Fighting advanced malware using machine learning (English)


Published on

In this paper, behavioral-based detection powered by machine learning is introduced. As the result, detection ratio is dramatically improved by comparison with traditional detection.
Needless to say that malware detection is getting harder today. Everybody knows signature-based detection reaches its limit, so that most anti-virus vendors use heuristic, behavioral and reputation-based detections altogether. About targeted attack, basically attackers use undetectable malware, so that reputation-based detection doesn't work well because it needs other victims beforehand. And it is a fact that detection ratio is not enough though we use heuristic and behavioral-based detections. In our research using the Metascan, average detection ratio of newest malware by most anti-virus scanner is about 30 %( the best is about 60 %).
By the way, heuristic and behavioral-based detections are developed by knowledge and experience of malware analyst. For example, most analysts know that following features are indicator that those programs are malicious.
- A file imports VirtualAlloc, VirtualProtect and LoadLibrary only and has a strange section name
- An entry point that does not fall within declared text or code section
- Creating remote threads into a legitimate process like explore.exe
- After unpacking, calling OpenMutex and CreateMutex to avoid multiple infections
- Register itself to auto start extension points like services and registry
- Creating a .bat file and try to delete own itself through executing the file with cmd.exe
- Setting global hook to capture keystroke using SetWindowsHookEx
Heuristic and behavioral-based detections are developed based on those pre-determined features like above. Analysts are finding those features day by day. But, this kind of work is not appropriate for human. Therefore we classified programs as malware or benign by machine learning through dynamic analysis results. Thereby, detection ratio is dramatically improved and we could recognize that which features are strongly related to malware by numeric score. And then, we could find the features which we’ve never found by this method. Finally, the outlook and challenges of this method will be tackled.

Published in: Technology, Education
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Fighting advanced malware using machine learning (English)

  1. 1. FFRI, Inc. @PacSec 2013 Fighting advanced malware using machine learning Fourteenforty Research Institute, Inc. Junichi Murakami Director of Advanced Development FFRI, Inc.
  2. 2. FFRI, Inc. Who am I ? • Security Researcher at FFRI, Inc – Malware and vulnerabilities analysis with RCE – Both Windows and Linux kernel development • Speaker at – BlackHat USA/JP, RSA, PacSec, AVAR, etc. • *NOT* a MS/PhD degree in CS/Math – Just a user of machine learning 2
  3. 3. FFRI, Inc. The Data Science Venn Diagram (in security) 3
  4. 4. FFRI, Inc. I am, and this talk is 4
  5. 5. FFRI, Inc. Agenda • Background • Our approach • Future works – Computers vs. Man – Applying to real time protection • Conclusion 5
  6. 6. FFRI, Inc. Background – malware and its detection Generators Obfuscators Increasing malware Limitation of pattern matching Targeted Attack (Unknown malware) other methods Reputation Bigdata Heuristic Behavioral Machine learning 6
