Upload File

automatic analysis of malware behavior using machine learningcavazos/cisc850-spring... · automatic...

  • Home
  • Documents
  • Automatic Analysis of Malware Behavior using Machine Learningcavazos/cisc850-spring... · Automatic Analysis of Malware Behavior using Machine Learning Konrad Rieck, Philipp Trinius,
25
Automatic Analysis of Malware Behavior using Machine Learning Konrad Rieck, Philipp Trinius, Carsten Willems, Thorsten Holz Peng Su CISC850 Cyber Analytics

Upload: others

Post on 24-Aug-2020

3 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Automatic Analysis of Malware Behavior using Machine Learningcavazos/cisc850-spring... · Automatic Analysis of Malware Behavior using Machine Learning Konrad Rieck, Philipp Trinius,

Automatic Analysis of Malware Behavior using Machine Learning

Konrad Rieck, Philipp Trinius, Carsten Willems, Thorsten Holz

Peng Su

CISC850

Cyber Analytics

Page 2: Automatic Analysis of Malware Behavior using Machine Learningcavazos/cisc850-spring... · Automatic Analysis of Malware Behavior using Machine Learning Konrad Rieck, Philipp Trinius,

Automatic Analysis of Malware Behavior

• Malware threaten the Internet

• Dynamic VS Static • binary packers, encryption, or self-modifying code, to obstruct

analysis.

• behavior of malicious software during run-time.

CISC850 Cyber Analytics

Page 3: Automatic Analysis of Malware Behavior using Machine Learningcavazos/cisc850-spring... · Automatic Analysis of Malware Behavior using Machine Learning Konrad Rieck, Philipp Trinius,

Automatic Analysis of Malware Behavior

CISC850 Cyber Analytics

Page 4: Automatic Analysis of Malware Behavior using Machine Learningcavazos/cisc850-spring... · Automatic Analysis of Malware Behavior using Machine Learning Konrad Rieck, Philipp Trinius,

Monitoring of Malware Behavior

• Malware Sandboxes --CWSandbox

• Malware Instruction Set

CISC850 Cyber Analytics

Page 5: Automatic Analysis of Malware Behavior using Machine Learningcavazos/cisc850-spring... · Automatic Analysis of Malware Behavior using Machine Learning Konrad Rieck, Philipp Trinius,

Malware Instruction Set

• MIST instruction keep the stable and discriminative patterns such as directory and mutex name at the beginning.

CISC850 Cyber Analytics

Page 6: Automatic Analysis of Malware Behavior using Machine Learningcavazos/cisc850-spring... · Automatic Analysis of Malware Behavior using Machine Learning Konrad Rieck, Philipp Trinius,

Embedding of Malware Behavior

• Embedding using Instruction Q-grams

• Comparing Embedding reports

CISC850 Cyber Analytics

Page 7: Automatic Analysis of Malware Behavior using Machine Learningcavazos/cisc850-spring... · Automatic Analysis of Malware Behavior using Machine Learning Konrad Rieck, Philipp Trinius,

Embedding using Instruction Q-grams

• For example, if report x=‘1|A 2|A 1|A 2|A’, A={1|A, 2|A }, the q for q-grams is 2.

CISC850 Cyber Analytics

Page 8: Automatic Analysis of Malware Behavior using Machine Learningcavazos/cisc850-spring... · Automatic Analysis of Malware Behavior using Machine Learning Konrad Rieck, Philipp Trinius,

Embedding using Instruction Q-grams

• Normalization

• Redundancy of behavior, considered alphabet, length of reports

CISC850 Cyber Analytics

Page 9: Automatic Analysis of Malware Behavior using Machine Learningcavazos/cisc850-spring... · Automatic Analysis of Malware Behavior using Machine Learning Konrad Rieck, Philipp Trinius,

Comparing Embedding reports

• Euclidean distance

CISC850 Cyber Analytics

Page 10: Automatic Analysis of Malware Behavior using Machine Learningcavazos/cisc850-spring... · Automatic Analysis of Malware Behavior using Machine Learning Konrad Rieck, Philipp Trinius,

Clustering and Classification

• Prototypes->Clustering-> Classification

CISC850 Cyber Analytics

Page 11: Automatic Analysis of Malware Behavior using Machine Learningcavazos/cisc850-spring... · Automatic Analysis of Malware Behavior using Machine Learning Konrad Rieck, Philipp Trinius,

