SlideShare a Scribd company logo

Libor Mořkovský - Recognizing Malware

Machine Learning Prague, profile picture
Machine Learning Prague

This document discusses techniques for recognizing malware files. It describes how each file is represented as a feature vector that captures static and dynamic attributes. A distance function is used to measure the similarity between vectors and identify nearest neighbors for classification. Files are classified using an instance-based classifier and optimized with techniques like a VP-tree and distance-bounded search. Classifications are deployed in a system that collects file fingerprints from users and shares threats and updates between components. A rule generator also aims to detect malware variants by learning rules based on conditions in files.

Technology
1 of 24
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
Recognizing malware Libor Mořkovský
Computer virus bacterial cell based on work by Anderson Brito
Computer virus executable file entry point
Computer virus Inserting code into files is never “good”. executable file entry point
image courtesy of Looking Glass Studios Malware How do you recognize a thief?
image courtesy of Looking Glass Studios Twentieth Century Fox Malware How do you recognize a thief?
Malware How do you recognize a thief? image courtesy of Looking Glass Studios Twentieth Century Fox Paramount Pictures
Malware completely different behaviors are considered “bad” we need a judge to decide who crossed the line • •
Malware | Many faces unlike real thieves, malware can be duplicated not only duplicated, but also modified all this is done by machines too much work to judge each one manually • • • •
Finding similar files oooooooooooo o oo o oo oooo ooooo oooo o oo o oo o ooooooooo o o MDS1 MDS2 class oo oo oo oo CLEAN MALWARE QUERY UNKNOWN
Finding similar files need a file representation need a distance function • •
Finding similar files | File vector each executable file is represented by a feature vector the PE format is complex, so we keep exactly one version of the extractor code (C++) the vector comprises static and dynamic features, the exact content is proprietary • • • Database record • One record = constant vector of over 100 attributes • the “file fingerprint” • Each attribute has a data type and semantic Attribute Data Type Semantic sha256 32 byte array CHECKSUM pe_sect_cnt uint16_t VALUE pe_sect_rawoff_entry uint32_t OFFSET • The complete contents of the vector are kept secret • static and dynamic features of PE executables
Finding similar files | Distance sum of partial distances each distance operator assigned manually weights assigned manually to equalize contribution • • • Nearest neighbor query • Compound distance function • Data type and semantic determine partial dist. func. Data Type Semantic Partial distance function 32 byte array CHECKSUM RETURN_ZERO uint16_t VALUE EQUAL_RET32 uint32_t OFFSET LOG • Each partial distance function = one kernel function • Over 100 kernels for every NN query • Intermediate results kept in the “Scratchpad”
Finding similar files | Data ~60 M data points sparse and well separated (in many cases) • •
Finding similar files | Implementation we started with GPUs their high memory throughput allows “naive” implementation and rapid prototyping column-oriented database • • •
Classification | Requirements find easily what is responsible for a mistake – transparency fix the problem quickly – tractability • •
Classification | Algorithm Instance based classifier.
Classification | Optimizations scaling and HW problems with GPUs we invested in algorithmic optimizations: VP-tree, distance bounded search hand optimized distance function (assembly) CPU version is ~100x faster • • • •
Classification | Deployment → FileSHAandu ser id → ←Fileprevale nce ← ← Fileclass ification ← → Filefinger print → ← Generic detections ← ↑ File classifications and Evo-gen detections → Threats → Set updates ↓ Medusa Scavenger Avast users FileRep
Classification | Deployment → FileSHAandu ser id → ←Fileprevale nce ← ← Fileclass ification ← → Filefinger print → ← Generic detections ← ↑ File classifications and Evo-gen detections → Threats → Set updates ↓ Medusa Scavenger Avast users FileRep
Classification | Deployment → FileSHAandu ser id → ←Fileprevale nce ← ← Fileclass ification ← → Filefinger print → ← Generic detections ← ↑ File classifications and Evo-gen detections → Threats → Set updates ↓ Medusa Scavenger Avast users FileRep
Rule generator detect more variants in the wild (our) rule is a conjunction of several conditions known as Win32:Evo-Gen completely different optimization problem than classification - still uses the GPU • • • •
Libor Mořkovský - Recognizing Malware
Q&A