  7. 7. FFRI, Inc. Limitation of signature matching • Evaluated 11 AV-product’s TRP using Metascan • Used fresh malware (not wildlist malware) • Prepared 2 test sets from different sources and period – test-1: 1,000 samples Pattern – test-2: 900 samples Reputation Huer. Bhvr. ML 7
  8. 8. test-1 test-2 test-1 test-2 test-1 test-2 test-1 test-2 test-1 test-2 test-1 test-2 test-1 test-2 A B C D E F G H I J test-1 test-2 test-1 test-2 TPR test-1 test-2 test-1 test-2 FFRI, Inc. Limitation of signature matching FNR 100% 80% 60% 40% Avg. 20% 0% K 8
  9. 9. FFRI, Inc. Advantage of (cloud) reputation • Concept is the same with signature-matching(Blacklisting) • Endpoints don’t have to keep HEAVY patterns anymore • Easy to reflect a new pattern to the others 2. check 1. query 3. response Pattern Reputation Huer. Bhvr. ML 9
  10. 10. FFRI, Inc. Disdvantage of (cloud) reputation • “Detectable” means that someone is already attacked • What if you are the first victim? • How much effective against “Targeted Attack” it is? 2. check 1. query 3. response Pattern Reputation Huer. Bhvr. ML 10
  11. 11. FFRI, Inc. Advantage of heuristic/behavioral detection • Based on pre-determined characteristics or behaviors – OpenProcess -> WriteProcessMemory -> CreateRemoteThread – Registering itself to auto start extensibility points – Disabling Windows Firewall, etc. • Providing generic logics to detect malware • Signature-free (eliminate regular scanning and update) Pattern Reputation Huer. Bhvr. ML 11
  12. 12. FFRI, Inc. Disadvantage of heuristic/behavioral detection • Difficult to avoid false positives completely • Or ask user to determine if an action would be allow or not (User dependent) • Have to analyze malware and update logics continuously (Not human task, more suitable for computers) Pattern Reputation Huer. Bhvr. ML 12
  13. 13. FFRI, Inc. Heuristic Behavioral Test - July 2012 • AV-comparatives publishes H/B Test results since 2012 • The behavioral hardly contributes to detect (avg: 4.8%) 13
  14. 14. FFRI, Inc. Our approach • Behavioral-based detection powered by machine learning • Not new but more practical for the industry • Easy to try and automate using open source below – Cuckoo Sandbox – Jubatus Pattern Reputation Huer. Bhvr. ML 14
  15. 15. FFRI, Inc. Machine learning-based detection • • • • Pattern Most research is doing in academic Basically, it is a classification problem (task) Mainly focusing on a combination of the factors below Some good results are reported Reputation Bhvr. Huer. ML Features Algorithms Evaluation Static information SVM TPR/FRP, etc. Dynamic information Naive bayes Accuracy, Precision Hybrid Perceptron, etc. ROC-curve, etc. 15
  16. 16. FFRI, Inc. Overview original data set malware Dynamic analysis Cuckoo Sandbox benign training set feature selection test set convert to Feature Vector train test Jubatus Jubatus TPR: X% FPR: Y% 16
  17. 17. FFRI, Inc. How many samples should we use? • It is a “Confidence Interval” theory • It depends on how margin of error we accept • All of these below hit rates are 1% – 1/100 (N=100) – 10/1,000 (N=1,000) – 100/10,000 (N=10,000) • Each confidences for determining to “1%” are different – Each of them has different error 17
  18. 18. FFRI, Inc. How many samples should we use? Hit Rate containing errors (95% confidence) • We can calculate estimation of margin of error based on N 6.0% 5.0% 4.0% 3.0% 2.0% 1.0% 0.0% 100 1,000 10,000 100,000 1,000,000 (N) 18
