Automated in-memory malware/rootkit detection via binary analysis and machine learning
CAMLIS 2018, Malachi Jones, PhD, MITRE
Automated in-memory malware/rootkit detection via binary analysis and machine learning (slides: https://www.camlis.org/malachi-jones/)
A prominent technique for detecting sophisticated malware consists of monitoring the execution behavior of each binary to identify anomalies and/or malicious intent. Hooking and emulation are the two primary mechanisms employed to facilitate this monitoring. Although these behavioral monitoring mechanisms are a substantial improvement over classic signature detection, skilled malware authors have developed reliable techniques to defeat them. As an example, sophisticated malware can evade hooking implementations either by calling alternative (e.g. lower-level) unhooked APIs or by removing the hooks at run time. In addition, the malware can perform checks to detect whether it is executing in an emulator/VM and modify its behavior accordingly.
In this talk, we will demonstrate an approach for pairing memory forensics with binary analysis and machine learning to analyze the behavior of binaries on a set of hosts and detect advanced persistent threats (APTs) that may evade detection by hooking and traditional emulation. In particular, we will discuss how an approximate clustering algorithm with linear run-time performance can be leveraged to identify outliers (i.e. potential APTs) among sets of clustered memory artifacts (processes, shared libraries, drivers, and kernel modules). These memory artifacts are collected from live, networked hosts and clustered in real time in a scalable manner. We will also discuss and demonstrate how dynamic binary analysis can be combined with machine learning techniques to differentiate between benign anomalous code and malware, improving detection accuracy.
Video: Automated in-memory malware/rootkit detection via binary analysis and machine learning, from the CAMLIS channel