More Related Content

PDF
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
Sam Bowne
 
PPTX
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...
Sam Bowne
 
PPTX
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Sam Bowne
 
PDF
Is Linux/Moose endangered or extinct?
ESET
 
PDF
Practical Malware Analysis Ch13
Sam Bowne
 
PPTX
Malware analysis
Prakashchand Suthar
 
PDF
CNIT 126: 10: Kernel Debugging with WinDbg
Sam Bowne
 
PDF
CNIT 126 12: Covert Malware Launching
Sam Bowne
 
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
Sam Bowne
 
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...
Sam Bowne
 
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Sam Bowne
 
Is Linux/Moose endangered or extinct?
ESET
 
Practical Malware Analysis Ch13
Sam Bowne
 
Malware analysis
Prakashchand Suthar
 
CNIT 126: 10: Kernel Debugging with WinDbg
Sam Bowne
 
CNIT 126 12: Covert Malware Launching
Sam Bowne
 

What's hot (20)

PDF
CNIT 126 13: Data Encoding
Sam Bowne
 
PDF
Practical Malware Analysis Ch12
Sam Bowne
 
PDF
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Sam Bowne
 
PPTX
Basic Malware Analysis
Albert Hui
 
PPTX
Introduction to Malware Analysis
Andrew McNicol
 
PDF
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
Sam Bowne
 
PDF
Practical Malware Analysis: Ch 8: Debugging
Sam Bowne
 
PDF
CNIT 126: 10: Kernel Debugging with WinDbg
Sam Bowne
 
PDF
CNIT 126 Ch 11: Malware Behavior
Sam Bowne
 
PDF
Awesome Concurrency with Elixir Tasks
Jonathan Magen
 
PDF
CNIT 126 7: Analyzing Malicious Windows Programs
Sam Bowne
 
PDF
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
Sam Bowne
 
PPT
Practical Malware Analysis: Ch 7: Analyzing Malicious Windows Programs
Sam Bowne
 
PPTX
Basic Dynamic Analysis of Malware
Natraj G
 
PDF
9: OllyDbg
Sam Bowne
 
PDF
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
SegInfo
 
PDF
CNIT 126 Ch 9: OllyDbg
Sam Bowne
 
PDF
Practical Malware Analysis: Ch 11: Malware Behavior
Sam Bowne
 
PDF
CNIT 126 Ch 7: Analyzing Malicious Windows Programs
Sam Bowne
 
PPTX
Materials Project Validation, Provenance, and Sandboxes by Dan Gunter
Dan Gunter
 
CNIT 126 13: Data Encoding
Sam Bowne
 
Practical Malware Analysis Ch12
Sam Bowne
 
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Sam Bowne
 
Basic Malware Analysis
Albert Hui
 
Introduction to Malware Analysis
Andrew McNicol
 
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
Sam Bowne
 
Practical Malware Analysis: Ch 8: Debugging
Sam Bowne
 
CNIT 126: 10: Kernel Debugging with WinDbg
Sam Bowne
 
CNIT 126 Ch 11: Malware Behavior
Sam Bowne
 
Awesome Concurrency with Elixir Tasks
Jonathan Magen
 
CNIT 126 7: Analyzing Malicious Windows Programs
Sam Bowne
 
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
Sam Bowne
 
Practical Malware Analysis: Ch 7: Analyzing Malicious Windows Programs
Sam Bowne
 
Basic Dynamic Analysis of Malware
Natraj G
 
9: OllyDbg
Sam Bowne
 
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
SegInfo
 
CNIT 126 Ch 9: OllyDbg
Sam Bowne
 
Practical Malware Analysis: Ch 11: Malware Behavior
Sam Bowne
 
CNIT 126 Ch 7: Analyzing Malicious Windows Programs
Sam Bowne
 
Materials Project Validation, Provenance, and Sandboxes by Dan Gunter
Dan Gunter
 
Ad

Similar to Libor Mořkovský - Recognizing Malware (20)

PDF
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...
Malachi Jones
 
PDF
Inbot10 vxclass
zynamics GmbH
 
PDF
Malware Detection Module using Machine Learning Algorithms to Assist in Centr...
IJNSA Journal
 
PDF
A STATIC MALWARE DETECTION SYSTEM USING DATA MINING METHODS
ijaia
 
PPT
A Fast Flowgraph Based Classification System for Packed and Polymorphic Malwa...
Silvio Cesare
 
PDF
MALWARE DETECTION AND SUPPRESSION USING BLOCKCHAIN TECHNOLOGY
IRJET Journal
 
PDF
stackconf 2021 | Data Driven Security
NETWAYS
 
DOCX
A malware detection method for health sensor data based on machine learning
jaigera
 
