1. June 13, 2018
MASSE ANALYSIS MODULES
Experimental Results (6 mos)
Alexander Zhdanov
MASSE
TAMIS
Inria Rennes - Bretagne Atlantique
2. MASSE analysis modules: experimental results (6 mos) Alexander Zhdanov June 13, 2018- 2
introduction
The purpose of this presentation is to summarize the experimental
results of the first 6 months of research. It explains the algorithms
used, the experimental setup and the datasets, together with an
analysis of the resulting output.
3. Outline
Problem formulation
MASSE-Overview
Yara rules
two algorithms
n-gram based Markov model difference (baseline)
Genetic Algorithm (GA)
experiments
setup
conclusions and discussion
4. 1 Problem formulation
MASSE - Yara rules
6. Problem formulation Yara rules
Yara rules
The YARA library and scanner are the de facto standard for
signature-based scanning of files for malware
The YARA signature rule format is an easy-to-understand
DSL with a C-like syntax
7. Problem formulation Yara rules
Yara rules
rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        threat_level = 3
        in_the_wild = true
    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
    condition:
        $a or $b or $c
}
8. Problem formulation Yara rules
Yara rules
The yara rules contain the following sections:
metadata: additional information about the rule
strings: hexadecimal strings, text and regular expressions
conditions: boolean expressions (with variables)
the pattern matching swiss army knife
Usage: yara [OPTION]... RULES_FILE FILE | DIR | PID
9. Problem formulation Yara rules
Yara rules
pros:
easy-to read and understand
fast classification (string (pattern) matching)
fast sharing and update of yara-database (virus-total)
cons:
Static signatures are not robust against malware mutation, packing
and obfuscation
Yara rules are written manually (which limits performance and optimality)
10. Problem formulation Yara rules
Yara rules
Q: why is YARA so popular?
12. 2 two algorithms
n-gram based Markov model difference (baseline) & GA
13. two algorithms n-gram based Markov model difference (baseline)
n-gram based Markov model difference (baseline)
difference of n-gram based Markov models
14. two algorithms n-gram based Markov model difference (baseline)
n-gram based Markov model difference (baseline)
calculate n-gram Markov model for cleanware
calculate n-gram Markov model for malware
subtract two models
(optional): subtract models for other malware families (diff)
filter n-grams using two-step filtration:
sort
calculate entropy
select top (number of bytes)
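The baseline procedure above, worked through as an added example (not the MASSE code): n-gram frequency models for cleanware and malware, their difference with an optional subtraction of other families' models (the diff variant), the two-step filtration by score and byte entropy, and rendering of the kept n-grams as YARA hex strings. The toy corpus, the entropy threshold and the rule layout are assumptions.

```python
from collections import Counter
from math import log2
N = 5  # bytes per n-gram, as in the experimental setup

def ngram_model(samples, n=N):
    """Relative frequency of every n-byte window over a set of binaries."""
    counts = Counter()
    for data in samples:
        counts.update(data[i:i + n] for i in range(len(data) - n + 1))
    total = sum(counts.values())
    return {g: c / total for g, c in counts.items()}

def model_difference(mal, clean, others=()):
    """Malware model minus cleanware model (and, for the diff variant, minus
    other families' models); keep only n-grams over-represented in this family."""
    diff = {}
    for g, p in mal.items():
        score = p - clean.get(g, 0.0) - sum(o.get(g, 0.0) for o in others)
        if score > 0:
            diff[g] = score
    return diff

def byte_entropy(g):
    """Shannon entropy (bits per byte) of the bytes inside one n-gram."""
    return -sum(c / len(g) * log2(c / len(g)) for c in Counter(g).values())

def filter_ngrams(diff, top, min_entropy=1.0):
    """Two-step filtration: sort by score, drop low-entropy (padding-like)
    n-grams such as 00 00 00 00 00, then select the top ones."""
    ranked = sorted(diff, key=diff.get, reverse=True)
    return [g for g in ranked if byte_entropy(g) >= min_entropy][:top]

def to_yara(name, ngrams):
    """Render the selected n-grams as hex strings of a YARA rule."""
    body = [f"        $s{i} = {{ {g.hex(' ').upper()} }}" for i, g in enumerate(ngrams)]
    return "\n".join([f"rule {name}", "{", "    strings:", *body,
                      "    condition:", "        any of them", "}"])

# Constructed toy corpus (not the MASSE dataset): a shared ELF-like prologue,
# zero padding mostly in cleanware, a family-specific byte sequence (MARKER)
# in malware, and one 0xFF run whose n-grams the entropy step must reject.
PROLOGUE = b"\x7fELF\x02\x01\x01\x00"
MARKER = b"\x6a\x40\x68\x00\x30\x00\x00\x6a\x14\x8d\x91"
CLEAN = [PROLOGUE + b"\x00" * 16 + b"\x48\x89\xe5\x48\x83\xec\x10", PROLOGUE + b"\x00" * 20]
MAL = [PROLOGUE + MARKER + b"\x00" * 8, PROLOGUE + MARKER + b"\xff" * 8]

def generate_rule(name, mal_samples, clean_samples, top=8):
    """Baseline pipeline: build both models, subtract, filter, emit the rule."""
    diff = model_difference(ngram_model(mal_samples), ngram_model(clean_samples))
    selected = filter_ngrams(diff, top)
    return selected, to_yara(name, selected)
```

The high-scoring 0xFF n-grams are discarded by the entropy step even though they are absent from cleanware, which is exactly the padding-like case the second filtration step exists for.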
15. two algorithms Genetic Algorithm (GA)
Genetic Algorithm (GA) steps
calculate n-gram Markov model of malware
apply two step filtration
sort
calculate entropy
generate a new population
calculate f1 scores for the new population
while condition for the termination is not reached:
apply mutation
apply crossover
replace min elements in the population with children
select best individuals
16. two algorithms Genetic Algorithm (GA)
Genetic Algorithm steps
17. two algorithms Genetic Algorithm (GA)
f1 score (binary classification)
$$\mathrm{precision} = \frac{tp}{tp + fp}, \qquad \mathrm{recall} = \frac{tp}{tp + fn}$$
$$F_1 = 2 \cdot \frac{\mathrm{precision} \cdot \mathrm{recall}}{\mathrm{precision} + \mathrm{recall}}$$
18. two algorithms Genetic Algorithm (GA)
f1 score (binary classification with rejection)
$$\mathrm{precision} = \frac{tp}{tp + fp}, \qquad \mathrm{recall} = \frac{tp}{tp + fn}$$
$$F_1 = 2 \cdot \frac{\mathrm{precision} \cdot \mathrm{recall}}{\mathrm{precision} + \mathrm{recall}}$$
19. two algorithms Genetic Algorithm (GA)
Stopping criteria and a minimization function of the
Genetic Algorithm
((num_unique - self.config.num_unique_el) + (eval_score - self.config.max_score)) * ((num_cycles - self.config.max_num_cycles) + (prev_score - eval_score) - self.config.prec)
where
num_unique is the number of unique elements in the generation
eval_score is the average f1 score calculated for the current generation
num_cycles is the number of cycles for the current generation
self.config.prec is the lower bound on the change of the minimization function
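The GA steps listed on the earlier slide and the stopping criterion above, as an added example rather than the project's code: an individual is a set of indices into a constructed, already-filtered candidate string list, fitness is the F1 score of the rule "any of them" over labelled samples, and the slide's minimization function is transcribed as stop_function with the config fields in a dict. Uniform crossover, the config dictionary and the scaled-down population sizes are assumptions.

```python
import random
def f1_score(tp, fp, fn):
    """F1 for binary classification, as defined on the slides."""
    if tp == 0: return 0.0
    precision, recall = tp / (tp + fp), tp / (tp + fn)
    return 2 * precision * recall / (precision + recall)
def fitness(individual, candidates, malware, cleanware):
    """F1 of the rule 'any of the chosen strings' over labelled samples."""
    hit = lambda data: any(candidates[i] in data for i in individual)
    tp = sum(hit(m) for m in malware)
    return f1_score(tp, sum(hit(c) for c in cleanware), len(malware) - tp)
def stop_function(num_unique, eval_score, num_cycles, prev_score, cfg):
    """The slide's minimization function, with the config fields as a dict."""
    return ((num_unique - cfg["num_unique_el"]) + (eval_score - cfg["max_score"])) * \
           ((num_cycles - cfg["max_num_cycles"]) + (prev_score - eval_score) - cfg["prec"])
def evolve(candidates, malware, cleanware, cfg, seed=0):
    """Run the GA; an individual is a frozenset of candidate-string indices."""
    rng, n = random.Random(seed), len(candidates)
    score = lambda ind: fitness(ind, candidates, malware, cleanware)
    sizes = [min(n, max(1, round(rng.gauss(cfg["mu"], cfg["sigma"])))) for _ in range(cfg["pop_size"])]
    pop = [frozenset(rng.sample(range(n), k)) for k in sizes]   # new population
    prev_score, prev_m, cycles = 0.0, None, 0
    while True:
        cycles += 1
        pop.sort(key=score, reverse=True)          # select best individuals
        parents = pop[:cfg["n_select"]]
        children = []
        for a, b in zip(parents, parents[1:] + parents[:1]):
            rest = sorted(a ^ b)                   # crossover: shared genes plus
            child = (a & b) | set(rng.sample(rest, len(rest) // 2))  # half the rest
            for _ in range(cfg["mut_bits"]):       # mutation: flip random bits
                child ^= {rng.randrange(n)}
            children.append(frozenset(child) or a)
        pop[-len(children):] = children            # replace the worst with children
        eval_score = sum(map(score, pop)) / len(pop)
        m = stop_function(len(set(pop)), eval_score, cycles, prev_score, cfg)
        if cycles >= cfg["max_num_cycles"] or (prev_m is not None and abs(m - prev_m) < cfg["prec"]): break
        prev_score, prev_m = eval_score, m
    best = max(pop, key=score)
    return sorted(candidates[i] for i in best), score(best)

# Constructed candidate strings and samples (not the MASSE data); the config
# follows the slide's parameters, scaled down to 40/10 individuals.
CANDIDATES = [b"\x6a\x40\x68\x00\x30\x00\x00", b"\x8d\x4d\xb0\x2b\xc1", b"/gate.php",
              b"/tmp/.x11", b"libc.so.6", b"GLIBC_2.2.5"]
A, B, C, D, E, F = CANDIDATES
MALWARE = [b"\x7fELF" + A + C, b"\x7fELF" + C + B, b"\x7fELF" + D + A]
CLEANWARE = [b"\x7fELF" + D + E, b"\x7fELF" + E + F, b"\x7fELF" + F]
CFG = dict(pop_size=40, n_select=10, mu=4, sigma=1, mut_bits=2, max_score=1.0,
           num_unique_el=2, max_num_cycles=10, prec=1e-3)
```

Because the sorted population only has its tail replaced, the best individual is never lost between generations, so the returned F1 is at least that of the best random starter.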
20. 3 experimental results
5 malware families
21. experiments setup
datasets
cleanware
10 ELF files, both packed and unpacked
malware
5 malware families
blihan
rebhip
viking
vmprotect (packer)
zvuzona
in total 217 binaries
blihan and zvuzona are unpacked
22. experiments setup
algorithmic parameters
n-gram based Markov model difference (baseline)
number of bytes in n-gram: 5
Genetic Algorithm (GA)
number of individuals in a generation: 1000
number of selected individuals: 100
Gaussian distribution of chromosomes with parameters:
mu = 4
sigma = 1
number of bits in the mutation step: 2
max score to evaluate: 1.0
number of unique elements expected: 2
max number of cycles: 10
23. experiments setup
Prior distribution of individuals by the number of strings
24. experiments setup
f1 scores binary classification
25. experiments setup
f1 scores binary classification with rejection
26. experiments setup
length of yara rules (number of strings)
27. 4 conclusions and discussion
28. conclusions and discussion
conclusions and discussion
implemented construction of syntactic malware/cleanware
Markov models based on n-grams
implemented three algorithms for yara rules generation:
n-gram based Markov model difference (baseline)
Genetic Algorithm (GA)
n-gram based Markov model difference with multiple models
(diff)
29. conclusions and discussion
conclusions and discussion
both baseline and GA work on unpacked malware (on packed malware:
packer signatures)
parameters of GA are chosen so that the algorithm evaluates quickly
for GA, detection rates depend on the number of generated
individuals in a population (higher coverage)
for binary classification:
GA has the same detection rate as baseline for blihan and
zvuzona
for vmprotect, GA produces a higher detection rate
for rebhip and viking, GA has slightly lower detection rates
(0.98/0.93 and 0.90/0.86)
30. conclusions and discussion
conclusions and discussion
for binary classification with rejection:
GA produces signatures with better detection rates than
baseline (significantly better for rebhip and viking)
the multiple models heuristic (diff) does not produce signatures on
packed/obfuscated malware
for zvuzona, the multiple models heuristic (diff) produces the same
detection as the Genetic Algorithm
length of the produced yara rules:
on average, the Genetic Algorithm produces shorter yara rules than
the baseline: 4 vs. 39.2 strings
31. conclusions and discussion
future work
extend cleanware dataset
run tests on more malware families (requires a good packing
detector/extractor)
improve Genetic Algorithm:
run more experiments with higher parameter values:
more cycles, more individuals, higher mutation rates, ...
use more machine learning techniques
Hidden Markov Models (HMM)
THANKS