Presentation is loading. Please wait.

Presentation is loading. Please wait.

October 20-23rd, 2015 Deep Neural Network Based Malware Detection Using Two Dimensional Binary Program Features Joshua Saxe, Dr. Konstantin Berlin Invincea.

Published byGyles Bishop Modified over 8 years ago

Similar presentations

Presentation on theme: "October 20-23rd, 2015 Deep Neural Network Based Malware Detection Using Two Dimensional Binary Program Features Joshua Saxe, Dr. Konstantin Berlin Invincea."— Presentation transcript:

1 October 20-23rd, 2015 Deep Neural Network Based Malware Detection Using Two Dimensional Binary Program Features Joshua Saxe, Dr. Konstantin Berlin Invincea Labs

2 October 20-23rd, 2015 Motivation and research question  On average, anti-virus sensors have a 40% chance of missing zero-day malware (according to a 2014 study performed by Lastline/UCSB)  The data seem to suggest that it takes almost a year before anti- virus sensors start detecting the hardest-to-detect zero-day malware  Deep learning holds the promise of providing an orthogonal detection methodology that can significantly increase our overall detection rate  Deep learning has produced big breakthroughs in computer science problem areas recently: could this extend to malware detection? 2

3 October 20-23rd, 2015 Our “deep learning” neural network approach  Goal: Exploit recent breakthroughs in deep neural networks to achieve breakthrough results in malware detection

4 October 20-23rd, 2015 Previous Work  Our overall approach is not new, machine learning based malware detection is two decades old  What is new is our attempt to exploit recent developments in machine learning that have produced breakthroughs against other problems (object recognition)  Specifically: new neural network activation functions, new optimization approaches, GPU-based training, new dimensionality reduction 4

5 October 20-23rd, 2015 Our approach 5

6 October 20-23rd, 2015 What are neural networks? -A set of inputs -A set of nonlinear transforms to those inputs -A set of outputs -This simple setup can approximate any function, given the right parameters Learned decision boundary

7 October 20-23rd, 2015 Our neural network architecture 7

8 October 20-23rd, 2015 Contextual byte histogram features: a key component of our feature space -Feature extraction algorithm: -Slide a 1024 byte window over the target binary, taking 256 byte steps -Compute the entropy of each 1024 byte window -For each byte in the window, store a tuple (byte, entropy) -Create a 2d histogram with byte values on one axis and entropy on another axis

9 October 20-23rd, 2015 Byte/entropy histograms: a key component of our feature space

10 October 20-23rd, 2015 Byte/entropy representation of a binary file (benign in this example)

11 October 20-23rd, 2015 Byte/entropy representation of a binary file with a simulated component added

12 October 20-23rd, 2015 Findings 12

13 October 20-23rd, 2015 In-lab accuracy evaluation on 400k files ROC curve zoomed to low FPR range We can detect about 75% of malware samples our neural network has never seen before at a 0.01% false positive rate We can detect 95% of malware samples that our neural network has never seen before at a 0.1% false positive rate

14 October 20-23rd, 2015 Simulating concept drift On this test we train on malware with compile timestamps between 2000 and July 31 st 2014 Then we evaluate our ability to detect malware received in our lab over the last year The results, as you’d expect, are noticeably worse, but still pretty good!

15 October 20-23rd, 2015 Measuring the positive impact of more training data 15

16 October 20-23rd, 2015 Product integration and results in live settings  Our detection model has been integrated into the upcoming release of our product and is currently under testing on customer networks  60% detection rate on new malware as false positives converge on 0 (in contrast to anti-virus engines’ 40%)  95% detection rate on new malware as false positives approach five per day  Test performed on feed of new binaries obtained from multiple customer networks compromising on the order of thousands of individual machines

17 October 20-23rd, 2015 Impact, summary and conclusions  Deep learning methods yield state-of-the-art results on the static malware detection problem  Our novel insertion/reordering invariant feature representation for static binaries yields improved static detection results  Our time-splitting evaluation reveals malware “concept drift” and is an important evaluation that should be built upon by other malware detection researchers 17

18 October 20-23rd, 2015 Remaining Questions  What happens when we train on more samples?  What happens when we mix in behavioral analysis?  Could sequence oriented deep learning models (recurrent neural networks) improve our results over feed-forward networks?  How would our results compare to traditional AV systems in head-to-head comparisons? 18

19 October 20-23rd, 2015 Questions / comments? Joshua Saxe Senior Principal Research Engineer Invincea Labs josh.saxe@invincea.com 19

Download ppt "October 20-23rd, 2015 Deep Neural Network Based Malware Detection Using Two Dimensional Binary Program Features Joshua Saxe, Dr. Konstantin Berlin Invincea."

Similar presentations

Patch to the Future: Unsupervised Visual Prediction

Patch to the Future: Unsupervised Visual Prediction
Software Quality Ranking: Bringing Order to Software Modules in Testing Fei Xing Michael R. Lyu Ping Guo.

