Date post: | 12-Jan-2017 |
Category: |
Technology |
Upload: | crowdstrike |
View: | 186 times |
Download: | 0 times |
BATTLING UNKNOWN MALWARE WITH MACHINE LEARNING
DR. SVEN KRASSER CHIEF SCIENTIST@SVENKRASSER
FALCON ON VIRUSTOTAL
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
SUBMITTING TO VIRUSTOTAL
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
SCAN RESULTS
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
SCAN RESULTS
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
SCAN RESULTS
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
MACHINE LEARNING PRIMER
More on this: watch http://tinyurl.com/MLcrowdcast
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
Some Data to Get Started:1988 ANTHROPOMETRIC
SURVEY OF ARMY PERSONNEL
Source: http://mreed.umtri.umich.edu/mreed/downloads.html#anthro 2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
• Over 4000 soldiers surveyed• Over 100 measurements• Reported by gender
Data
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
FIRST LOOK
Height [mm]
Den
sity
• Difference in distribution
• Significant overlap
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
SECOND DIMENSION
Height [mm]
Wei
ght [
10-1
kg]
• Correlation
• Overlap
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
FEATURE SELECTION
“Buttock Circumference” [mm]
Wei
ght [
10-1
kg]
• Correlation
• Reduced overlap
• Selection of features matters
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
LET’S CLASSIFY
“Buttock Circumference” [mm]
Wei
ght [
10-1
kg]
• Let’s assume we want to detect males (blue)
• I.e. “blue” is our positive class
• TP: classify blue as blue
• Note some misclassifications
• FP: classify red as blue
• FN: classify blue as red
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
“Buttock Circumference” [mm]
Wei
ght [
10-1
kg]
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
LET’S CLASSIFY
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
“Buttock Circumference” [mm]
Wei
ght [
10-1
kg]
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
LET’S CLASSIFY
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
“Buttock Circumference” [mm]
Wei
ght [
10-1
kg]
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
LET’S CLASSIFY
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
“Buttock Circumference” [mm]
Wei
ght [
10-1
kg]
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
LET’S CLASSIFY
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
“Buttock Circumference” [mm]
Wei
ght [
10-1
kg]
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
LET’S CLASSIFY
• Get more “blue”right (true positives)
• Get more “red”wrong (false positives)
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
RECEIVER OPERATING CHARACTERISTICS CURVE
False Positive Rate
True
Pos
itive
Rat
e
Detectmorebyacceptingmorefalsepositives
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
MORE DIMENSIONS
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
MISSION ACCOMPLISHED:WE JUST ADD MORE DIMENSIONS…
RIGHT?
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
CURSE OF DIMENSIONALITY
REDUCEDpredictive performance
INCREASEDtraining time
SLOWERclassification
LARGERmemory footprint
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
Source: https://commons.wikimedia.org/w/index.php?curid=2257082 2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
Source: https://commons.wikimedia.org/w/index.php?curid=2257082
Height (mm)
Wei
ght [
10-1
kg]
DIMENSIONALITYAND SPARSENESS
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
2016CrowdStrike,Inc.Allrightsreserved.Height (mm)
Wei
ght [
10-1
kg]
DIMENSIONALITYAND SPARSENESS
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
LET’S APPLY THIS TO SECURITY
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
FILE ANALYSISAKA Static Analysis
• THE GOOD
– Relatively fast
– Scalable
– No need to detonate
– Platform independent, can be done at gateway
• THE BAD
– Limited insight due to narrow view
– Different file types require different techniques
– Different subtypes need special consideration
– Packed files
– .Net
– Installers
– EXEs vs DLLs
– Obfuscations (yet good if detectable)
– Ineffective against exploitation and malware-less attacks
– Asymmetry: a fraction of a second to decide for the defender, months to craft for the attacker
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
FILE CONTENT
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
EXAMPLE FEATURES
32/64 BIT EXECUTABLE
GUI SUBSYSTEM
COMMAND LINE
SUBSYSTEMFILE SIZE TIMESTAMP
DEBUG INFORMATION
PRESENTPACKER TYPE FILE ENTROPY NUMBER OF
SECTIONSNUMBER
WRITABLE
NUMBER READABLE
NUMBER EXECUTABLE
DISTRIBUTION OF SECTION
ENTROPYIMPORTED DLL
NAMESIMPORTED FUNCTION
NAMES
COMPILER ARTIFACTS
LINKER ARTIFACTS
RESOURCE DATA
EMBEDDED PROTOCOL
STRINGSEMBEDDED
IPS/DOMAINS
EMBEDDED PATHS
EMBEDDED PRODUCT
META DATADIGITAL
SIGNATUREICON
CONTENT …
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
String-based feature
Exec
utab
le se
ctio
n si
ze-b
ased
feat
ure
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
COMBINING FEATURES
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
Subspace Projection A
Subs
pace
Pro
ject
ion
B
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
COMBINING FEATURES
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
False Positive Rate
True
Pos
itive
Rat
e
Detectmorebyacceptingmorefalsepositives
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
ARMY DATA ROC CURVE
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
False Positive Rate
True
Pos
itive
Rat
e
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
ML MALWARE DETECTION ROC CURVE
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
APTS & 99% OF MALWARE DETECTED…
36
Ch
ance
of
at le
ast
one
succ
ess
for
ad
vers
ary
Number of attempts
1%
>99%
500
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
MALWARE
40%
THREAT
SOPHISTICATION
MALWARE
STOPPING MALWARE
IS NOTENOUGH
HA
RD
ER
TO
PR
EV
EN
T &
DETE
CTLOW
HIGH
HIGH
LOW
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
THREAT
SOPHISTICATION
MALWARE
NON-MALWARE
ATTACKS
MALWARE
40%
NATION-STATES
60%NON-MALWARE ATTACKS
ORGANIZED CRIMINAL GANGS
HACKTIVISTS/VIGILANTES
TERRORISTS CYBER-CRIMINALS
YOU NEED COMPLETE
BREACHPREVENTION
HA
RD
ER
TO
PR
EV
EN
T &
DETE
CTLOW
HIGH
HIGH
LOW
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
Next-Generation Endpoint Protection Cloud Delivered. Enriched by Threat Intelligence
MANAGEDHUNTING
ENDPOINT DETECTION AND RESPONSE
NEXT-GEN ANTIVIRUS
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
ML SETTINGS WITHIN FALCON HOST
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
ML PREVENTION IN ACTION
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
KEY POINTS
• Machine Learning is an effective tool against unknown malware
• Try it out on VirusTotal
• Trading off true positives and false positives
• Detecting 99% malware means an APT has a 100% chance of getting malware into your environment
• The majority of intrusions are not malware-based
• Avoid silent failure
• Use a comprehensive array of techniques
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
www.crowdstrike.com
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.