malicious” 21

  20. “Packing == Malicious” on VirusTotal? 613 Windows 10 binaries located Pack with Themida Submit to VT in C: \ Windows \ System32 22

  21. Dataset Pollution 24

  22. Does static analysis on packed binaries provide rich enough features to a malware classifier? 25

  23. Datasets 1. Wild Dataset (50,724 executables): • 4,396 unpacked benign • 12,647 packed benign • 33,681 packed malicious 26

  24. Datasets 1. Wild Dataset (50,724 executables): • 4,396 unpacked benign • 12,647 packed benign • 33,681 packed malicious 2. Lab Dataset: 91,987 Benign Samples Pack with 9 packers Wild (including Themida, Dataset PECompact, UPX, …) 198,734 Malicious Samples 27

  25. Nine Feature Categories Category # Features PE headers 28 PE sections 570 DLL imports 4,305 API imports 19,168 Rich Header 66 Byte n-grams 13,000 Opcode n-grams 2,500 Strings 16,900 File generic 2 28

  26. Our Research Questions 1. Do packers preserve static analysis features that are useful for malware classification? 29

  27. Experiment “Different Packed Ratios (lab)” 1. We exclude packed benign samples from the training set 2. Then, we keep adding more packed benign samples to the training set 33

  28. Experiment “Different Packed Ratios (lab)” 1. We exclude packed benign samples from the training set. 2. Then, we keep adding more packed benign samples to the training set • Surprisingly, the classifier is doing ok! 34

  29. But, How?? • We focused on one packer at a time to identify useful features for each packer! 1. Some packers (e.g., Themida) often keep the Rich Header. 2. Packers often keep .CAB file headers in the resource sections of the executables. 3. UPX keeps one API for each DLL. 35

  30. Our Research Questions 1. Do packers preserve static analysis features that are useful for malware classification? 2. Do packers preserve static analysis features that are useful for Packers preserve some information when packing malware classification? programs that may be “useful” for malware 3. Can a classifier that is carefully trained and not biased towards classification, however, such information does not specific packing routines perform well in real-world scenarios? necessarily represent the real nature of samples 36

  31. Our Research Questions 1. Do packers preserve static analysis features that are useful for malware classification? 2. Can such a classifier perform well in real-world scenarios? 37

  32. Our Research Questions 1. Do packers preserve static analysis features that are useful for malware classification? 2. Can such a classifier perform well in real-world scenarios? Generalization to unseen packers Adversarial examples 38

  33. Generalization To Unseen Packers • Runtime packers are evolving, and malware authors often tend to use their own custom packers 39

  34. Generalization To Unseen Packers 1. Experiment “withheld packer” UPX Themida Obsidium PECompact Petite PELock MPRESS tElock kkrunchy Training Set Test Set 42

  35. Generalization To Unseen Packers Withheld Packer FPR (%) FNR (%) 1. Experiment “withheld packer” PELock 7.30 3.74 PECompact 47.49 2.14 Obsidium 17.42 3.32 Petite 5.16 4.47 tElock 43.65 2.02 Themida 6.21 3.29 MPRESS 5.43 4.53 kkrunchy 83.06 2.50 UPX 11.21 4.34 43

  36. Generalization To Unseen Packers 2. Experiment “lab against wild” • We train the classifier on Lab Dataset • And evaluate it on packed executables in Wild Dataset 44

  37. Generalization To Unseen Packers 2. Experiment “lab against wild” • We train the classifier on Lab Dataset • And evaluate it on packed executables in Wild Dataset • We observed the false negative rate of 41.84%, and false positive rate of 7.27% 45

  38. Poor Generalization To Unseen Packers 46

  39. Adversarial Examples • Machine-learning-based malware detectors shown to be vulnerable to adversarial samples 47

  40. Adversarial Examples • Machine-learning-based malware detectors shown to be vulnerable to adversarial samples • Packing produces features not directly deriving from the actual (unpacked) program 48

  41. Adversarial Examples • Machine-learning-based malware detectors shown to be vulnerable to adversarial samples • Packing produces features not directly deriving from the actual (unpacked) program • Generating such adversarial samples would be easier for an adversary 49

  42. Adversarial Examples Unpacked Benign Packed Random Benign Forest Training: Packed Malicious Training Set Train RF Model 50

  43. Adversarial Examples Unpacked Benign Packed Random Benign Forest Training: Packed Malicious Training Set Train RF Model Benign Packed Evasion: Malicious Strings Malicious Test Set Prediction 51

  44. Adversarial Examples Unpacked Benign Packed Random Benign Forest Training: Packed Malicious Training Set Train RF Model Benign Packed Evasion: Benign Strings Malicious Test Set Prediction 52

  45. Ma Machine Le Learn rning St Static E Evasion on Comp Competition on Benign 150 Malicious Samples 50% Evasion!!! Strings 53

  46. Ma Machine Le Learn rning St Static E Evasion on Comp Competition on Benign 150 Malicious Samples 50% Evasion!!! Strings • Recently, a group of researchers found a very similar way to subvert an AI-based anti-malware engine • By simply taking strings from an online gaming program and appending them to known malware, like WannaCry 54

  47. Vulnerable To Trivial Adversarial Examples 56

  48. Conclusion Unpacked Benign Packed Benign Packed Malicious Training Set Not Biased Model 57

  49. Conclusion .CAB Headers .CAB Headers Rich Header Rich Header M M a a n n i i f f e e s s t t API Imports API Imports S S t t r r i i n n g g s s 58

