Malware Clustering and Detection
C.K. Chen @ DSNSLab, NCTU
2014.05.20
Outline
•  Introduction
•  Current state of AV classification
•  Automatic malware clustering
•  Malware detection
   –  Anomaly detection
   –  Specific-purpose detection
   –  General-purpose detection

Note: some parts of these slides have been removed because the research is still in progress.
INTRODUCTION

Why Malware Clustering
•  Large amount of malware
   (figure: VirusTotal statistics, 2014.05.15)

Why Malware Clustering
•  Recognize and filter known malware, so analysts can focus on new ones
•  Track a malware family and its evolution
•  Develop a remedy mechanism for a certain type
•  Help to construct malware models/signatures

Malware Taxonomy
•  Target system
   –  WIN32, LINUX, ANDROID, …
•  Propagation method
   –  Worm, virus, email, USB, exploit, …
•  Protection method
   –  Packed, rootkit
•  Malicious function
   –  Trojan, backdoor, DoS, …
CURRENT STATE OF AV CLASSIFICATION

How AV Classifies Malware
•  Signature-based methods are still used by most vendors
•  Labels given to the same three samples by different vendors ("-" = not detected):

Vendor      | Sample 1                        | Sample 2                         | Sample 3
------------+---------------------------------+----------------------------------+------------------------
AntiVir     | TR/Spy.16896.281                | TR/Dldr.Agent.hboro              | -
ClamAV      | WIN.Trojan.Agent-131            | -                                | -
ESET-NOD32  | Win32/Poison.NHM                | Win32/TrojanDownloader.Nymaim.AB | BAT/KillProc.L
F-Secure    | Gen:Trojan.Heur.FU.bqW@a4uT4@bb | Trojan.GenericKDZ.24494          | Trojan.Generic.11056070
Kaspersky   | Trojan.Win32.Agent.tkql         | HEUR:Trojan.Win32.Generic        | Trojan.BAT.KillFiles.pv
McAfee      | Generic pws.y!1ij               | Dowloader-FEX                    | RDN/Generic Del.x!br
Microsoft   | Backdoor:Win32/Poison.E         | VirTool:Win32/CeeInject.gen!KK   | -
Symantec    | Trojan.Dropper                  | Trojan.Nymaim.B                  | Trojan.ADH
TrendMicro  | BKDR_POISON.BLW                 | TSPY_ZBOT.ADJU                   | TROJ_SPNV.03D214
Malware Naming Rules
•  <Malware Prefix>.<Malware Name>.<Malware Postfix>
   –  ClamAV: WIN.Trojan.Agent-131
   –  Kaspersky: Trojan.Win32.Agent.tkql
   –  The malware prefix represents the malware's platform or the malware's functionality
•  "Heur" means a heuristic detection: the label comes from a heuristic rule rather than a family signature (e.g. HEUR:Trojan.Win32.Generic above)
Kaspersky
•  Classifies malware items according to their activity on users' computers (figure: Kaspersky classification diagram, not reproduced)
   –  The types with the least threat are shown in the lower area
   –  The types with the greater threat are displayed in the upper area
•  Multiple-function malware
   –  The behaviors that pose a higher risk outrank those that represent a lower risk, so a sample is classified by its most dangerous behavior
Trend Micro
Prefix       Description
ADW          Adware
ATVX         ActiveX malicious code
BAT          Batch file virus
BHO          Browser Helper Object - a non-destructive toolbar application
BKDR         Backdoor virus
CHM          Compiled HTML file found on malicious Web sites
COOKIE       Cookie used to track a user's Web habits for the purpose of data mining
DOS, DDOS    Virus that prevents a user from accessing security and antivirus company Web sites
ELF          Executable and Link Format viruses
EXPL         Exploit that does not fit other categories
GENERIC      Memory-resident boot virus
HTML         HTML virus
IRC          Internet Relay Chat malware
JAVA         Java malicious code
JS           JavaScript virus
PE           File infector
PERL         Malware, such as a file infector, created in Perl
RAP          Remote access program
REG          Threat that modifies the system registry
RTKT         Rootkit programs
SPYW         Spyware/Grayware
TSPY         Trojan spyware (e.g. TSPY_ZBOT in the table above)
TROJ         Trojan
VBS          VBScript virus
WORM         Worm
W2KM, W97M, X97M, P97M, A97M, O97M, WM, XF, XM, V5M, X2KM
             Macro virus
Our Naming Suggestion
•  Describe the whole life cycle of the malware
•  <Attack Vector>.<Protection>.<Functionality>.<Propagation Method>
   –  Attack vector: how the malware infected the victim
   –  Protection: how the malware protects itself
   –  Functionality: the malicious behavior executed
   –  Propagation method: how the malware attacks other machines
Label Inconsistency
•  Each AV company has its own way of naming malware families
   –  A popular name from underground forums may be adopted by AV vendors, e.g. Zeus, ZeroAccess, …
   –  Smaller and less prominent families are named independently by each AV company
•  Even within the same vendor, different detection mechanisms may give different labels (e.g. a heuristic label and a signature label for the same family)

Problem?
•  Makes sharing between vendors harder
•  Puts a barrier in the way of developing remedy mechanisms
•  Many automatic detection mechanisms need a pre-defined clustering result (labelled ground truth) to train on

Low Detection Rate
•  See the "-" entries in the vendor table above: every one of the three samples is missed by at least one vendor
AUTOMATIC MALWARE CLUSTERING

Malware Clustering
•  Clustering malware that is already known
   –  Reduces signature size
   –  Generates high-quality signatures/models
   –  Groups similar malware
•  Anti-virus vendors cluster malware so that experts can filter out old threats and generate remedies for new threats
   –  Uses information familiar to human beings, e.g. file names, remote addresses, …
•  In our research, we want to construct an automatic detection mechanism
   –  Uses information suitable for machine processing, e.g. instruction traces, system call traces, …

Clustering Procedure
•  Mostly, three steps are involved in clustering malware
   –  Malware analysis
      •  Dynamic, static
   –  Feature extraction
      •  Instruction sequence
      •  Function call sequence
      •  Control flow graph
      •  Data flow graph
      •  Network communication
   –  Clustering algorithms
      •  Hierarchical clustering
      •  K-means
      •  DBSCAN
Android Malware Clustering
•  Aim to group similar Android malware
   –  Static and internal information are used
•  Also try to detect Android malware using these groups

(figure: pipeline. Feature extraction: samples → N-gram / feature hash → feature vector. Model construction: hierarchical clustering → centroid of each cluster → detection model. Detection: a new sample's feature vector is compared against the detection model.)
N-gram & Feature Hash
•  Reverse the APK into Java bytecode, e.g.:

.method public testMethod(II)I
    iload_1
    iload_2
    iadd
    istore_3
    iload_3
    iconst_1
    iadd
    ireturn
.end method

•  Slide an N-gram window over the instruction sequence and compute a feature hash of each N-gram; the set of hash buckets that are hit is the sample's feature vector (figure: N-grams mapped to bit positions of the feature hash)
Distance Heuristic
•  With the feature hash, the distance between samples can be computed
   –  D(A,B) = |Intersect(A,B)| / |Union(A,B)|
   –  Note that this value is the Jaccard similarity coefficient (1.0 means identical feature sets); the corresponding Jaccard distance is 1 - D(A,B)
(figure: bit vectors of malware A and malware B with their intersection and union; D(A,B) = 0.33)
Hierarchical Clustering
•  Hierarchical clustering is applied to group similar malware
(figure: dendrogram of samples with merge levels 0.70 and 0.80)
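The three steps above (N-gram feature hashing, the intersection/union similarity, hierarchical clustering with a centroid per cluster) as one added example in Python. This is not code from the slides or from the DSNSLab system; the opcode sequences, app names, bucket count and thresholds are assumptions made for the example, and the clustering is plain single-linkage agglomeration, which is also the pairwise comparison the summary slide calls not scalable.

```python
# Added example (not from the original slides): N-gram feature hashing,
# the slide's intersection/union similarity, and single-linkage
# hierarchical clustering with a per-cluster centroid used for detection.
# The opcode sequences below are constructed; app names are made up.
import hashlib
from itertools import combinations

SAMPLES = {  # constructed "disassemblies": one opcode list per app
    "app_A": "iload_1 iload_2 iadd istore_3 iload_3 iconst_1 iadd ireturn".split(),
    "app_B": "iload_1 iload_2 iadd istore_3 iload_3 iconst_2 iadd ireturn".split(),
    "app_C": "iload_1 iload_2 isub istore_3 iload_3 iconst_1 imul ireturn".split(),
    "app_D": "aload_0 invokevirtual getfield areturn".split(),
}

def ngrams(seq, n=3):
    """Sliding window of n consecutive opcodes."""
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]

def feature_hash(seq, n=3, bits=1 << 24):
    """Hash every N-gram into a fixed-size bucket space; the sample's
    feature vector is the set of buckets that are hit (a sparse bit vector)."""
    buckets = set()
    for g in ngrams(seq, n):
        digest = hashlib.sha1(" ".join(g).encode()).digest()
        buckets.add(int.from_bytes(digest[:4], "big") % bits)
    return frozenset(buckets)

def similarity(a, b):
    """|A ∩ B| / |A ∪ B|, the D(A,B) of the slide (Jaccard coefficient)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)

def cluster(features, threshold):
    """Single-linkage agglomerative clustering: repeatedly merge the two
    clusters whose closest members are most similar, while >= threshold.
    Every pair of samples is compared, hence O(n^2)."""
    clusters = [{name} for name in features]
    while True:
        best = None
        for i, j in combinations(range(len(clusters)), 2):
            sim = max(similarity(features[x], features[y])
                      for x in clusters[i] for y in clusters[j])
            if sim >= threshold and (best is None or sim > best[0]):
                best = (sim, i, j)
        if best is None:
            return [frozenset(c) for c in clusters]
        _, i, j = best
        clusters[i] |= clusters.pop(j)   # j > i, so index i stays valid

def centroid(members, features):
    """Cluster model: buckets present in at least half of the members."""
    counts = {}
    for m in members:
        for b in features[m]:
            counts[b] = counts.get(b, 0) + 1
    return frozenset(b for b, c in counts.items() if 2 * c >= len(members))

def build_model(threshold=0.3, samples=SAMPLES):
    """Cluster the corpus and keep one centroid per cluster as the detection model."""
    feats = {name: feature_hash(seq) for name, seq in samples.items()}
    return {members: centroid(members, feats) for members in cluster(feats, threshold)}

def classify(seq, model, threshold=0.3):
    """Return the cluster whose centroid is most similar to the new sample,
    or None when nothing reaches the threshold (unknown sample)."""
    fv = feature_hash(seq)
    members, cen = max(model.items(), key=lambda kv: similarity(fv, kv[1]))
    return members if similarity(fv, cen) >= threshold else None

if __name__ == "__main__":
    model = build_model()
    for members, cen in model.items():
        print(sorted(members), "centroid buckets:", len(cen))
    print(classify("iload_1 iload_2 iadd istore_3 iload_3 iconst_3 iadd ireturn".split(), model))
```

With 3-grams, app_A and app_B differ in one opcode, so they share 3 of 9 N-grams (D = 0.33, the value on the distance slide) and merge at threshold 0.3, while app_C shares only one N-gram with app_A and joins only at a looser threshold such as 0.05. The centroid keeps buckets seen in at least half the members, which is the "compact model" a client-side detector could ship.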
Summary of Similarity-based Method
•  Our system can cluster similar malware, and a detection mechanism can be constructed from the clusters
•  Pros
   –  Constructs a compact model that can be deployed on the end user's device
•  Cons
   –  Static only: cannot analyze obfuscated apps
   –  Not scalable: pairwise comparison is needed, so the cost grows quadratically with the number of samples
MALWARE DETECTION

Automatic Malware Detection/Classification
•  Detection vs. classification
   –  Detection is also a classification problem, with only two labels (malicious / benign)
•  Malware detection
   –  Signature-based detector
   –  Specific detector
   –  General detector

Multi-Level Detection
(figure: detection pipeline. Samples → signature-based detector, which removes known malware; the remaining unknown malware, mutated malware and benign programs → general detector, which removes mutated malware; the remaining unknown malware and benign programs → specific detector, which catches brand-new malware; the remainder → anomaly detector, which removes benign programs; whatever is left goes to malware clustering and then to an expert.)
Anomaly Detector
•  An anomaly detector is used to filter out benign programs
   –  High false alert rate
•  AccessMiner
   –  "Using System-Centric Models for Malware Protection"
   –  Proposed at CCS'10 by Institut Eurecom

AccessMiner
•  The intuition is that benign programs in general follow certain patterns in the way they use OS resources
•  Malware may not follow these patterns
•  Steps of AccessMiner
   –  Collect the system calls used by normal benign programs
   –  Employ N-grams to turn each trace into a vector
   –  Compute the pairwise distance between benign programs
Steps of AccessMiner
(figure: system-call traces labelled "Normal Benign Program" and "Malicious", with Distance = 0.33 between two of them)
  ReadFile  WriteFile  Close  SendPkt
  ReadFile  WriteFile  Close  ReadFile
  ReadFile  WriteFile  Close  WriteFile  Close  SendPkt
  ReadFile  WriteFile  Close  WriteFile  Close  ReadFile
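The anomaly-detector steps as an added example in Python: a model of benign system-call usage built from N-gram sets, pairwise similarity between benign programs, and a check that flags a trace that resembles no benign program. This is not AccessMiner's code and not from the slides; the traces are the four from the figure plus constructed ones, the program names, the 3-gram size and the 0.3 threshold are assumptions. With 3-grams the two four-call traces share one of three N-grams, which reproduces the 0.33 in the figure. The last case in the test shows the failure mode the slide warns about: a benign program that was not in the training set is flagged too.

```python
# Added example (not from the slides or the AccessMiner paper): an N-gram
# system-call model of benign programs, used the way the anomaly-detector
# slides describe. Traces are constructed; program names are made up.

BENIGN_TRACES = {
    "editor": "ReadFile WriteFile Close SendPkt".split(),
    "viewer": "ReadFile WriteFile Close ReadFile".split(),
    "backup": "ReadFile WriteFile Close WriteFile Close SendPkt".split(),
    "sync":   "ReadFile WriteFile Close WriteFile Close ReadFile".split(),
}

def ngram_set(trace, n=3):
    """The set of N-grams in a system-call trace (the 'vector' of the slide)."""
    return {tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)}

def similarity(a, b):
    """|A ∩ B| / |A ∪ B| over N-gram sets."""
    return len(a & b) / len(a | b) if (a or b) else 1.0

def pairwise(traces, n=3):
    """Pairwise similarity between benign programs (the slide's last step)."""
    names = sorted(traces)
    return {(a, b): round(similarity(ngram_set(traces[a], n), ngram_set(traces[b], n)), 2)
            for a in names for b in names if a < b}

class BenignModel:
    """Model of how benign programs use the OS: one N-gram set per program."""

    def __init__(self, traces, n=3):
        self.n = n
        self.programs = {name: ngram_set(t, n) for name, t in traces.items()}
        self.seen = set().union(*self.programs.values())

    def nearest(self, trace):
        """Closest benign program and its similarity to the trace."""
        g = ngram_set(trace, self.n)
        return max(((p, similarity(g, s)) for p, s in self.programs.items()),
                   key=lambda item: item[1])

    def unseen_fraction(self, trace):
        """Share of the trace's N-grams that no benign program ever produced."""
        g = ngram_set(trace, self.n)
        return len(g - self.seen) / len(g) if g else 0.0

    def is_anomalous(self, trace, min_similarity=0.3):
        """Flag a trace that resembles no benign program closely enough.
        A benign program missing from the training set is flagged as well:
        that is the high false-alert rate the slide mentions."""
        return self.nearest(trace)[1] < min_similarity

if __name__ == "__main__":
    model = BenignModel(BENIGN_TRACES)
    print(pairwise(BENIGN_TRACES))
    print(model.nearest("ReadFile SendPkt SendPkt SendPkt CreateProc SendPkt".split()))
```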
Specific Purpose Detection
•  Detects some specific malicious features of malware
•  Most specific-purpose detection systems have a low false positive rate
•  Possible to identify new threats
•  Limited to a narrow scope
   –  Some behavior is only suspicious, not exactly malicious, e.g.:
      •  Registering as a boot service
      •  Receiving a command and executing it
Forenser
•  Forenser
   –  Detects shellcode embedded in document files
   –  Decodes each part of the document as x86 code
   –  If there is a high degree of data dependency in the decoded result, shellcode may exist (random data rarely decodes into instructions that consume each other's results)

Example of decoded instructions with a data dependency (eax is written, then used):
    mov  eax, ebx
    push eax
    call func
    …
Stealthy Rootkit Detection
•  Compare information seen inside the guest system with information seen from the VMM (cross-view detection)

Kernel Mode Rootkit Detection
•  Check whether user code runs in kernel mode
•  Dynamic Information Flow Tracking (taint tracking)
•  Track whether any kernel memory becomes tainted
•  Detected 642 kernel-mode rootkits among 14894 samples

Taint propagation example (O = tainted, X = untainted):
  stmt          A   B   C
  A = <input>   O   X   X
  C = B         O   X   X
  C = A         O   X   O
  B = C         O   O   O
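An added example, not from the slides, of the taint-propagation rule in the table above and of the detection question that follows it ("is any kernel memory tainted?"). It is a toy over named variables: real DIFT propagates taint per instruction through registers and memory bytes, and the statement syntax, the `<input>` source and the kernel variable name `K_sysent` are assumptions for the example.

```python
# Added example (not from the slides): a minimal dynamic taint tracker over
# simple assignment statements, reproducing the propagation table and then
# applying the slide's rule "is any kernel memory tainted?". The statement
# syntax and the kernel variable names are assumptions made here; real DIFT
# taints memory bytes and registers per instruction, not variable names.

TAINT_SOURCES = {"<input>"}   # values under the attacker's control

def _operands(expr):
    """Operand names of a right-hand side such as 'A + 1' or 'B'."""
    for op in "+-*":
        expr = expr.replace(op, " ")
    return expr.split()

def run_taint(program, sources=TAINT_SOURCES):
    """Execute 'dst = expr' statements for their taint effect only.
    Returns [(stmt, frozenset of tainted variables after it), ...]."""
    tainted = set()
    history = []
    for stmt in program:
        dst, expr = (s.strip() for s in stmt.split("=", 1))
        if any(op in sources or op in tainted for op in _operands(expr)):
            tainted.add(dst)        # taint propagates through the assignment
        else:
            tainted.discard(dst)    # overwritten with clean data: taint cleared
        history.append((stmt, frozenset(tainted)))
    return history

def kernel_memory_tainted(program, kernel_vars):
    """The slide's detection rule: did attacker-controlled data ever reach
    a location that belongs to the kernel?"""
    return any(tainted & kernel_vars for _, tainted in run_taint(program))

# The table from the slide as a program
PROGRAM = ["A = <input>", "C = B", "C = A", "B = C"]

# Constructed rootkit-like flow: user input ends up in a kernel structure
ROOTKIT_LIKE = ["A = <input>", "K_sysent = A + 8"]
KERNEL_VARS = {"K_sysent"}

if __name__ == "__main__":
    for stmt, tainted in run_taint(PROGRAM):
        print(f"{stmt:12} tainted={sorted(tainted)}")
    print(kernel_memory_tainted(ROOTKIT_LIKE, KERNEL_VARS))
```

Running the slide's four statements gives the four rows of the table; the `C = B` row shows that copying an untainted value does not clear anything that was not already clean, and the `A = 0` case in the test shows the other direction, an overwrite with clean data removing taint.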
Malware Recognition based on in-Kernel function Invocation Pattern (MrKIP)
•  MrKIP's goal is to detect and classify rootkits
•  With the help of in-kernel function hooking, the invocation sequence can be recorded
•  Construct the malware model as a state machine

(figure: pipeline. Feature extraction: samples → runtime in-kernel call sequence → state transition table → feature vector. Model construction: HMM → detection model. Detection: a new sample is scored against the detection model.)
Behavior to State
•  First, MrKIP records the runtime in-kernel function calls
•  Similar behaviors are clustered into one state by HLC
   –  Same function, different arguments
   –  A different heuristic function is used for each type of call
(figure: two samples mapped onto the same states)
  malware A:  OverWriteFile(mc11.bat) → State 1;  SetReg(SERVICES\GRANDE48, 00010000) → State 2
  malware B:  OverWriteFile(esc.bat)  → State 1;  SetReg(SERVICES\MSOFT98, 00010000)  → State 2
Hidden Markov Model
•  A Hidden Markov Model is constructed to recognize samples
(figure: state graph built from the in-kernel call sequences of malware A and malware B, with edges labelled by transition probabilities between 0.05 and 1.0; the calls shown are)
  CreateFile  C:\WINDOWS\system32
  SetReg      <SERVICES>\DOCKER19  ErrorControl = 00010000
  SetReg      <SERVICES>\DOCKER19  Start = 00020000
  SetReg      <SERVICES>\DOCKER19  Type = 00010000
  SetReg      <SERVICES>\DOCKER19  ImagePath = C:\WINDOWS\system32\drivers\docker19.sys
  DelFile     <system32>\KERNEL32.PDB\SYMBOLS\DLL\KERNEL32.PDB
  SendPkt     …trojansss\x0afreehostia\x03com… (DNS-style length-prefixed labels)
  CreateProc  pinch_2.99.exe
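The two MrKIP steps above, mapping raw calls to behavior states and learning a state-transition table from the mapped sequences, as an added example in Python. This is not MrKIP's code: where the slides use an HMM, this block keeps the states observed and learns a first-order Markov transition table, so it covers the "state transition table" box of the pipeline and not the hidden-state model. The mapping rules in `to_state`, the training sequences (modelled on the calls shown in the slides, with the `SendPkt` argument abbreviated), the smoothing constant and the scoring threshold are assumptions for the example.

```python
# Added example (not MrKIP's own code): the "behaviour to state" mapping and
# the state-transition table from the MrKIP pipeline, as a first-order Markov
# model over the mapped states. MrKIP uses an HMM; here states are directly
# observed, so this is the transition-table part only. The mapping rules, the
# training sequences and the scoring threshold are assumptions for the example.
import math

def to_state(call):
    """Collapse 'same function, different argument' calls into one state."""
    name, _, arg = call.partition("(")
    arg = arg.rstrip(")").replace("<", "").replace(">", "")
    if name == "OverWriteFile" and arg.lower().endswith(".bat"):
        return "OverWriteFile(*.bat)"
    if name == "SetReg" and arg.upper().startswith("SERVICES"):
        return "SetReg(SERVICES\\*)"          # service registration, any service name
    if name == "CreateFile" and "system32" in arg.lower():
        return "CreateFile(system32\\*)"
    return name                               # heuristic for other calls: name only

class TransitionModel:
    """State-transition table learned from a family's call sequences."""

    def __init__(self, sequences, alpha=0.1):
        self.alpha = alpha
        self.counts = {}
        self.states = {"<start>"}
        for seq in sequences:
            states = ["<start>"] + [to_state(c) for c in seq]
            self.states.update(states)
            for a, b in zip(states, states[1:]):
                row = self.counts.setdefault(a, {})
                row[b] = row.get(b, 0) + 1

    def prob(self, a, b):
        """Smoothed P(next = b | current = a); unseen transitions keep alpha mass."""
        row = self.counts.get(a, {})
        return (row.get(b, 0) + self.alpha) / (sum(row.values()) + self.alpha * len(self.states))

    def score(self, seq):
        """Mean log-probability per transition; higher means more family-like."""
        states = ["<start>"] + [to_state(c) for c in seq]
        return sum(math.log(self.prob(a, b)) for a, b in zip(states, states[1:])) / (len(states) - 1)

    def matches(self, seq, threshold=-1.0):
        return self.score(seq) >= threshold

# Constructed training sequences, modelled on the calls shown in the slides
TRAINING = [
    ["OverWriteFile(mc11.bat)", "SetReg(SERVICES\\GRANDE48, 00010000)"],
    ["OverWriteFile(esc.bat)", "SetReg(SERVICES\\MSOFT98, 00010000)"],
    ["CreateFile(C:\\WINDOWS\\system32)",
     "SetReg(<SERVICES>\\DOCKER19 ErrorControl=00010000)",
     "SetReg(<SERVICES>\\DOCKER19 Start=00020000)",
     "SetReg(<SERVICES>\\DOCKER19 Type=00010000)",
     "SetReg(<SERVICES>\\DOCKER19 ImagePath=C:\\WINDOWS\\system32\\drivers\\docker19.sys)",
     "DelFile(<system32>\\KERNEL32.PDB)", "SendPkt(dns query)", "CreateProc(pinch_2.99.exe)"],
]
MUTATED = ["OverWriteFile(run.bat)", "SetReg(SERVICES\\FOO, 00010000)"]   # new names, same states
BENIGN = ["CreateFile(C:\\Users\\me\\notes.txt)", "WriteFile(C:\\Users\\me\\notes.txt)", "Close()"]

if __name__ == "__main__":
    model = TransitionModel(TRAINING)
    print(round(model.score(MUTATED), 2), round(model.score(BENIGN), 2))
```

The mutated sample uses file and service names never seen in training, yet it maps onto the same State 1 → State 2 path as malware A and B and scores close to them, which is the point of collapsing arguments into states; the benign sequence walks transitions the table has never seen and scores far lower.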
Conclusion
•  There are many different ways to cluster malware
•  How antivirus classification works today
   –  Label inconsistency
   –  Low detection rate
•  An automatic malware clustering system
•  Different types of detection mechanism
   –  Signature-based detector
   –  Anomaly detector
   –  Specific-purpose detector
   –  General-purpose detector

Q&A
 
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Bookingdharasingh5698
 
Intro To Electric Vehicles PDF Notes.pdf
Intro To Electric Vehicles PDF Notes.pdfIntro To Electric Vehicles PDF Notes.pdf
Intro To Electric Vehicles PDF Notes.pdfrs7054576148
 
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night StandCall Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Standamitlee9823
 

Recently uploaded (20)

Unit 1 - Soil Classification and Compaction.pdf
Unit 1 - Soil Classification and Compaction.pdfUnit 1 - Soil Classification and Compaction.pdf
Unit 1 - Soil Classification and Compaction.pdf
 
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
 
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park  6297143586 Call Hot Ind...Booking open Available Pune Call Girls Koregaon Park  6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
 
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
 
Thermal Engineering Unit - I & II . ppt
Thermal Engineering  Unit - I & II . pptThermal Engineering  Unit - I & II . ppt
Thermal Engineering Unit - I & II . ppt
 
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
 
Bhosari ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For ...
Bhosari ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready For ...Bhosari ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready For ...
Bhosari ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For ...
 
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghly
 
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
 
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon  6297143586 Call Hot Indian Gi...Booking open Available Pune Call Girls Pargaon  6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
 
Thermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.pptThermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.ppt
 
Double rodded leveling 1 pdf activity 01
Double rodded leveling 1 pdf activity 01Double rodded leveling 1 pdf activity 01
Double rodded leveling 1 pdf activity 01
 
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordCCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
 
Online banking management system project.pdf
Online banking management system project.pdfOnline banking management system project.pdf
Online banking management system project.pdf
 
Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar ≼🔝 Delhi door step de...
Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar  ≼🔝 Delhi door step de...Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar  ≼🔝 Delhi door step de...
Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar ≼🔝 Delhi door step de...
 
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
 
Intro To Electric Vehicles PDF Notes.pdf
Intro To Electric Vehicles PDF Notes.pdfIntro To Electric Vehicles PDF Notes.pdf
Intro To Electric Vehicles PDF Notes.pdf
 
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night StandCall Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
 
Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024
 

Malware classification and detection

1. Malware Clustering and Detection
C.K.Chen @ DSNSLab, NCTU
2014.05.20

2. Outline
•  Introduction
•  Current state of AV classification
•  Automatic Malware Clustering
•  Malware Detection
•  Anomaly Detection
•  Specific Purpose Detection
•  General Purpose Detection
Note: some parts of these slides are removed because the research is still in progress.

4. Why Malware Clustering
•  Large amount of malware (VirusTotal statistics, 2014.5.15)

5. Why Malware Clustering
•  Recognize and filter known malware, so analysts can focus on new ones
•  Track a malware family and its evolution
•  Develop remedy mechanisms for a certain type
•  Help to construct malware models/signatures

6. Malware Taxonomy
•  Target System
  – WIN32, LINUX, ANDROID, …
•  Propagation Method
  – Worm, Virus, Email, USB, Exploit, …
•  Protection Method
  – Packed, Rootkit
•  Malicious Function
  – Trojan, Backdoor, DoS, …

7. CURRENT STATE OF AV CLASSIFICATION

8. How AV Classify Malware
•  Signature-based methods are still used by most vendors
Vendor | Sample 1 | Sample 2 | Sample 3
AntiVir | TR/Spy.16896.281 | TR/Dldr.Agent.hboro | -
ClamAV | WIN.Trojan.Agent-131 | - | -
ESET-NOD32 | Win32/Poison.NHM | Win32/TrojanDownloader.Nymaim.AB | BAT/KillProc.L
F-Secure | Gen:Trojan.Heur.FU.bqW@a4uT4@bb | Trojan.GenericKDZ.24494 | Trojan.Generic.11056070
Kaspersky | Trojan.Win32.Agent.tkql | HEUR:Trojan.Win32.Generic | Trojan.BAT.KillFiles.pv
McAfee | Generic pws.y!1ij | Dowloader-FEX | RDN/Generic Del.x!br
Microsoft | Backdoor:Win32/Poison.E | VirTool:Win32/CeeInject.gen!KK | -
Symantec | Trojan.Dropper | Trojan.Nymaim.B | Trojan.ADH
TrendMicro | BKDR_POISON.BLW | TSPY_ZBOT.ADJU | TROJ_SPNV.03D214

9. Malware Naming Rules
•  <Malware Prefix>.<Malware Name>.<Malware Postfix>
  – ClamAV: WIN.Trojan.Agent-131
  – Kaspersky: Trojan.Win32.Agent.tkql
  – The malware prefix represents the malware's platform or the malware's functionality
•  "Heur" means heuristic detection

10. Kaspersky
•  Classifies malware items according to their activity on users' computers
  – The types with the least threat are shown in the lower area
  – The types with greater threat are displayed in the upper area
•  Multiple-function malware
  – The behaviors that pose a higher risk outrank those behaviors that represent a lower risk

11. Trend Micro
Prefix | Description
ADW | Adware
ATVX | ActiveX malicious code
BAT | Batch file virus
BHO | Browser Helper Object - a non-destructive toolbar application
BKDR | Backdoor virus
CHM | Compiled HTML file found on malicious Web sites
COOKIE | Cookie used to track a user's Web habits for the purpose of data mining
DOS, DDOS | Virus that prevents a user from accessing security and antivirus company Web sites
ELF | Executable and Link format viruses
EXPL | Exploit that does not fit other categories
GENERIC | Memory-resident boot virus
HTML | HTML virus
IRC | Internet Relay Chat malware
JAVA | Java malicious code
JS | JavaScript virus
PE | File infector
PERL | Malware, such as a file infector, created in PERL
RAP | Remote access program
REG | Threat that modifies the system registry
RTKT | Rootkit programs
SPYW | Spyware/Grayware
TSPY | Malicious malware
TROJ | Trojan
VBS | VBScript virus
WORM | Worm
W2KM, W97M, X97M, P97M, A97M, O97M, WM, XF, XM, V5M, X2KM, X97M | Macro virus

12. Our Naming Suggestion
•  Describe the whole life cycle of the malware
•  <Attack Vector>.<Protection>.<Functionality>.<Propagation Method>
  – Attack Vector: how the malware infected the victim
  – Protection: how the malware protects itself
  – Functionality: the malicious behavior executed
  – Propagation Method: how the malware attacks other machines

13. Label Inconsistency
•  Each AV company has its own way of naming malware families
  – Popular names from underground forums may be used by AV vendors, e.g. Zeus, ZeroAccess, …
  – Smaller and less prominent families are named independently by each AV company
•  Even within the same vendor, different detection mechanisms may give different labels

14. Problem?
•  Makes sharing between vendors harder
•  Puts a barrier in the way of developing remedy mechanisms
•  Many automatic detection mechanisms need a predefined clustering result

17. Malware Clustering
•  Clustering malware that is already known
  – Reduce signature size
  – Generate high-quality signatures/models
  – Group similar malware
•  Anti-virus vendors cluster malware so that experts can filter out old threats and generate remedies for new threats
  – Information familiar to human beings, e.g. file name, remote address, …
•  In our research, we want to construct an automatic detection mechanism
  – Information suitable for machine processing, e.g. instruction trace, system call trace, …

18. Clustering Procedure
•  Mostly, three steps are involved in clustering malware
  – Malware Analysis
    •  Dynamic, Static
  – Feature Extraction
    •  Instruction Sequence
    •  Function Call Sequence
    •  Control Flow Graph
    •  Data Flow Graph
    •  Network Communication
  – Clustering Algorithms
    •  Hierarchical Clustering
    •  K-means
    •  DBSCAN

19. Android Malware Clustering
•  Aim to group similar Android malware
  – Static and internal information are used
•  Also try to detect Android malware in these groups
(Figure: Samples → Feature Extraction (N-gram / Feature Hash → Feature Vector) → Model Construction (Hierarchical Clustering → Centroid of Cluster) → Detection Model → Detection)

20. N-gram & Feature Hash
•  Reverse the APK into Java bytecode
•  Separate it into N-gram slices and compute the feature hash
(Figure: the bytecode of a sample method, turned into N-grams and then into a feature hash)
  .method public testMethod(II)I
    iload_1
    iload_2
    iadd
    istore_3
    iload_3
    iconst_1
    iadd
    ireturn
  .end method

21. Distance Heuristic
•  With feature hashes, the distance between samples can be computed
  – D(A,B) = Intersect(A,B) / Union(A,B)
(Figure: bit vectors of malware A and malware B, their Intersect and Union, giving Distance = 0.33)

22. Hierarchical Clustering
•  Hierarchical clustering is applied to group similar malware
(Figure: dendrogram with cut levels 0.70 and 0.80)

23. Summary of Similarity-based Method
•  Our system can cluster similar malware, and it is possible to construct a detection mechanism on top of it
•  Pros
  – Constructs a compact model which can be deployed on the end user's device
•  Cons
  – Static only; cannot analyze obfuscated apps
  – Not scalable; pairwise comparison is needed

25. Automatic Malware Detection/Classification
•  Detection vs. Classification
  – Detection is also a classification problem, with only two labels
•  Malware Detection
  – Signature-based Detector
  – Specific Detector
  – General Detector

26. Multi-Level Detection
(Figure: samples pass through a Signature-Based detector, a General Detector, a Specific Detector and an Anomaly Detector; the stages catch Known Malware, Mutated Malware, Brand-new Malware and Benign Programs respectively. After the signature stage the remaining samples are 1. Unknown Malware, 2. Mutated Malware, 3. Benign Program; after each later stage, 1. Unknown Malware, 2. Benign Program. What remains goes to Malware Clustering and to an Expert.)

27. Anomaly Detector
•  An anomaly detector is used to filter out benign programs
  – High false alert rate
•  AccessMiner
  – Using System-Centric Models for Malware Protection
  – Proposed at CCS '10 by Institute Eurecom

28. AccessMiner
•  The intuition is that benign programs in general follow a certain way of using OS resources
•  Malware may not follow this way
•  Steps of AccessMiner
  – Collect the system calls used by normal benign programs
  – Employ N-grams to turn them into vectors
  – Compute the pair-wise distance between benign programs

29. Steps of AccessMiner
(Figure: four system-call sequences, labelled Normal Benign Program and Malicious, with Distance = 0.33 between the compared pair:
  ReadFile, WriteFile, Close, SendPkt
  ReadFile, WriteFile, Close, ReadFile
  ReadFile, WriteFile, Close, WriteFile, Close, SendPkt
  ReadFile, WriteFile, Close, WriteFile, Close, ReadFile)
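As an added example (not code from the slides), the pipeline of slides 20 to 22 and the AccessMiner check of slides 28 and 29 in one Python block: n-gram feature hashing, the slides' D(A,B) = Intersect(A,B)/Union(A,B), single-linkage hierarchical clustering, and the distance of an unknown system-call trace to the nearest benign one. The opcode streams and traces are constructed; blake2b as the hash function, the 2^20-bucket hash space and the 0.5 merge threshold are my assumptions.

```python
import hashlib
from itertools import combinations

HASH_BITS = 2 ** 20   # feature-hash space; collisions are rare, not impossible

def ngrams(tokens, n=2):
    """Sliding n-gram windows over a token sequence (opcodes or system calls)."""
    return [tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)]

def feature_hash(tokens, n=2):
    """Hash every n-gram into one of HASH_BITS buckets; the sample becomes the
    set of buckets that are 1 (a sparse bit vector, no vocabulary needed)."""
    buckets = set()
    for gram in ngrams(tokens, n):
        digest = hashlib.blake2b(" ".join(gram).encode(), digest_size=8).digest()
        buckets.add(int.from_bytes(digest, "big") % HASH_BITS)
    return frozenset(buckets)

def similarity(a, b):
    """The slides' D(A,B) = Intersect/Union, a Jaccard coefficient: 1.0 for
    identical feature sets, 0.0 for disjoint ones (higher = more similar)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def cluster(samples, threshold):
    """Single-linkage agglomerative clustering over {name: feature set}: keep
    merging the pair of clusters with the highest D while it is >= threshold."""
    clusters = [{name} for name in samples]
    while True:
        best = None
        for i, j in combinations(range(len(clusters)), 2):
            link = max(similarity(samples[x], samples[y])
                       for x in clusters[i] for y in clusters[j])
            if link >= threshold and (best is None or link > best[0]):
                best = (link, i, j)
        if best is None:
            return [frozenset(c) for c in clusters]
        _, i, j = best
        clusters[i] |= clusters.pop(j)

def anomaly_score(unknown, benign):
    """AccessMiner-style check: D to the closest benign trace; a low score means
    the sample uses the OS in a way no benign program in the model did."""
    return max(similarity(unknown, b) for b in benign.values())

# Constructed inputs (not from the slides): opcode streams standing in for the
# Java bytecode of three APKs (A2 is A with one constant changed) and
# system-call traces for the anomaly-detector part.
APK = {
    "A":  ["iload_1", "iload_2", "iadd", "istore_3", "iload_3", "iconst_1", "iadd", "ireturn"],
    "A2": ["iload_1", "iload_2", "iadd", "istore_3", "iload_3", "iconst_2", "iadd", "ireturn"],
    "B":  ["aload_0", "getfield", "astore_1", "aload_1", "invokevirtual", "return"],
}
BENIGN = {
    "editor":  ["OpenFile", "ReadFile", "WriteFile", "CloseFile"],
    "browser": ["OpenFile", "ReadFile", "CloseFile", "SendPkt", "RecvPkt"],
}
UNKNOWN = ["SendPkt", "RecvPkt", "CreateProc", "SetReg", "DelFile"]

def run():
    """APK clusters at D >= 0.5 and the unknown trace's score against BENIGN."""
    groups = cluster({k: feature_hash(v) for k, v in APK.items()}, threshold=0.5)
    score = anomaly_score(feature_hash(UNKNOWN), {k: feature_hash(v) for k, v in BENIGN.items()})
    return groups, score   # -> [{A, A2}, {B}] (A and A2 share 5 of 9 bigrams), score 1/7
```

Because D is a similarity, not a distance, use 1 - D when feeding a library clusterer that expects distances.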
30. Specific Purpose Detection
•  Detect some malicious features of malware
•  Most specific purpose detection systems have a low false positive rate
•  Possible to identify new threats
•  Limited to a narrow scope
  – Some behavior is only suspicious, not exactly malicious
    •  Register as a boot service
    •  Receive a command and execute it

31. Forenser
•  Forenser
  – Detects shellcode embedded in document files
  – Decodes each part of the document as x86 code
  – If there is high data dependency in the decoded result, shellcode may exist
(Figure: a decoded fragment such as mov eax, ebx / push eax / call func / …)

32. Stealthy Rootkit Detection
•  Compare information between the guest system and the VMM

33. Kernel Mode Rootkit Detection
•  Check whether user code runs in kernel mode
•  Dynamic Information Flow Tracking (taint)
•  Track whether any kernel memory becomes tainted
•  Detected 642 kernel mode rootkits in 14894 samples
Taint propagation table (O = tainted, X = clean):
stmt        | A | B | C
A = <input> | O | X | X
C = B       | O | X | X
C = A       | O | X | O
B = C       | O | O | O

34. Malware Recognition based on in-Kernel function Invocation Pattern
•  MrKIP's goal is to detect and classify rootkits
•  With the help of in-kernel function hooking, the invocation sequence can be recorded
•  Construct the malware model as a state machine
(Figure: Samples → Feature Extraction (Runtime in-kernel call sequence → Feature Vector) → Model Construction (State Transition Table, HMM) → Detection Model → Detection)

35. Behavior to State
•  First, MrKIP records the runtime in-kernel function calls
•  Similar behaviors are clustered by HLC
  – Same function, different arguments
  – A different heuristic function is used for each type
(Figure: malware A: OverWriteFile(mc11.bat), SetReg(SERVICES\GRANDE48, 00010000); malware B: OverWriteFile(esc.bat), SetReg(SERVICES\MSOFT98, 00010000); the file writes map to State 1 and the registry writes to State 2)

36. Hidden Markov Model
•  A Hidden Markov Model is constructed to recognize samples
(Figure: state machines for malware A and malware B over State 1 and State 2, with transition probabilities 0.33, 1.0, 1.0, 1.0, 0.16, 0.5, 0.05, 0.09, 0.27 and 0.25. Observed calls: CreateFile C:\WINDOWS\system32; SetReg <SERVICES>\DOCKER19 ErrorControl = 00010000; SetReg <SERVICES>\DOCKER19 Start = 00020000; SetReg SERVICES\DOCKER19 Type = 00010000; SetReg <SERVICES>\DOCKER19 ImagePath = C:\WINDOWS\system32\drivers\docker19.sys; DelFile <system32>\KERNEL32.PDB\SYMBOLS\DLL\KERNEL32.PDB; SendPkt (DNS query payload, truncated on the slide); CreateProc pinch_2.99.exe)
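An added Python example (not MrKIP's code) for slides 35 and 36: each in-kernel call is abstracted into a state by a per-type heuristic, one transition model is trained per family, and an unknown trace gets the label of the model that scores it highest. It uses a visible-state transition table with add-one smoothing as a simplification of the HMM on the slides; the heuristic rules, family names and traces are constructed assumptions (service names echo the slides' labels).

```python
import math
from collections import defaultdict

def to_state(func, arg):
    """One abstraction rule per call type (slide 35): the same function with an
    equivalent argument maps to one state, so DOCKER19 and MSOFT98 look alike."""
    if func == "SetReg":                       # keep the value name only
        return (func, arg.rsplit("\\", 1)[-1])
    if func in ("CreateFile", "OverWriteFile", "DelFile", "CreateProc"):
        return (func, arg.rsplit(".", 1)[-1].lower())   # keep the file type only
    return (func,)                             # SendPkt: payload dropped

class TransitionModel:
    """First-order state-transition model (the visible-state part of the HMM
    in the slides): P(next | current) with add-one smoothing, one per family."""
    START = ("<start>",)

    def __init__(self, vocab):
        self.vocab_size = len(set(vocab) | {self.START})
        self.counts = defaultdict(lambda: defaultdict(int))

    def fit(self, traces):
        for trace in traces:
            prev = self.START
            for call in trace:
                cur = to_state(*call)
                self.counts[prev][cur] += 1
                prev = cur
        return self

    def log_prob(self, trace):
        """Log-likelihood of a trace; unseen transitions are unlikely, not impossible."""
        total, prev = 0.0, self.START
        for call in trace:
            cur = to_state(*call)
            row = self.counts.get(prev, {})
            total += math.log((row.get(cur, 0) + 1) / (sum(row.values()) + self.vocab_size))
            prev = cur
        return total

def train(families):
    """One model per family, all sharing the same state vocabulary."""
    vocab = {to_state(*c) for ts in families.values() for t in ts for c in t}
    return {name: TransitionModel(vocab).fit(ts) for name, ts in families.items()}

def classify(trace, models):
    return max(models, key=lambda name: models[name].log_prob(trace))

# Constructed traces (not MrKIP data); service names echo the slides' labels.
SVC = r"SERVICES\%s\%s"
FAMILIES = {
    "rootkit": [
        [("CreateFile", r"C:\WINDOWS\system32\drivers\docker19.sys"), ("SetReg", SVC % ("DOCKER19", "Type")),
         ("SetReg", SVC % ("DOCKER19", "Start")), ("SetReg", SVC % ("DOCKER19", "ImagePath")),
         ("DelFile", r"<system32>\KERNEL32.PDB")],
        [("CreateFile", r"C:\WINDOWS\system32\drivers\grande48.sys"), ("SetReg", SVC % ("GRANDE48", "Type")),
         ("SetReg", SVC % ("GRANDE48", "Start")), ("SetReg", SVC % ("GRANDE48", "ImagePath"))],
    ],
    "downloader": [
        [("SendPkt", "dns:cdn.example"), ("CreateFile", r"C:\tmp\pinch_2.99.exe"), ("CreateProc", r"C:\tmp\pinch_2.99.exe")],
        [("SendPkt", "dns:cdn.example"), ("CreateFile", r"C:\tmp\a.exe"), ("CreateProc", r"C:\tmp\a.exe"), ("SendPkt", "tcp:cdn.example")],
    ],
}
UNKNOWN = [("CreateFile", r"C:\WINDOWS\system32\drivers\msoft98.sys"), ("SetReg", SVC % ("MSOFT98", "Type")),
           ("SetReg", SVC % ("MSOFT98", "Start")), ("SetReg", SVC % ("MSOFT98", "ImagePath"))]
MODELS = train(FAMILIES)   # classify(UNKNOWN, MODELS) -> "rootkit"
```

The unknown trace installs a service under a name never seen in training, yet the rootkit model still wins because the per-type heuristic discards the service name before the transition counts are compared.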
37. Malware Recognition based on in-Kernel function Invocation Pattern
(Figure only)

38. Conclusion
•  There are many different ways to cluster malware
•  How antivirus classification works
  – Labeling inconsistency
  – Low detection rate
•  Automatic malware clustering system
•  Different types of detection mechanisms
  – Signature-based detector
  – Anomaly detector
  – Specific purpose detector
  – General purpose detector

39. Q&A