PDF
Malware Detection - A Machine Learning Perspective
Chong-Kuan Chen
 
PDF
Malware1
poojamancharkar
 
PPTX
Object Recognition
Eman Abed AlWahhab
 
PDF
A trust system based on multi level virus detection
UltraUploader
 
PDF
INTELLIGENT MALWARE DETECTION USING EXTREME LEARNING MACHINE
IRJET Journal
 
PDF
BlueHat Seattle 2019 || The good, the bad & the ugly of ML based approaches f...
BlueHat Security Conference
 
PPTX
Malware Classification Using Deep Learning
Kourosh Sajjadi
 
PPTX
malware detection ppt for vtu project and other final year project
NaveenAd4
 
PDF
VxClass for Incident Response
zynamics GmbH
 
PDF
Fast Parallel Similarity Calculations with FPGA Hardware
TigerGraph
 
PDF
Near-memory & In-Memory Detection of Fileless Malware
Marcus Botacin
 
PPTX
Team_8_CSM_B_Presentatbbvvvvvvion[1].pptx
PurushottamRajpurohi1
 
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...
Malachi Jones
 
Inbot10 vxclass
zynamics GmbH
 
Malware Detection Module using Machine Learning Algorithms to Assist in Centr...
IJNSA Journal
 
A STATIC MALWARE DETECTION SYSTEM USING DATA MINING METHODS
ijaia
 
A Fast Flowgraph Based Classification System for Packed and Polymorphic Malwa...
Silvio Cesare
 
MALWARE DETECTION AND SUPPRESSION USING BLOCKCHAIN TECHNOLOGY
IRJET Journal
 
stackconf 2021 | Data Driven Security
NETWAYS
 
A malware detection method for health sensor data based on machine learning
jaigera
 
Malware Detection - A Machine Learning Perspective
Chong-Kuan Chen
 
Malware1
poojamancharkar
 
Object Recognition
Eman Abed AlWahhab
 
A trust system based on multi level virus detection
UltraUploader
 
INTELLIGENT MALWARE DETECTION USING EXTREME LEARNING MACHINE
IRJET Journal
 
BlueHat Seattle 2019 || The good, the bad & the ugly of ML based approaches f...
BlueHat Security Conference
 
Malware Classification Using Deep Learning
Kourosh Sajjadi
 
malware detection ppt for vtu project and other final year project
NaveenAd4
 
VxClass for Incident Response
zynamics GmbH
 
Fast Parallel Similarity Calculations with FPGA Hardware
TigerGraph
 
Near-memory & In-Memory Detection of Fileless Malware
Marcus Botacin
 
Team_8_CSM_B_Presentatbbvvvvvvion[1].pptx
PurushottamRajpurohi1
 
Ad

More from Machine Learning Prague (13)

PDF
Vít Listík - Email.cz workshop
Machine Learning Prague
 
PDF
Lukáš Vrábel - Deep Convolutional Neural Networks
Machine Learning Prague
 
PDF
Tomáš Cícha - Machine Learning Solutions at Seznam.cz
Machine Learning Prague
 
PDF
Jan Pospíšil - Azure ML
Machine Learning Prague
 
PPTX
Michael Levin - MatrixNet Applications at Yandex
Machine Learning Prague
 
PDF
Adam Ashenfelter - Finding the Oddballs
Machine Learning Prague
 
PPTX
Chris Brew - TR Discover: A Natural Language Interface for Exploring Linked D...
Machine Learning Prague
 
PPTX
Tomáš Mikolov - Distributed Representations for NLP
Machine Learning Prague
 
PDF
Kateřina Veselovská - ML Approaches to Sentiment Analysis
Machine Learning Prague
 
PPTX
Jiří Materna - Artificial Intelligence in Creative Writing
Machine Learning Prague
 
PPTX
Jan Šedivý - Intelligent Personal Assistants
Machine Learning Prague
 
PPTX
Marek Rosa - Inventing General Artificial Intelligence: A Vision and Methodology
Machine Learning Prague
 
PPTX
Xuedong Huang - Deep Learning and Intelligent Applications
Machine Learning Prague
 
Vít Listík - Email.cz workshop
Machine Learning Prague
 
Lukáš Vrábel - Deep Convolutional Neural Networks
Machine Learning Prague
 
Tomáš Cícha - Machine Learning Solutions at Seznam.cz
Machine Learning Prague
 
Jan Pospíšil - Azure ML
Machine Learning Prague
 
Michael Levin - MatrixNet Applications at Yandex
Machine Learning Prague
 
Adam Ashenfelter - Finding the Oddballs
Machine Learning Prague
 
Chris Brew - TR Discover: A Natural Language Interface for Exploring Linked D...
Machine Learning Prague
 
