Antiy LabsPE Trojan Detection Based onthe Assessment of Static File          Features         Wei, Wang       David@antiy....
Antiy LabsStatic Assessment vs. Traditional Detection• Traditional signature detection technology:  Build a complete sampl...
Antiy LabsCan static assessment complement    signature code detection?                   Signature        AssessmentVirus...
Antiy LabsBuilding an Intelligent Assessment               Model• Ultimate goal: recognize Trojan files• Method: develop a...
Antiy Labs  Neural Network Modelinput layer            Hidden layer            The output layer              Modify       ...
Antiy Labs     Primary Static Assessment             Searches• Script file assessment based on grammar• Binary file assess...
Antiy Labs    The Structure of PE FilesPE file information: PE DosHeader PE OptionalHeader PE SectionHeader PE ImportSecti...
Antiy Labs    Conflicts Between PE Structure            and BP NetworkBP Network Requirement                    PE FileOne...
Antiy Labs     第一层    The first layer     第二层                      The second layer                         Section1      ...
Antiy Labs     Solutions for a Multi-Dimensional                 StructureHierarchical tests based on changes of granulari...
Antiy Labs  String Attribute Normalization• In PE files, there are plenty of import  function names, while the BP network ...
Antiy Labs     Experiment Result• Samples in the test:      Trojan Files: 158      Normal Files: 228      Unstudied Trojan...
Antiy Labs            Result Analysis• The alarm rate for unstudied Trojans is  good• If the false positive rate can’t be ...
Antiy Labs              Demo Time• Now it is time for a demonstration, you can  go the bathroom or get some coffee.       ...
Antiy Labs              Where Are We?• Currently, we are in the experimental phase.• Our network has been used in filterin...
Antiy Labs               Some Thoughts• Static assessment based on the neural network should  be able to defy all unknown ...
Antiy LabsThank You            www.antiy.net
Upcoming SlideShare
Loading in …5
×

PE Trojan Detection Based on the Assessment of Static File Features

424 views

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
424
On SlideShare
0
From Embeds
0
Number of Embeds
25
Actions
Shares
0
Downloads
0
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

PE Trojan Detection Based on the Assessment of Static File Features

  1. 1. Antiy LabsPE Trojan Detection Based onthe Assessment of Static File Features Wei, Wang David@antiy.net www.antiy.net
  2. 2. Antiy LabsStatic Assessment vs. Traditional Detection• Traditional signature detection technology: Build a complete sample database and extract malware signatures. Signature based detection is the basis of virus and Trojan detection.• Static assessment model using neural algorithm: Use an intelligent algorithm to analyze and study known samples, extract signatures and assess unknown samples. www.antiy.net
  3. 3. Antiy LabsCan static assessment complement signature code detection? Signature AssessmentVirus Database needed unneededProgram Updates rare requiredUpdate Downloads required rareUpdate Size > 100 KB <1KBUnknown Sample specific signature targetAccuracy 100% ??%Speed high ?? www.antiy.net
  4. 4. Antiy LabsBuilding an Intelligent Assessment Model• Ultimate goal: recognize Trojan files• Method: develop a categorization machine• Build a BP (reverse transmission) neural network, then use a batch of sample files to test it; eventually get a reasonable neural network• Result: Improved rate of Trojan detection www.antiy.net
  5. 5. Antiy Labs Neural Network Modelinput layer Hidden layer The output layer Modify Modify Teacher signals www.antiy.net
  6. 6. Antiy Labs Primary Static Assessment Searches• Script file assessment based on grammar• Binary file assessment based on file association• The 2nd one aims at PE files, which is our focus. www.antiy.net
  7. 7. Antiy Labs The Structure of PE FilesPE file information: PE DosHeader PE OptionalHeader PE SectionHeader PE ImportSectionHeader …… www.antiy.net
  8. 8. Antiy Labs Conflicts Between PE Structure and BP NetworkBP Network Requirement PE FileOne dimensional I/O Several one-to-many relationships One FileHeader corresponds to several SectionHeaders. The input header corresponds to several input functions.Data Type Attributes based on strings (names of input functions)Normalized Data [0,1] Various data types www.antiy.net
  9. 9. Antiy Labs 第一层 The first layer 第二层 The second layer Section1 File 1 DosHeader_Info Section2 PEHeader_InfoOptionalHeader_Info Section3 Section4 File 2 Section5 DosHeader_Info PEHeader_Info Section6OptionalHeader_Info Section7 www.antiy.net
  10. 10. Antiy Labs Solutions for a Multi-Dimensional StructureHierarchical tests based on changes of granularity:1. Test attributes of the same level (one-to-one structure) individually, ordered from lowest to highest granularity2. The low granularity attributes participate in the higher levels of tests3. Until the highest granularity is achieved. That is, the file correspondence is one to one www.antiy.net
  11. 11. Antiy Labs String Attribute Normalization• In PE files, there are plenty of import function names, while the BP network input data range is [0,1]• Introduce a method of statistical probability on the imported function names, and then normalize them. The probability value will range between 0 and 1 to meet the needs of the neural network. www.antiy.net
  12. 12. Antiy Labs Experiment Result• Samples in the test: Trojan Files: 158 Normal Files: 228 Unstudied Trojan Samples: 152 Unstudied Normal Samples: 1000• Accuracy rate of unknown file detection is 90% higher.• The false positive rate with normal files is 7%. www.antiy.net
  13. 13. Antiy Labs Result Analysis• The alarm rate for unstudied Trojans is good• If the false positive rate can’t be brought below 0.05%, it is not applicable. www.antiy.net
  14. 14. Antiy Labs Demo Time• Now it is time for a demonstration, you can go the bathroom or get some coffee. www.antiy.net
  15. 15. Antiy Labs Where Are We?• Currently, we are in the experimental phase.• Our network has been used in filtering unknown files (we receive malware reports from 100,000 users, network sniffers and honey pots per month).• The early results indicate that we are headed in the right direction and our work is of value.• It’s a lot of work to extract PE file information. Currently, we only analyze the DosHeader, FileHeader, OptionalHeader, SectionHeader, and ImportSection. Some important sections such as ResourceSection and ExportSection haven’t been analyzed.• It hasn’t yet been integrated with our automatic signature extraction mechanism. www.antiy.net
  16. 16. Antiy Labs Some Thoughts• Static assessment based on the neural network should be able to defy all unknown viruses with a 50% alarm rate.• We can see that avoidance of such mechanisms is not difficult. But then, no Trojan detection technique can defeat targeted avoidance.• We hope in April or May of 2005, this technology will be much more mature. www.antiy.net
  17. 17. Antiy LabsThank You www.antiy.net

×