Presentation is loading. Please wait.

Presentation is loading. Please wait.

Malware Recognition with Binary Fingerprint Final Meeting

Published byEdwina Walters Modified over 6 years ago

Similar presentations

Presentation on theme: "Malware Recognition with Binary Fingerprint Final Meeting"— Presentation transcript:

1 Malware Recognition with Binary Fingerprint Final Meeting
Students : Tal Greenshpan & Offer Akrabi Supervisors : Ben Herzog & Amir Mizrahi (CheckPoint)

2 Goals Build an automated classifier for new malware
Using static analysis methods Help reverse engineers classify new malware Comparing new functions to known functions

3 Methodology Static Analysis
PE files Research important features in function comparison Reverse engineering Extract key features in order to identify resemblance between functions Keep only key features Develop an algorithm to determine feature similarity Compare functions Feature contribution

4 Methodology Build a database of known functions
MSSQL Develop extractor and classifier Python IDAPython Testing Extra: GUI

5 Achievements Decided on a set of features to be used to differentiate functions Function size Number of API call Register count Memory count Arguments count Local variables size Features from the Function Call Graph (Generated by IDA) Number of Nodes Min/Max Out-degree Min /Max In-degree Min/Max Well Connected Components size Ratio of out-degrees that are larger than 1 Ratio of in-degrees that are larger than 1 Ratio of Well Connected Components that are larger than 1 Number of API call – All API calls made and the number of occurrences Register count – Number of time the registers were accessed Mem count – Number of times the memory was accessed Arguments count – Number of arguments the function has Local variables – Number of local variables

6 Achievements Automated mass feature extraction
Low runtime complexity Created an Algorithm to differentiate functions Feature contribution Standard deviation Using the Numpy Python library Distance Algorithm – Contribution = -log(distance)

7 Achievements Successfully matched functions from actual malware samples! Distance Algorithm – Contribution = -log(distance)

8 Example Two very similar simple C++ malware like programs
Different number of arguments Different number of local variables Different order of declaration Database containing about 2,500 functions

9 Perfect match : Resemblance = 34
כ

10 Function Call Graphs (generated by IDA) for the encryption function
twin1.exe twin2.exe

11 Live Demonstration Database containing about 1,000 functions
Suspected Zeus malware related files Locky ransomware samples Analysis of a different Locky sample, not in the database File analyzed : 0deb_U.exe Function analyzed: sub_402743

12 Conclusions Efficient classification of functions with selected features The first set of features we selected did not get sufficient results Euclidian distance not good enough to differentiate functions Good classification accuracy Run time complexity for very large databases could be problematic Can improve run time significantly – cost to accuracy Removing only one feature Most of the run time is spent calculating the contribution of each feature , therefore if the database is left unchanged than no need to calculate it again – saves a lot of time. Our run time complexity is O(n^2)

13 Thank you!

Download ppt "Malware Recognition with Binary Fingerprint Final Meeting"

Similar presentations

Complex Networks for Representation and Characterization of Images For CS790g Project Bingdong Li 9/23/2009.

Complex Networks for Representation and Characterization of Images For CS790g Project Bingdong Li 9/23/2009.
Segmentation of Touching Characters in Devnagari & Bangla Scripts Using Fuzzy MultiFactorial Analysis Presented By: Sanjeev Maharjan St. Xavier’s College.

Segmentation of Touching Characters in Devnagari & Bangla Scripts Using Fuzzy MultiFactorial Analysis Presented By: Sanjeev Maharjan St. Xavier’s College.
Queries with Difference on Probabilistic Databases Sanjeev Khanna Sudeepa Roy Val Tannen University of Pennsylvania 1.

Queries with Difference on Probabilistic Databases Sanjeev Khanna Sudeepa Roy Val Tannen University of Pennsylvania 1.
Face Recognition Method of OpenCV

Face Recognition Method of OpenCV
Development of a visual studio plugin to visualize a Blocks-Graph

Development of a visual studio plugin to visualize a Blocks-Graph
Fingerprint Minutiae Matching Algorithm using Distance Histogram of Neighborhood Presented By: Neeraj Sharma M.S. student, Dongseo University, Pusan South.

Fingerprint Minutiae Matching Algorithm using Distance Histogram of Neighborhood Presented By: Neeraj Sharma M.S. student, Dongseo University, Pusan South.
Jianwei Lu1 Information Extraction from Event Announcements Student: Jianwei Lu (40942937) Supervisor: Robert Dale.

Jianwei Lu1 Information Extraction from Event Announcements Student: Jianwei Lu ( ) Supervisor: Robert Dale.
SE 450 Software Processes & Product Metrics Reliability: An Introduction.

SE 450 Software Processes & Product Metrics Reliability: An Introduction.
LYU0603 A Generic Real-Time Facial Expression Modelling System Supervisor: Prof. Michael R. Lyu Group Member: Cheung Ka Shun (05521661) Wong Chi Kin (05524554)

LYU0603 A Generic Real-Time Facial Expression Modelling System Supervisor: Prof. Michael R. Lyu Group Member: Cheung Ka Shun ( ) Wong Chi Kin ( )
Is Sampling Useful in Data Mining? A Case in the Maintenance of Discovered Association Rules S.D. Lee, David W. Cheung, Ben Kao The University of Hong.

Is Sampling Useful in Data Mining? A Case in the Maintenance of Discovered Association Rules S.D. Lee, David W. Cheung, Ben Kao The University of Hong.
On Comparing Classifiers: Pitfalls to Avoid and Recommended Approach Published by Steven L. Salzberg Presented by Prakash Tilwani MACS 598 April 25 th.

On Comparing Classifiers: Pitfalls to Avoid and Recommended Approach Published by Steven L. Salzberg Presented by Prakash Tilwani MACS 598 April 25 th.
Oral Defense by Sunny Tang 15 Aug 2003

Oral Defense by Sunny Tang 15 Aug 2003
COVERTNESS CENTRALITY IN NETWORKS Michael Ovelgönne UMIACS University of Maryland 1 Chanhyun Kang, Anshul Sawant Computer Science Dept.

COVERTNESS CENTRALITY IN NETWORKS Michael Ovelgönne UMIACS University of Maryland 1 Chanhyun Kang, Anshul Sawant Computer Science Dept.
Vision-Based Biometric Authentication System by Padraic o hIarnain Final Year Project Presentation.

Vision-Based Biometric Authentication System by Padraic o hIarnain Final Year Project Presentation.
Automated malware classification based on network behavior

Automated malware classification based on network behavior
Silvio Cesare Ph.D. Candidate, Deakin University.

Silvio Cesare Ph.D. Candidate, Deakin University.
MutantX-S: Scalable Malware Clustering Based on Static Features Xin Hu, IBM T.J. Watson Research Center; Sandeep Bhatkar and Kent Griffin, Symantec Research.

MutantX-S: Scalable Malware Clustering Based on Static Features Xin Hu, IBM T.J. Watson Research Center; Sandeep Bhatkar and Kent Griffin, Symantec Research.
Multiclass object recognition

Multiclass object recognition
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 17: Code Mining.

272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 17: Code Mining.
Industrial Project (234313) Final Presentation “App Analyzer” Deliver the right apps users want! (VMware) Students: Edward Khachatryan & Elina Zharikov.

Industrial Project (234313) Final Presentation “App Analyzer” Deliver the right apps users want! (VMware) Students: Edward Khachatryan & Elina Zharikov.

Similar presentations

Ads by Google