  19. 19. FFRI, Inc. Malware and benign files • Randomly sampling from files collected by ourselves – Malware: 15,000(5,000 = training, 10,000 = testing) – Benign: 15,000 (5,000 = training, 10,000 = testing) • *Random* is very important – Different period (choose 15,000/N sample from every day) – Different sources – Never care about filetype or malware type 19
  20. 20. FFRI, Inc. Cuckoo Sandbox - • Open source automated malware analysis system – Sending malware into a virtual machine from a host – Executing the malware inside the virtual machine – Monitoring and saving its behaviors at runtime • API calls, network activity, VT results, etc. 20
  21. 21. FFRI, Inc. API calls 21
  22. 22. FFRI, Inc. Trends of API calls The Number of samples which finished calling API • Most of the samples finished calling API within 1s (or keep calling APIs) -> Used API only called within 5s malware goodware 10000 8000 6000 4000 2000 0 1s 5s 10s 15s 30s 45s Elapsed time 60s 60s+ 22
  23. 23. FFRI, Inc. Jubatus - • Distributed Online Machine Learning Framework – Distributed: Scalable – Online: Not batch, continuous learning • Open source, LGPL v2.1. Latest release is 0.4.5(22/07/2013) • Developed by Preferred Infrastructure, Inc. and NTT Software Innovation Center • Support various machine learning – Classification, Regression, Recommendation, Anomaly Detection • Easy to use (many language bindings, feature converter, etc) 23
  24. 24. FFRI, Inc. Feature selection and convert to FV NtOpenFile Call sequence NtWriteFile NtWriteFile NtOpenFile NtWriteFile NtWriteFile NtOpenFileNtWriteFileNtWriteFile NtWriteFileNtWriteFileNtOpenFile NtWriteFileNtOpenFileNtWriteFile . . . . . NtCreateProcess 24
  25. 25. FFRI, Inc. Feature selection and convert to FV NtOpenFile NtWriteFile Nt NtOpenFileNtWriteFileNtWriteFile malware malware malware label:malware train Jubatus NtCreateProcess NtClose NtCreateProcess NtClose NtCreateProcessNtCloseNtClose benign NtClose benign NtClose benign label:benign 25
  26. 26. FFRI, Inc. (Image) Training internal Calc and update each FV’s weight based on its freq. and label (for the detail is dependent on the algorithm called AROW, don’t ask me :-) malware benign 0.0 0.25 0.75 NtClose NtClose NtClose 0.75 NtWriteFile LdrLoadDll NtDelayExecution 0.25 0.75 NtCreateProcess NtClose NtClose 0.25 0.5 NtAllocateVirtualMemory ... ... 0.5 26
  27. 27. FFRI, Inc. Testing results • N of N-gram – 3~5-gram > 2-gram = 6-gram • Best: 3-gram – TRP: 72.33% [71.58 ~ 73.07 % (95% confidence)] – FPR: 0.77% [0.60 ~ 0.99% (95% confidence)] • The result above is an example – A lot of combination of features are available (we used only “API-name” and its sequence) 27
  28. 28. FFRI, Inc. Demo 28
  29. 29. FFRI, Inc. Future Works 29
  30. 30. FFRI, Inc. Dumping training model • (Japanese only) Investigating weight parameters of classifier jubalocal_storage_dump.cpp 30
  31. 31. FFRI, Inc. Indicators of malware likeness in API 3-gram [foo@nolife classifier]$ ./dump --input model --label “malware” 0.181128 api_call$VirtualProtectEx_VirtualProtectEx_VirtualProtectEx@space#log_tf/bin 0.142254 api_call$RegOpenKeyExA_NtOpenKey_NtOpenKey@space#log_tf/bin 0.137144 api_call$NtReadFile_NtReadFile_NtFreeVirtualMemory@space#log_tf/bin 0.134443 api_call$LdrLoadDll_LdrGetProcedureAddress_VirtualProtectEx@space#log_tf/bin 0.130287 api_call$LdrLoadDll_RegOpenKeyExA_NtOpenKey@space#log_tf/bin 0.130287 api_call$DeviceIoControl_LdrLoadDll_RegOpenKeyExA@space#log_tf/bin 0.122363 api_call$VirtualProtectEx_LdrLoadDll_LdrGetProcedureAddress@space#log_tf/bin 0.102545 