Prototype Extraction

CISC850 Cyber Analytics

Page 12: Automatic Analysis of Malware Behavior using Machine Learningcavazos/cisc850-spring... · Automatic Analysis of Malware Behavior using Machine Learning Konrad Rieck, Philipp Trinius,

Clustering using Prototypes

CISC850 Cyber Analytics

Page 13: Automatic Analysis of Malware Behavior using Machine Learningcavazos/cisc850-spring... · Automatic Analysis of Malware Behavior using Machine Learning Konrad Rieck, Philipp Trinius,

Classification using Prototypes

CISC850 Cyber Analytics

Page 14: Automatic Analysis of Malware Behavior using Machine Learningcavazos/cisc850-spring... · Automatic Analysis of Malware Behavior using Machine Learning Konrad Rieck, Philipp Trinius,

Incremental Analysis

CISC850 Cyber Analytics

Page 15: Automatic Analysis of Malware Behavior using Machine Learningcavazos/cisc850-spring... · Automatic Analysis of Malware Behavior using Machine Learning Konrad Rieck, Philipp Trinius,

Experiments & Application

• Evaluation Data • Three parameters to decide

• Evaluation of Components

• How to select the best parameters dp, dc, dr

CISC850 Cyber Analytics

Page 16: Automatic Analysis of Malware Behavior using Machine Learningcavazos/cisc850-spring... · Automatic Analysis of Malware Behavior using Machine Learning Konrad Rieck, Philipp Trinius,

Evaluation Data

• A reference data set

• Evaluate and calibrate the framework

• An application data set

• See the performance on unknown malwares

CISC850 Cyber Analytics

Page 17: Automatic Analysis of Malware Behavior using Machine Learningcavazos/cisc850-spring... · Automatic Analysis of Malware Behavior using Machine Learning Konrad Rieck, Philipp Trinius,

Reference Data Set

CISC850 Cyber Analytics

Page 18: Automatic Analysis of Malware Behavior using Machine Learningcavazos/cisc850-spring... · Automatic Analysis of Malware Behavior using Machine Learning Konrad Rieck, Philipp Trinius,

Application Data Set

CISC850 Cyber Analytics

Page 19: Automatic Analysis of Malware Behavior using Machine Learningcavazos/cisc850-spring... · Automatic Analysis of Malware Behavior using Machine Learning Konrad Rieck, Philipp Trinius,

Evaluation of Components

• Precision and recall

CISC850 Cyber Analytics

Page 20: Automatic Analysis of Malware Behavior using Machine Learningcavazos/cisc850-spring... · Automatic Analysis of Malware Behavior using Machine Learning Konrad Rieck, Philipp Trinius,

Evaluation of Components

• F-measure

Page 21: Automatic Analysis of Malware Behavior using Machine Learningcavazos/cisc850-spring... · Automatic Analysis of Malware Behavior using Machine Learning Konrad Rieck, Philipp Trinius,

Evaluation of Components--dp

CISC850 Cyber Analytics

Page 22: Automatic Analysis of Malware Behavior using Machine Learningcavazos/cisc850-spring... · Automatic Analysis of Malware Behavior using Machine Learning Konrad Rieck, Philipp Trinius,

Evaluation of Components--dc

CISC850 Cyber Analytics

Page 23: Automatic Analysis of Malware Behavior using Machine Learningcavazos/cisc850-spring... · Automatic Analysis of Malware Behavior using Machine Learning Konrad Rieck, Philipp Trinius,

Evaluation of Components--dr

CISC850 Cyber Analytics

Page 24: Automatic Analysis of Malware Behavior using Machine Learningcavazos/cisc850-spring... · Automatic Analysis of Malware Behavior using Machine Learning Konrad Rieck, Philipp Trinius,

Comparative Evaluation with State-of-the-Art

CISC850 Cyber Analytics

Page 25: Automatic Analysis of Malware Behavior using Machine Learningcavazos/cisc850-spring... · Automatic Analysis of Malware Behavior using Machine Learning Konrad Rieck, Philipp Trinius,

An Application Scenario

CISC850 Cyber Analytics


Automatic Way To Remove PC Malware & User Guide

Malware Analysis and Antivirus Technologies: Kernel Malware & A Look at Malware … · 2011-08-16 · Malware Analysis and Antivirus Technologies: Kernel Malware & A Look at Malware

Malware analysis automation · When developing an automatic malware analysis system, it is critical to make sure that the results of the system satisfy the requirements An automatic

Graph, Entropy and Grid Computing: Automatic Comparison … · Graph, Entropy and Grid Computing: Automatic Comparison of Malware Ismael Briones Aitor Gomez PandaLabs Malware Researcher

