1
This malware looks familiar: Laymen Identify Malware
Run-time Similarity with Chernoff faces and Stick Figures
© 2016 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] This material has been approved
for public release and unlimited distribution.
BICT 2017
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213
This malware looks familiar: Laymen Identify Malware Run-time Similarity with Chernoff faces and Stick Figures
BICT ’17 -- Elli Kanal
Joint work with N. VanHoudnos, W. Casey, D. French, B. Lindauer, S. Moon, P. Jansen, J. Carbonell, and E. Wright
2
Copyright 2016 Carnegie Mellon University
This material is based upon work funded and supported by the
Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the
operation of the Software Engineering Institute, a federally funded research and development center.
Any opinions, findings and conclusions or recommendations expressed in this material are those of the
author(s) and do not necessarily reflect the views of the United States Department of Defense.
NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE
MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO
WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT
NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR
RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT
MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR
COPYRIGHT INFRINGEMENT.
[Distribution Statement A] This material has been approved for public release and unlimited distribution.
Please see Copyright notice for non-US Government use and distribution.
This material may be reproduced in its entirety, without modification, and freely distributed in written or
electronic form without requesting formal permission. Permission is required for any other use. Requests for
permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.
CERT® is a registered mark of Carnegie Mellon University.
DM-0004098
3
Motivation: Longitudinal Analysis of Malware Families
[Diagram: a Reverse Engineering loop with the stages Discovery, Refinement and Reflection; elements File, New Family and Artifact Catalog. The catalog is shown as rows: Signature 1: Files 1a 1b 1c 1d …; Signature 2: Files 2a 2b 2c 2d …; Signature 3: Files 3a 3b 3c 3d …; … Caption: Which files hang together?]
4
Motivation: Would non-experts be fast and cheap?
• Task: Given an exemplar, find other malware artifacts of the same class (family, behavior, etc.) in our existing catalog.
• Problem: Diversity and volume of incoming malware
  • Human analysis is far too expensive
  • Can’t run all tools on all samples
  • Malware variation is unpredictable in mode or frequency
  • “I’ll know it when I see it” is hard to quantify
[Chart: Total Artifacts Over Time; x-axis Year, y-axis Artifacts]
5
Features for malware classification
• Features from static analysis
  • Decompositional Techniques
    • *Section hashes
    • Resource hashes
  • Interpretive Techniques
    • Function hashes
    • *Mnemonic class histograms
    • *Import address table (IAT) hashes
• Features from runtime analysis
  • Host-based
    • *System call traces / call graphs
    • Filesystem operations
    • Registry operations
  • Network-based
* Explored in this project
6
A proxy task
For validation, we need a learnable task and ground truth.
To stay close to the real data, we projected the samples into a four-dimensional PCA space, and mapped those dimensions onto either stick figures or Chernoff faces.
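As an added illustration (not the authors' code), here is a pure-Python toy of that proxy task: constructed mnemonic-class histograms for two made-up families are projected into a four-dimensional PCA space, and each principal coordinate drives one Chernoff-face parameter. The sample counts, the class names and the PC-to-face mapping are all assumptions; a real pipeline would feed in the static or runtime features listed on the previous slide.

```python
"""Toy of the deck's proxy task: constructed feature histograms -> 4-D PCA
-> one Chernoff-face parameter per principal component. Pure Python; PCA is
power iteration with deflation on the covariance matrix. All data assumed."""
import math

# Constructed counts over six hypothetical mnemonic classes
# (arith, logic, move, control, stack, string) for two made-up families.
SAMPLES = {
    "famA_1": [120, 40, 300, 210, 90, 150],
    "famA_2": [110, 45, 310, 205, 95, 160],
    "famA_3": [130, 35, 290, 220, 85, 140],
    "famB_1": [400, 180, 200, 60, 150, 10],
    "famB_2": [390, 170, 210, 70, 140, 15],
    "famB_3": [410, 190, 190, 55, 160, 5],
}
# Assumed mapping: PC1 -> face width, PC2 -> eye size, and so on.
FACE_PARAMS = ["face_width", "eye_size", "mouth_curve", "nose_length"]

def normalize(hist):
    """Counts -> proportions, so a sample's size does not dominate."""
    total = float(sum(hist))
    return [v / total for v in hist]

def center(rows):
    """Subtract per-column means; PCA operates on centered data."""
    n, d = len(rows), len(rows[0])
    means = [sum(r[j] for r in rows) / n for j in range(d)]
    return [[r[j] - means[j] for j in range(d)] for r in rows]

def covariance(rows):
    n, d = len(rows), len(rows[0])
    cov = [[0.0] * d for _ in range(d)]
    for r in rows:
        for i in range(d):
            for j in range(d):
                cov[i][j] += r[i] * r[j] / (n - 1)
    return cov

def matvec(m, v):
    return [sum(m[i][j] * v[j] for j in range(len(v))) for i in range(len(m))]

def power_iteration(m, iters=1000):
    """Dominant (eigenvector, eigenvalue) of a symmetric matrix. The start
    vector is deliberately non-uniform: proportions sum to one, so the
    all-ones direction lies in the covariance matrix's null space."""
    d = len(m)
    v = [float(i + 1) for i in range(d)]
    for _ in range(iters):
        w = matvec(m, v)
        norm = math.sqrt(sum(x * x for x in w))
        if norm < 1e-15:  # nothing left after deflation
            return v, 0.0
        v = [x / norm for x in w]
    lam = sum(a * b for a, b in zip(v, matvec(m, v)))  # Rayleigh quotient
    return v, lam

def principal_components(cov, k):
    """Top-k (eigenvector, eigenvalue) pairs via repeated deflation."""
    comps, m = [], [row[:] for row in cov]
    for _ in range(k):
        v, lam = power_iteration(m)
        comps.append((v, lam))
        for i in range(len(m)):  # deflate: remove the component just found
            for j in range(len(m)):
                m[i][j] -= lam * v[i] * v[j]
    return comps

def pca_coordinates(samples, k=4):
    """Sample name -> coordinates in the top-k PCA space."""
    names = list(samples)
    rows = center([normalize(samples[n]) for n in names])
    comps = principal_components(covariance(rows), k)
    coords = [[sum(a * b for a, b in zip(r, v)) for v, _ in comps] for r in rows]
    return dict(zip(names, coords))

def chernoff_faces(samples, k=4):
    """Min-max scale each PCA axis to [0, 1] and name it as a face feature;
    a renderer would read these values to draw the face for each sample."""
    coords = pca_coordinates(samples, k)
    lo = [min(c[i] for c in coords.values()) for i in range(k)]
    hi = [max(c[i] for c in coords.values()) for i in range(k)]
    faces = {}
    for name, c in coords.items():
        faces[name] = {
            FACE_PARAMS[i]: (c[i] - lo[i]) / (hi[i] - lo[i]) if hi[i] > lo[i] else 0.5
            for i in range(k)
        }
    return faces

def face_distance(a, b):
    """Euclidean distance between two faces' parameter vectors."""
    return math.sqrt(sum((a[p] - b[p]) ** 2 for p in FACE_PARAMS))
```

With the constructed data the two families separate on the first component, so the face-width parameter alone already puts each family at opposite ends of its range; the remaining parameters carry only within-family variation.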
7
Creature Classification on AMT
8
Creature Classification on AMT
9
Results
• The difficulty of a given stimulus is consistent across runs.
Stick figures are harder.
10
Expert labels vs. Turker labels
• “Ground Truth” shows an SVM trained with expert ground truth labels.
• “Turkers Avg” trains the classifier with layperson labels instead.
11
Results
Simple visualizations can allow even completely untrained people to differentiate malware families!
12
The Real World
• Discovery found 23 files
• Manual reverse engineering was slow: only two files in 5 days
• Visualizing files with Chernoff faces immediately suggests groups of related files.
• Analysis burden shifts from forming candidate groups to verifying groups
• Faster and cheaper = happy clients
13
Conclusions
• Machine learning and human analysts provide complementary capabilities in malware analysis.
• Visualization of runtime features is surprisingly powerful – so much so that laypeople can label malware.
• Using more advanced dimensionality reduction, we can combine IAT hashes and t-SNE over mnemonic counts to achieve an order-of-magnitude reduction in analyst workload.
14
Contact Information
Eliezer Kanal
Technical Manager & Principal Researcher
Telephone: +1 412.268.5204
Email: ekanal@sei.cmu.edu

Editor's Notes

  1. Reflection is a judgment call. Goal: NOT to remove engineers, but to ASSIST engineers with discovery, refinement, and reflection.
  2. Discuss costs of engineers.
  3. Mention that static is cheaper. Note that none of this is interpretable to a layperson; we need a proxy measure for this stuff.
  4. Want to make sure that faces are easier than other stuff (FFA hypothesis); examined whether repeated trials had similar accuracy.
  5. Point out how faces are easier, which is expected based on knowledge of FFA.
  6. Labels are accurate.
  7. Comment to reviewers: only three cases here because there were only a few malware families being chosen between for this (real-life) sample of malware.