Tomáš Mikolov - Distributed Representations for NLP
Machine Learning Prague
 
Kateřina Veselovská - ML Approaches to Sentiment Analysis
Machine Learning Prague
 
Jiří Materna - Artificial Intelligence in Creative Writing
Machine Learning Prague
 
Jan Šedivý - Intelligent Personal Assistants
Machine Learning Prague
 
Marek Rosa - Inventing General Artificial Intelligence: A Vision and Methodology
Machine Learning Prague
 
Xuedong Huang - Deep Learning and Intelligent Applications
Machine Learning Prague
 

Recently uploaded (20)

PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
A Presentation on Artificial Intelligence
memembruh336
 
Cloud computing and distributed systems.
kkkkkhan
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Approach and Philosophy of On baking technology
30anthuong17
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 

Libor Mořkovský - Recognizing Malware

  • 2. Computer virus bacterial cell based on work by Anderson Brito
  • 4. Computer virus Inserting code into files is never “good”. executable file entry point
  • 5. image courtesy of Looking Glass Studios Malware How do you recognize a thief?
  • 6. image courtesy of Looking Glass Studios Twentieth Century Fox Malware How do you recognize a thief?
  • 7. Malware How do you recognize a thief? image courtesy of Looking Glass Studios Twentieth Century Fox Paramount Pictures
  • 8. Malware completely different behaviors are considered “bad” we need a judge to decide who crossed the line • •
  • 9. Malware | Many faces unlike real thieves, malware can be duplicated not only duplicated, but also modified all this is done by machines too much work to judge each one manually • • • •
  • 11. Finding similar files need a file representation need a distance function • •
  • 12. Finding similar files | File vector each executable file is represented by a feature vector the PE format is complex, so we keep exactly one version of the extractor code (C++) the vector comprises static and dynamic features, the exact content is proprietary • • • Database record • One record = constant vector of over 100 attributes • the “file fingerprint” • Each attribute has a data type and semantic Attribute Data Type Semantic sha256 32 byte array CHECKSUM pe_sect_cnt uint16_t VALUE pe_sect_rawoff_entry uint32_t OFFSET • The complete contents of the vector are kept secret • static and dynamic features of PE executables
  • 13. Finding similar files | Distance sum of partial distances each distance operator assigned manually weights assigned manually to equalize contribution • • • Nearest neighbor query • Compound distance function • Data type and semantic determine partial dist. func. Data Type Semantic Partial distance function 32 byte array CHECKSUM RETURN_ZERO uint16_t VALUE EQUAL_RET32 uint32_t OFFSET LOG • Each partial distance function = one kernel function • Over 100 kernels for every NN query • Intermediate results kept in the “Scratchpad”
  • 14. Finding similar files | Data ~60 M data points sparse and well separated (in many cases) • •
  • 15. Finding similar files | Implementation we started with GPUs their high memory throughput allows “naive” implementation and rapid prototyping column-oriented database • • •
  • 16. Classification | Requirements find easily what is responsible for a mistake – transparency fix the problem quickly – tractability • •
  • 18. Classification | Optimizations scaling and HW problems with GPUs we invested in algorithmic optimizations: VP-tree, distance bounded search hand optimized distance function (assembly) CPU version is ~100x faster • • • •
  • 19. Classification | Deployment → FileSHAandu ser id → ←Fileprevale nce ← ← Fileclass ification ← → Filefinger print → ← Generic detections ← ↑ File classifications and Evo-gen detections → Threats → Set updates ↓ Medusa Scavenger Avast users FileRep
  • 20. Classification | Deployment → FileSHAandu ser id → ←Fileprevale nce ← ← Fileclass ification ← → Filefinger print → ← Generic detections ← ↑ File classifications and Evo-gen detections → Threats → Set updates ↓ Medusa Scavenger Avast users FileRep
  • 21. Classification | Deployment → FileSHAandu ser id → ←Fileprevale nce ← ← Fileclass ification ← → Filefinger print → ← Generic detections ← ↑ File classifications and Evo-gen detections → Threats → Set updates ↓ Medusa Scavenger Avast users FileRep
  • 22. Rule generator detect more variants in the wild (our) rule is a conjunction of several conditions known as Win32:Evo-Gen completely different optimization problem than classification - still uses the GPU • • • •
  • 24. Q&A