Software Quality Ranking: Bringing Order to Software Modules in Testing Fei Xing Michael R. Lyu Ping Guo.
Pattern Classification All materials in these slides were taken from Pattern Classification (2nd ed) by R. O. Duda, P. E. Hart and D. G. Stork, John.

Pattern Classification All materials in these slides were taken from Pattern Classification (2nd ed) by R. O. Duda, P. E. Hart and D. G. Stork, John.
Final Project: Project 9 Part 1: Neural Networks Part 2: Overview of Classifiers Aparna S. Varde April 28, 2005 CS539: Machine Learning Course Instructor:

Final Project: Project 9 Part 1: Neural Networks Part 2: Overview of Classifiers Aparna S. Varde April 28, 2005 CS539: Machine Learning Course Instructor:
Machine Learning Motivation for machine learning How to set up a problem How to design a learner Introduce one class of learners (ANN) –Perceptrons –Feed-forward.

Machine Learning Motivation for machine learning How to set up a problem How to design a learner Introduce one class of learners (ANN) –Perceptrons –Feed-forward.
Face Processing System Presented by: Harvest Jang Group meeting Fall 2002.

Face Processing System Presented by: Harvest Jang Group meeting Fall 2002.
05/06/2005CSIS © M. Gibbons On Evaluating Open Biometric Identification Systems Spring 2005 Michael Gibbons School of Computer Science & Information Systems.

05/06/2005CSIS © M. Gibbons On Evaluating Open Biometric Identification Systems Spring 2005 Michael Gibbons School of Computer Science & Information Systems.
Oral Defense by Sunny Tang 15 Aug 2003

Oral Defense by Sunny Tang 15 Aug 2003
SOMTIME: AN ARTIFICIAL NEURAL NETWORK FOR TOPOLOGICAL AND TEMPORAL CORRELATION FOR SPATIOTEMPORAL PATTERN LEARNING.

SOMTIME: AN ARTIFICIAL NEURAL NETWORK FOR TOPOLOGICAL AND TEMPORAL CORRELATION FOR SPATIOTEMPORAL PATTERN LEARNING.
Face Recognition Using Neural Networks Presented By: Hadis Mohseni Leila Taghavi Atefeh Mirsafian.

Face Recognition Using Neural Networks Presented By: Hadis Mohseni Leila Taghavi Atefeh Mirsafian.
CSC 4510 – Machine Learning Dr. Mary-Angela Papalaskari Department of Computing Sciences Villanova University Course website: www.csc.villanova.edu/~map/4510/

CSC 4510 – Machine Learning Dr. Mary-Angela Papalaskari Department of Computing Sciences Villanova University Course website:
PPT 206 Instrumentation, Measurement and Control SEM 2 (2012/2013) Dr. Hayder Kh. Q. Ali 1.

PPT 206 Instrumentation, Measurement and Control SEM 2 (2012/2013) Dr. Hayder Kh. Q. Ali 1.
Intelligent Database Systems Lab 國立雲林科技大學 National Yunlin University of Science and Technology 1 On-line Learning of Sequence Data Based on Self-Organizing.

Intelligent Database Systems Lab 國立雲林科技大學 National Yunlin University of Science and Technology 1 On-line Learning of Sequence Data Based on Self-Organizing.
Printing: This poster is 48” wide by 36” high. It’s designed to be printed on a large-format printer. Customizing the Content: The placeholders in this.

Printing: This poster is 48” wide by 36” high. It’s designed to be printed on a large-format printer. Customizing the Content: The placeholders in this.
Table 3:Yale Result Table 2:ORL Result Introduction System Architecture The Approach and Experimental Results A Face Processing System Based on Committee.

Table 3:Yale Result Table 2:ORL Result Introduction System Architecture The Approach and Experimental Results A Face Processing System Based on Committee.
Neural Networks Chapter 6 Joost N. Kok Universiteit Leiden.

Neural Networks Chapter 6 Joost N. Kok Universiteit Leiden.
Classification / Regression Neural Networks 2

Classification / Regression Neural Networks 2
1 A Feature Selection and Evaluation Scheme for Computer Virus Detection Olivier Henchiri and Nathalie Japkowicz School of Information Technology and Engineering.

1 A Feature Selection and Evaluation Scheme for Computer Virus Detection Olivier Henchiri and Nathalie Japkowicz School of Information Technology and Engineering.
Building high-level features using large-scale unsupervised learning Anh Nguyen, Bay-yuan Hsu CS290D – Data Mining (Spring 2014) University of California,

Building high-level features using large-scale unsupervised learning Anh Nguyen, Bay-yuan Hsu CS290D – Data Mining (Spring 2014) University of California,
Methodology of Simulations n CS/PY 399 Lecture Presentation # 19 n February 21, 2001 n Mount Union College.

Methodology of Simulations n CS/PY 399 Lecture Presentation # 19 n February 21, 2001 n Mount Union College.

Similar presentations

Ads by Google