![Page 1: Automatic Analysis of Malware Behavior using Machine Learningcavazos/cisc850-spring... · Automatic Analysis of Malware Behavior using Machine Learning Konrad Rieck, Philipp Trinius,](https://reader035.vdocument.in/reader035/viewer/2022071020/5fd40b30dfc6c36b2550d131/html5/thumbnails/1.jpg)
Automatic Analysis of Malware Behavior using Machine Learning
Konrad Rieck, Philipp Trinius, Carsten Willems, Thorsten Holz
Peng Su
CISC850
Cyber Analytics
Automatic Analysis of Malware Behavior
• Malware threatens the Internet
• Dynamic vs. static analysis
• Static analysis is obstructed by binary packers, encryption, or self-modifying code.
• Dynamic analysis observes the behavior of malicious software at run-time.
Automatic Analysis of Malware Behavior
Monitoring of Malware Behavior
• Malware sandboxes, e.g. CWSandbox
• Malware Instruction Set
Malware Instruction Set
• A MIST instruction keeps the stable and discriminative patterns, such as directory and mutex names, at its beginning.
Embedding of Malware Behavior
• Embedding using Instruction Q-grams
• Comparing embedded reports
Embedding using Instruction Q-grams
• For example, for the report x = '1|A 2|A 1|A 2|A' the instruction alphabet is A = {1|A, 2|A}, and q = 2 for the q-grams.
Embedding using Instruction Q-grams
• Normalization
• Accounts for redundancy of behavior, the alphabet considered, and the length of reports
Comparing Embedded Reports
• Euclidean distance
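The embedding slides above describe the pipeline only in outline: split a MIST report into instructions, count the instruction q-grams, normalize the counts, and compare two reports by Euclidean distance. The following added example (written here for this summary, not code from the paper or from CWSandbox) carries the slide's own report x = '1|A 2|A 1|A 2|A' with q = 2 through that pipeline. The reports REPORT_Y and REPORT_Z are constructed, and the normalization (dividing by the Euclidean norm so every report becomes a unit vector) is an assumption chosen so that the distance no longer depends on report length; the paper's exact normalization may differ.

```python
from collections import Counter
from math import sqrt

# Constructed MIST-style reports: each token is "category|operation", in the
# spirit of the slide's example. REPORT_X is the slide's report; Y and Z are
# made up for this example and are not real sandbox output.
REPORT_X = "1|A 2|A 1|A 2|A"
REPORT_Y = "1|A 2|A 2|B 1|A"
REPORT_Z = "3|C 3|C 3|C"


def tokenize(report):
    """Split a whitespace-separated MIST report into its instruction tokens."""
    return report.split()


def alphabet(report):
    """The set A of distinct instructions occurring in a report."""
    return sorted(set(tokenize(report)))


def qgrams(report, q=2):
    """Count the q-grams (windows of q consecutive instructions) of a report."""
    toks = tokenize(report)
    return Counter(tuple(toks[i:i + q]) for i in range(len(toks) - q + 1))


def embed(report, q=2):
    """Map a report to a sparse q-gram vector (dict keyed by q-gram).

    Normalization (assumption for this example): divide by the Euclidean norm,
    so every report has unit length and two reports that differ only in how
    often they repeat the same behavior embed to the same point.
    """
    counts = qgrams(report, q)
    norm = sqrt(sum(c * c for c in counts.values()))
    if norm == 0:  # report shorter than q instructions: nothing to embed
        return {}
    return {g: c / norm for g, c in counts.items()}


def euclidean(u, v):
    """Euclidean distance between two sparse vectors stored as dicts.

    For unit vectors the result lies in [0, sqrt(2)]; sqrt(2) means the two
    reports share no q-gram at all.
    """
    keys = set(u) | set(v)
    return sqrt(sum((u.get(k, 0.0) - v.get(k, 0.0)) ** 2 for k in keys))


if __name__ == "__main__":
    print("alphabet of x:", alphabet(REPORT_X))
    print("2-grams of x:", dict(qgrams(REPORT_X)))
    for name, other in (("y", REPORT_Y), ("z", REPORT_Z)):
        print(f"d(x, {name}) = {euclidean(embed(REPORT_X), embed(other)):.4f}")
```

Running the script shows that x and y, which share the 2-gram (1|A, 2|A), are closer to each other than x and z, which have no instruction in common and therefore sit at the maximum distance sqrt(2).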
Clustering and Classification
• Prototypes -> Clustering -> Classification
Prototype Extraction
Clustering using Prototypes
Classification using Prototypes
Incremental Analysis
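Slides 10 to 14 name the four stages (prototype extraction, clustering using prototypes, classification using prototypes, incremental analysis) and the later slides name their parameters dp, dc and dr, but give no detail. The example below is added for this summary and is not the paper's or CWSandbox's code. It assumes the stages work as follows: prototypes are picked greedily, farthest-first, until every report is within dp of a prototype; prototypes are grouped by complete-linkage clustering up to distance dc; a new report is assigned to the cluster of its nearest prototype or rejected as unknown when that distance exceeds dr; and rejected reports are clustered on their own in the next incremental round. The input vectors are constructed 2-D points standing in for the q-gram embeddings of the previous slides.

```python
from math import sqrt

# Constructed embeddings (not real sandbox data): 2-D points standing in for
# q-gram vectors. Two tight groups of three reports plus one isolated report.
REPORTS = [(0.0, 0.0), (0.1, 0.0), (0.0, 0.1),
           (5.0, 5.0), (5.1, 5.0), (5.0, 5.2),
           (10.0, 0.0)]


def euclidean(u, v):
    return sqrt(sum((a - b) ** 2 for a, b in zip(u, v)))


def extract_prototypes(vectors, dp):
    """Greedy farthest-first prototype extraction (assumed design, see lead-in).

    The first vector seeds the set; the vector farthest from every current
    prototype is added next, until all vectors lie within dp of a prototype.
    """
    if not vectors:
        return []
    protos = [vectors[0]]
    dist = [euclidean(v, vectors[0]) for v in vectors]
    while max(dist) > dp:
        far = max(range(len(vectors)), key=dist.__getitem__)
        protos.append(vectors[far])
        dist = [min(d, euclidean(v, vectors[far])) for d, v in zip(dist, vectors)]
    return protos


def cluster_prototypes(protos, dc):
    """Complete-linkage agglomerative clustering of prototypes.

    Repeatedly merge the two clusters whose farthest pair of members is closest,
    and stop as soon as that farthest-pair distance would exceed dc.
    """
    clusters = [[p] for p in protos]
    while len(clusters) > 1:
        best = None
        for i in range(len(clusters)):
            for j in range(i + 1, len(clusters)):
                d = max(euclidean(a, b) for a in clusters[i] for b in clusters[j])
                if best is None or d < best[0]:
                    best = (d, i, j)
        if best[0] > dc:
            break
        _, i, j = best
        clusters[i].extend(clusters.pop(j))  # j > i, so index i stays valid
    return clusters


def classify(vector, clusters, dr):
    """Nearest-prototype classification with rejection.

    Returns the index of the cluster holding the nearest prototype, or None
    when that prototype is farther than dr (the behavior is treated as unknown).
    """
    best = min(((euclidean(vector, p), cid)
                for cid, members in enumerate(clusters) for p in members),
               default=None)
    if best is None or best[0] > dr:
        return None
    return best[1]


def incremental_round(clusters, new_vectors, dp, dc, dr):
    """One round of incremental analysis.

    New reports are classified against the known clusters; those rejected as
    unknown are clustered among themselves and the resulting clusters are
    appended, so the next round recognizes that behavior.
    """
    labels = [classify(v, clusters, dr) for v in new_vectors]
    unknown = [v for v, label in zip(new_vectors, labels) if label is None]
    new_clusters = cluster_prototypes(extract_prototypes(unknown, dp), dc)
    return labels, clusters + new_clusters


if __name__ == "__main__":
    protos = extract_prototypes(REPORTS, dp=0.5)
    clusters = cluster_prototypes(protos, dc=2.0)
    print("prototypes:", protos)
    print("clusters:", clusters)
    labels, clusters = incremental_round(
        clusters, [(0.05, 0.05), (20.0, 20.0), (20.1, 20.0)], 0.5, 2.0, 1.0)
    print("labels:", labels, "-> clusters after round:", len(clusters))
```

With dp = 0.5 the seven constructed reports reduce to three prototypes, one per group; dc = 2.0 keeps the three groups apart while dc = 20.0 would merge them all, which is the kind of trade-off the dc evaluation slide explores. In the incremental round the two reports near (20, 20) are rejected under dr = 1.0, form a fourth cluster, and are recognized from then on.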
Experiments & Application
• Evaluation Data
• Three parameters to decide
• Evaluation of Components
• How to select the best parameters dp, dc, dr
Evaluation Data
• A reference data set
• Evaluate and calibrate the framework
• An application data set
• See the performance on unknown malware
Reference Data Set
Application Data Set
Evaluation of Components
• Precision and recall
Evaluation of Components
• F-measure
Evaluation of Components: dp
Evaluation of Components: dc
Evaluation of Components: dr
Comparative Evaluation with State-of-the-Art
An Application Scenario