An experimental parallel programming environment built from bots and a Wiki, together with example programs, is presented. The aim is to turn the fault tolerance and massive parallelism of malicious bots, which have long troubled information security staff, to a beneficial use: scientific and general-purpose computation. As an example, a parallel program that solves a minimal path problem with dynamic programming is shown. Here the required computing resources (the number of bots and Web pages) are proportional to the number of nodes, and the time needed to compute the minimal path is proportional to the number of arcs in the resulting minimal path.
Fighting advanced malware using machine learning (Japanese), FFRI, Inc.
In this paper, behavioral-based detection powered by machine learning is introduced. As a result, the detection ratio is dramatically improved compared with traditional detection.
Needless to say, malware detection is getting harder today. Everybody knows that signature-based detection has reached its limit, so most anti-virus vendors combine heuristic, behavioral and reputation-based detection. In targeted attacks, attackers basically use undetectable malware, so reputation-based detection doesn't work well because it needs other victims beforehand. And it is a fact that the detection ratio is not enough even though heuristic and behavioral-based detection are used. In our research using Metascan, the average detection ratio of the newest malware by most anti-virus scanners is about 30% (the best is about 60%).
By the way, heuristic and behavioral-based detections are developed from the knowledge and experience of malware analysts. For example, most analysts know that the following features are indicators that a program is malicious.
- A file imports only VirtualAlloc, VirtualProtect and LoadLibrary and has a strange section name
- An entry point that does not fall within the declared text or code section
- Creating remote threads in a legitimate process such as explorer.exe
- After unpacking, calling OpenMutex and CreateMutex to avoid multiple infections
- Registering itself at auto-start extension points such as services and the registry
- Creating a .bat file and trying to delete itself by executing that file with cmd.exe
- Setting a global hook to capture keystrokes using SetWindowsHookEx
Heuristic and behavioral-based detection is built on pre-determined features like those above. Analysts keep finding such features day by day, but this kind of work is not well suited to humans. We therefore classified programs as malware or benign by applying machine learning to dynamic analysis results. As a result, the detection ratio is dramatically improved, and a numeric score shows which features are strongly related to malware. By this method we also found features that we had never identified before. Finally, the outlook and challenges of this method will be discussed.
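As an added illustration of the approach the abstract describes (example code, not FFRI's own), the following Bernoulli naive Bayes classifier turns the behavioural indicators listed above into features over constructed sandbox traces, scores unknown traces, and ranks each feature by how strongly its presence points to malware. The trace format, feature names and training samples are assumptions made for this example.

```python
import math
from collections import Counter

# Indicators from the abstract's list as predicates over a sandbox API-call trace (a list
# of "API" or "API:argument" strings); trace format and feature names are assumptions.
FEATURES = {
    "remote_thread": lambda t: "CreateRemoteThread" in t,
    "mutex_guard": lambda t: "OpenMutex" in t and "CreateMutex" in t,
    "autostart_registry": lambda t: any(c.startswith("RegSetValueEx:") and c.endswith("\\Run") for c in t),
    "bat_self_delete": lambda t: any(c.startswith("CreateFile:") and c.endswith(".bat") for c in t)
        and any(c.startswith("CreateProcess:cmd.exe") for c in t),
    "keyboard_hook": lambda t: "SetWindowsHookEx:WH_KEYBOARD_LL" in t,
}

def extract(trace):
    """Map one trace to a binary feature vector."""
    return {name: int(pred(trace)) for name, pred in FEATURES.items()}

def train(samples):
    """Bernoulli naive Bayes, label 1 = malware; weights[f] = (log-LR if f present, log-LR if absent)."""
    n, hits = Counter(), {0: Counter(), 1: Counter()}
    for trace, label in samples:
        n[label] += 1
        hits[label].update(extract(trace))
    weights = {}
    for f in FEATURES:
        p1 = (hits[1][f] + 1) / (n[1] + 2)  # Laplace-smoothed P(f | malware)
        p0 = (hits[0][f] + 1) / (n[0] + 2)  # Laplace-smoothed P(f | benign)
        weights[f] = (math.log(p1 / p0), math.log((1 - p1) / (1 - p0)))
    return weights, math.log((n[1] + 1) / (n[0] + 1))  # class prior log-odds

def score(trace, model):
    """Summed log-odds; positive means 'malware' is the more likely class."""
    weights, prior = model  # weights[f][0] applies when present, [1] when absent
    return prior + sum(weights[f][1 - v] for f, v in extract(trace).items())

def ranked_features(model):
    """Features ordered by how strongly their presence points to malware."""
    return sorted(FEATURES, key=lambda f: model[0][f][0], reverse=True)

RUN = "RegSetValueEx:HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
SAMPLES = [  # constructed training traces, not real sandbox output
    (["CreateRemoteThread", "OpenMutex", "CreateMutex", RUN], 1),
    (["OpenMutex", "CreateMutex", "SetWindowsHookEx:WH_KEYBOARD_LL",
      "CreateFile:C:\\Temp\\d.bat", "CreateProcess:cmd.exe /c d.bat"], 1),
    (["CreateRemoteThread", "SetWindowsHookEx:WH_KEYBOARD_LL", RUN], 1),
    (["CreateFile:notes.txt", "ReadFile", "WriteFile"], 0),
    (["CreateMutex", "RegSetValueEx:HKCU\\Software\\App"], 0),
    ([RUN, "CreateFile:setup.log"], 0),  # benign installer registering autostart
]
MODEL = train(SAMPLES)
```

With the benign installer in the training set, autostart registration alone ranks lowest and does not push a trace over the threshold on its own, which is the kind of per-feature weighting the abstract refers to.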
Bot Computing using the Power of Wiki Collaboration, Takashi Yamanoue
Bot computing using the power of Wiki collaboration and an experimental implementation of the bot running environment are discussed. While botnets are usually created for malicious purposes, the bot computing in this study aims to use bots for beneficial purposes. The massively parallel and persistence features of a botnet can enhance its computing power and high availability for beneficial computing. Bot computing can also enhance people’s collaboration by introducing dynamic Web pages to previously static Wiki networks. Parallel dynamic programming for solving a minimal path problem is shown as an example. Resources such as the number of bots and the number of web pages were proportional to the number of nodes, and the time to solve the minimal path problem was proportional to the number of arcs of the minimal path.
Bot Computing and its Application to Solve Minimal Path Problems, Takashi Yamanoue
Bot computing using the power of Wiki collaboration and an experimental implementation of the bot running environment are discussed. While botnets are usually created for malicious purposes, the bot computing in this study aims to use bots for beneficial purposes. The massively parallel and persistence features of a botnet can enhance its computing power and high availability for beneficial computing. Bot computing can also enhance people’s collaboration by introducing dynamic Web pages to previously static Wiki networks. Parallel dynamic programming for solving a minimal path problem is shown as an example. Resources such as the number of bots and the number of web pages were proportional to the number of nodes, and the time to solve the minimal path problem was proportional to the number of arcs of the minimal path.