Recommend

companie ies in involv lved in in productio ion, dis istrib ibutio ion and packin ing of

companie ies in involv lved in in productio ion, dis istrib ibutio ion and packin ing of

MELVIT was establi lished in in 1998. . Today we are one of f th the lea leadin ing companie ies in involv lved in in productio ion, dis istrib ibutio ion and packin ing of lo loose se art rtic icle les su such as s oat t

135 views • 11 slides
Mult lti-Resource Packin ing for Clu luster Schedule lers Robert Grandl, Ganesh

Mult lti-Resource Packin ing for Clu luster Schedule lers Robert Grandl, Ganesh

Mult lti-Resource Packin ing for Clu luster Schedule lers Robert Grandl, Ganesh Ananthanarayanan, Srikanth Kandula, Sriram Rao, Aditya Akella Performance of cluster schedulers We find that: Resources are fragmented i.e. machines run

339 views • 22 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

570 views • 22 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

540 views • 42 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Overview Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer immunization Kjell Jrgen Hole Simula@UiB 4. Epidemiological model 5. Malware halting analysis 6. Malware halting method Last updated

672 views • 29 slides
Beat the Heat: Controlling Heat Hazards in the Workplace Safety Meeting Topic What is Heat

Beat the Heat: Controlling Heat Hazards in the Workplace Safety Meeting Topic What is Heat

Beat the Heat: Controlling Heat Hazards in the Workplace Safety Meeting Topic What is Heat Stress? Total heat load on the body, including: Heat generated by the body Air temperature and humidity Radiant heat (sun, machines,

295 views • 10 slides
How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement Yoshihiro Oyama University of Tsukuba 1 Background Many malware programs execute operations for analysis evasion Detection of

346 views • 31 slides
Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware malware that evades analysis 2 logistics: LEX homework detect push ret pattern using fmex probably easier than TRICKY 3 upcoming exam next Wednesday

496 views • 48 slides
Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

DeepSec IDSC Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware Adventures Agenda INTRODUCTION ANDROID MALWARE COMMAND & CONTROL QUESTIONS & ANSWERS 2 1 2 3 4 Android Malware

1.01k views • 64 slides
Extreme Heat Preparedness Objectives What is extreme heat ? How does it impact SF? What are the

Extreme Heat Preparedness Objectives What is extreme heat ? How does it impact SF? What are the

Extreme Heat Preparedness Objectives What is extreme heat ? How does it impact SF? What are the health effects of heat? How do we prepare for extreme heat? Extreme Heat in the City What is extreme heat? A Tale of Two Neighborhoods Chicago

646 views • 40 slides
Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of

Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of

Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of Computer and Information Science Linkping University Malware Defense Agenda 2 Two lectures Lecture I : Malware basics, malware on the PC,

621 views • 40 slides
FIGHTING MALWARE WITH MACHINE LEARNING Edward Raff Jared Sylvester Mark McLean Need ML for

FIGHTING MALWARE WITH MACHINE LEARNING Edward Raff Jared Sylvester Mark McLean Need ML for

FIGHTING MALWARE WITH MACHINE LEARNING Edward Raff Jared Sylvester Mark McLean Need ML for Malware Amount of malware is growing exponentially Anti-virus and signature based approaches are reactionary, dont work for novel malware

127 views • 11 slides
CO 445H MALWARE AND VIRUSES Dr. Benjamin Livshits Malware: Different Types 2 Spyware is

CO 445H MALWARE AND VIRUSES Dr. Benjamin Livshits Malware: Different Types 2 Spyware is

CO 445H MALWARE AND VIRUSES Dr. Benjamin Livshits Malware: Different Types 2 Spyware is software that aids in gathering A virus is a computer program that is information about a person or organization capable of making copies of itself

716 views • 56 slides
H-H H + H 430 kJ + Breaking bond always requires E Endothermic: heat = R Topic 9.2 Heat

H-H H + H 430 kJ + Breaking bond always requires E Endothermic: heat = R Topic 9.2 Heat

H-H H + H 430 kJ + Breaking bond always requires E Endothermic: heat = R Topic 9.2 Heat of reaction, heat of formation, Table I E absorbed H + H H- H + 430 kJ Forming bonds always releases E Exothermic: heat = P E

260 views • 3 slides
Preventing Heat Inj uries Learn to live with the heat Obj ectives Identify types of heat

Preventing Heat Inj uries Learn to live with the heat Obj ectives Identify types of heat

Preventing Heat Inj uries Learn to live with the heat Obj ectives Identify types of heat injuries Discuss signs, symptoms and first aid measures Discuss preventive recommendations Share resources Heat Rash Heat rash is a

630 views • 32 slides
CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane

CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane

CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane kaneca@mail.uc.edu January 24, 2017 Why Classification is Important Malware classification helps us in multiple ways. Here are a couple key ways:

787 views • 16 slides
On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware

On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware

On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware Detection The number of new malware exceeds 75 million by the end of 2011, and is still increasing. The number of malware that produced

1.34k views • 91 slides
Introduction to Security Malware Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Learning

Introduction to Security Malware Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Learning

Introduction to Security Malware Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Learning Objectives By the end of this week, you will be able to: Describe types of malware See certain malware behaviors Scan and analyze malware

883 views • 25 slides
Lecture 12 Malware Defenses Stephen Checkoway University of Illinois at Chicago CS 487

Lecture 12 Malware Defenses Stephen Checkoway University of Illinois at Chicago CS 487

Lecture 12 Malware Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Baileys ECE 422 Malware review How does the malware start running? Logic bomb? Trojan horse? Virus?

470 views • 27 slides

More recommend