api_call$NtFreeVirtualMemory_LdrGetDllHandle_NtCreateFile@space#log_tf/bin 0.102485 api_call$RegCloseKey_RegCloseKey_RegCloseKey@space#log_tf/bin 0.0983165 api_call$NtReadFile_NtFreeVirtualMemory_LdrLoadDll@space#log_tf/bin 0.0966545 api_call$NtSetInformationFile_NtReadFile_NtFreeVirtualMemory@space#log_tf/bin 0.094639 api_call$NtMapViewOfSection_NtFreeVirtualMemory_NtOpenKey@space#log_tf/bin 0.0933827 api_call$NtFreeVirtualMemory_LdrLoadDll_LdrGetProcedureAddress@space#log_tf/bin 0.0905402 api_call$DeviceIoControl_DeviceIoControl_NtWriteFile@space#log_tf/bin 0.0903766 api_call$DeviceIoControl_NtWriteFile_NtWriteFile@space#log_tf/bin 0.0884724 api_call$RegOpenKeyExW_RegOpenKeyExW_LdrGetDllHandle@space#log_tf/bin 0.0853282 api_call$LdrLoadDll_LdrLoadDll_LdrLoadDll@space#log_tf/bin ... 31
  32. 32. FFRI, Inc. Indicators of goodware likeness in API 3-gram [foo@nolife classifier]$ ./dump --input model --label “goodware” 0.268353 api_call$LdrGetDllHandle_LdrGetDllHandle_ExitProcess@space#log_tf/bin 0.268353 api_call$LdrGetDllHandle_ExitProcess_NtTerminateProcess@space#log_tf/bin 0.259838 api_call$NtWriteFile_LdrGetDllHandle_LdrGetDllHandle@space#log_tf/bin 0.25887 api_call$NtWriteFile_NtWriteFile_LdrGetDllHandle@space#log_tf/bin 0.135514 api_call$NtOpenFile_NtOpenFile_NtCreateFile@space#log_tf/bin 0.122445 api_call$DeviceIoControl_LdrLoadDll_LdrGetProcedureAddress@space#log_tf/bin 0.12242 api_call$DeviceIoControl_DeviceIoControl_LdrGetDllHandle@space#log_tf/bin 0.119231 api_call$GetSystemMetrics_LdrLoadDll_NtCreateMutant@space#log_tf/bin 0.115319 api_call$DeviceIoControl_LdrGetDllHandle_LdrGetProcedureAddress@space#log_tf/bin 0.109306 api_call$LdrGetProcedureAddress_NtOpenKey_LdrLoadDll@space#log_tf/bin 0.105579 api_call$NtReadFile_NtReadFile_NtReadFile@space#log_tf/bin 0.104565 api_call$NtCreateFile_NtCreateFile_NtWriteFile@space#log_tf/bin 0.103304 api_call$RegOpenKeyExA_LdrGetDllHandle_LdrGetProcedureAddress@space#log_tf/bin 0.10306 api_call$VirtualProtectEx_RegOpenKeyExA_LdrGetDllHandle@space#log_tf/bin 0.100701 api_call$NtFreeVirtualMemory_NtFreeVirtualMemory_GetSystemMetrics@space#log_tf/bin ... 32
  33. 33. FFRI, Inc. Computer vs. Man • “VirtualProtectEx_VirtualProtectEx_VirtualProtectEx” looks like to related to malware • How about “RegOpenKeyExA_NtOpenKey_NtOpenKey”? • Computers might recognize indicators which human can’t (Extremely strong left-brain player) • Why don’t we cooperate with machine? 33
  34. 34. FFRI, Inc. Using computers • Generating models using computers • Checking them and guessing new logics by human (Using our right-brain) • ML-based detection is sometimes difficult to control – Cannot specify strict conditions to detect “ It is detected because ML said so ! ” • Hybrid of ML-based and Logic-based would be powerful 34
  35. 35. FFRI, Inc. Applying to real time protection • Using static information as feature – We can check a file before its execution – The performance is dependent on features • Using dynamic information as feature – Malware is already executed – Sometimes, detections would be too late – The hybrid detection above might be also useful in this perspective 35
  36. 36. FFRI, Inc. Conclusion • Traditional pattern-matching reaches its limit • Current behavioral detections hardly contributes to detect • By applying ML to behavioral detections – TPR is improved – Computers recognize new features which human can’t – We should make use of them 36
  37. 37. FFRI, Inc. Thank you! Contact: Twitter: @FFRI_Research 37