From the course: Machine Learning for Red Team Hackers by Infosec
Meet a machine learning classifier
(upbeat music) - [Instructor] In this and the next few lessons, we are going to be working with real malware. As a consequence, you should be working in a safe lab environment, such as a VM, and making sure that it is disconnected or secured from the malware spreading. If you're not familiar with the techniques for doing this, please see my course, Cybersecurity Data Science, where I guide you through setting up a safe malware analysis environment.

So once you're in your VM or safe environment, I'm going to introduce you to a machine learning classifier called Ember. And we're now going to walk through the installation instructions together. The first thing I'm going to do is connect my VM to the network. Next, you'll want to have Python 3.6 in particular, or set up a virtual environment with Python 3.6. The packages we're going to be needing are something called LIEF, which we'll discuss in more detail. It's a library for editing and analyzing PE files. And in addition, you'll want to have PyTorch. So while we're installing LIEF, let's also see the instructions for PyTorch.

And what you're going to want to do is go to GitHub and find Ember. So Ember is a machine learning classifier that utilizes gradient boosting for detection. This should be contrasted with other machine learning classifiers that might use neural networks. And in fact, for your assignment, you will create a malware that evades a neural network called MalConv. More details to follow in the video about the assignment. In the meantime, you can read more about this model. To install it, clone the repository. And then we're going to want to follow these instructions here to install Ember. Now there are two more things we'd like to do. First, we want to clone the repository for this course, and that's in order to get the model in a convenient form that we can work with it and see how it's scoring. The other thing we want to do is get some samples.
We're going to go to GitHub and then we're going to get these samples from theZoo. We'll clone these, and let's clone these as well. Now we finally cloned all these repositories. We have theZoo here and we have our model here. So if you look in, you'll see Ember in a zip file, let's unzip that. And this is the actual model. And we have this file here, which is the driver code. Basically it points to the model, and then here it's going to run the model against files in the N directory. So I'm going to make an N directory. I'm going to place some files in there. So let's see how it classifies Jigsaw which is a ransomware. Password is the usual one that you should know. And if I were to set this to be an executable, then it would be fully armed. Place it in here.

So now let's run the model against Jigsaw and see how it performs. So let's simply do python models, and I should get a score for what Ember thinks about Jigsaw. And you can see it gets 0.9999 et cetera score from Jigsaw, which means it is very, very, very, very sure that it is malicious. And the way the classifier is designed in practice is that it will threshold. So if the score exceeds a value, which I will show you in a moment. So if the score exceeds 0.8336, then Ember is going to classify the sample as malicious. And if it's below this value, it'll be classified as benign.

So now that we've got some introduction to Ember and how it works and how it classifies, in the next videos, we are going to learn how to modify our malware so that it remains malicious, but it's not detected by Ember. So I hope you're as excited as I am, and let's get started. (upbeat music)