Automatic Malware Signature Generation

Visualization of shared system call sequence …cavazos/cisc850-spring2017/...Visualization of Shared System Call Sequence Relationships in Large Malware Corpora Josh Saxe Invincea

Cuckoo Sandbox - University of Delawarecavazos/cisc850-spring2017/...CISC 850 : Cyber Analytics Cuckoo Sandbox • Automated malware analysis system. • Uses virtualization and supports

Remove Iobit Malware Fighter - Automatic Removal Guide

Automatic Analysis of Malware Behavior using Machine Learning · Automatic Analysis of Malware Behavior using Machine Learning Konrad Rieck1, Philipp Trinius2, Carsten Willems2, and

Research Article Malware Analysis Using …cavazos/cisc850-spring2017/...Research Article Malware Analysis Using Visualized Image Matrices KyoungSooHan, 1 BooJoongKang, 2 andEulGyuIm

2016 HITCON Malware is In the Memory · Cuckoo Sandbox - Malware Automatic Analysis System - Windows ... . ... New Malware Analysis System

Malware analysis using visualized images and …cavazos/cisc850-spring2017/...Int. J. Inf. Secur. (2015) 14:1–14 DOI 10.1007/s10207-014-0242-0 REGULAR CONTRIBUTION Malware analysis

Visual Analysis of Malware Behavior Using Treemaps and ...cavazos/cisc850-spring2017/papers/... · Visual Analysis of Malware Behavior Using Treemaps and Thread Graphs ... [1, 6,

Automatic Discovery of Parasitic Malware

Automatic Malware Detection on an Alexa-Pi IoT Device › 2019 › files › web › acsac2019_thu_poster_no… · a behavioral-based malware detector and compare the effectiveness

Automatic Malware Detection Using Common Segment Analysis

Automatic Generation of Remediation Procedures for Malware Infections

Automatic Analysis of Malware Behavior using Machine Learning Analysis of... · Automatic Analysis of Malware Behavior using Machine Learning ... Internet worms and Trojan ... the

Automatic Generation of String Signatures for Malware ... · Malware Detection Kent Gri n Scott Schneider Xin Hu Tzi-cker Chiueh Symantec Research Laboratories Abstract. Scanning

Cyber Analytics Service Constraints and Solutionscavazos/cisc850-spring... · What the really large players do: CISC850 Cyber Analytics Mastering Chaos - A Netflix Guide to Microservices

Malware Slums: Measurement and Analysis of Malware on ...homepage.cs.uiowa.edu/~mshafiq/files/malware... · Malware Slums: Measurement and Analysis of Malware on Traffic Exchanges

Malware Fails Best Bugs in Malware Felix Leder [Malware ... · 1 Malware Fails Best Bugs in Malware Felix Leder [Malware Detection Team] [email protected] 5. desember 2011 malware

Intrusion Detection and Malware Analysis - Automatic signature

Metamorphic Malware 1 Metamorphic Malware Research

A Survey of Visualization Systems for Malware …cavazos/cisc850-spring2017/...Abstract • Problem : increasing of malware • Automatic approaches for malware detection • The paper

Malware Images: Visualization and Automatic Classification · 2020-03-11 · malware. Hence, difficult to prevent a zero day attack. • Characterization: At present, the characterization

Challenges and results in automatic malware … · Challenges and results in automatic malware analysis and classification ... To test accuracy and robustness of our system we need

Automatic Analysis of Malware Behavior using … Analysis of Malware Behavior using Machine Learning ... system calls—a sequential report of ... ranging from a bird’s eye view

Towards Automatic Software Lineage Inferenceusers.ece.cmu.edu/~jiyongj/papers/usenixsec13.pdf · Towards Automatic Software Lineage Inference ... malware triage and software vulnerability

MalDozer: Automatic framework for android malware ... · Android malware detection with automatic representation learning. To achieve this aim, we leverage deep learning tech-niques

Automatic Analysis of Malware Behavior using Machine · PDF fileAutomatic Analysis of Malware Behavior using Machine Learning ... and bot networks, ... system calls—a sequential

Automatic Generation of String Signatures for Malware ... · Automatic Generation of String Signatures for Malware Detection Scott Schneider, Kent Griffin – SRL Xin Hu – University

Improving Malware Classification: Bridging the …cavazos/cisc850-spring2017/...Improving Malware Classification: Bridging the Static/Dynamic Gap Blake Anderson Los Alamos National

Automatic comparison of malware

MalDozer: Automatic framework for android malware