Upgrade to Pro — share decks privately, control downloads, hide ads and more …

マルウェアを機械学習する前に

Yuma Kurogome
February 13, 2016
Programming
3
1.4k

 マルウェアを機械学習する前に

Kaggle - Malware Classification Challenge勉強会 connpass.com/event/25007/ 発表資料

Yuma Kurogome

February 13, 2016
Tweet

More Decks by Yuma Kurogome

See All by Yuma Kurogome
The Art of De-obfuscation
ntddk
16
26k
死にゆくアンチウイルスへの祈り
ntddk
55
38k
Windows Subsystem for Linux Internals
ntddk
10
2.6k
なぜマルウェア解析は自動化できないのか
ntddk
6
3.8k
Linear Obfuscation to Drive angr Angry
ntddk
4
760
CAPTCHAとボットの共進化
ntddk
2
970
Peeling Onions
ntddk
7
3.2k
仮想化技術を用いたマルウェア解析
ntddk
8
27k
An Introduction to Drawbridge(ja)
ntddk
11
2.9k

Other Decks in Programming

See All in Programming
Kotlin 2.0을 통해 알아보는 코틀린의 미래
dalinaum
1
1.6k
Load gem from browser
ledsun
2
500
シン・リッチエディタ徹底解説
microcms
1
370
Design Doc の書き方 / How to Write a Design Doc (Ja ver.)
munetoshi
20
6.6k
スクラムマスターを目指すためにギャルになってみた話
kinocoboy2
7
2.2k
The future vision of Ruby Parser
yui_knk
3
3.4k
Modern and Lightweight Cloud Application Development with Jakarta EE 10
ivargrimstad
0
100
SpringIO_19-05-2023.pdf
ancaghenade
0
120
Github CopilotとChatGPTを使って感じた使い分けの糸口 / JavaDo #22
gishi_yama
0
160
Developing Chrome Extension with ruby.wasm
logiteca7
1
400
良い開発生産性を目指せば採用もうまくいく
rinchsan
1
370
Micro Frontends for Java Developers - Devoxx UK 2023
mraible
PRO
1
210

Featured

See All Featured
Designing with Data
zakiwarfel
91
4.3k
The Mythical Team-Month
searls
211
41k
Building an army of robots
kneath
300
41k
The Language of Interfaces
destraynor
149
21k
Atom: Resistance is Futile
akmur
256
24k
The Cult of Friendly URLs
andyhume
70
5.2k
Designing for Performance
lara
601
65k
From Idea to $5000 a Month in 5 Months
shpigford
374
45k
Into the Great Unknown - MozCon
thekraken
6
480
Large-scale JavaScript Application Architecture
addyosmani
500
110k
Streamline your AJAX requests with AmplifyJS and jQuery
dougneiner
130
8.9k
Clear Off the Table
cherdarchuk
81
300k

Transcript

  1. @ntddk
    Kaggle - Malware Classification Challenge
    2016.02.13
    1

    View Slide

  2. • http://ntddk.github.io/

    2

    View Slide

  3. 3

    View Slide

  4. 4

    View Slide

  5. Kaggle
    5
    https://www.kaggle.com/

    View Slide

  6. 6




    David H. Wolpert,
    The Supervised Learning No-Free-Lunch Theorems,
    In Proc. 6th Online World Conference on Soft Computing in
    Industrial Applications, pp.25-42, 2001.

    View Slide

  7. 7




    David H. Wolpert,
    The Supervised Learning No-Free-Lunch Theorems,
    In Proc. 6th Online World Conference on Soft Computing in
    Industrial Applications, pp.25-42, 2001.

    View Slide

  8. 8
    There ain't no such
    thing as a free lunch
    http://www.amazon.co.jp/dp/4150117489
    http://www.amazon.co.jp/dp/B00GJMUKMG/
    http://www.amazon.co.jp/dp/4150312133/

    View Slide

  9. 9
    There ain't no such
    thing as a free lunch
    http://www.amazon.co.jp/dp/4150117489
    http://www.amazon.co.jp/dp/B00GJMUKMG/
    http://www.amazon.co.jp/dp/4150312133/

    View Slide

  10. 10
    http://blog.kaggle.com/

    View Slide

  11. 11
    x η g
    a
    b
    c
    x

    View Slide

  12. 12
    x η g
    a
    b
    c
    x

    View Slide

  13. 13

    • A B
    Satoshi Watanabe,
    Knowing and Guessing ― Quantitative Study of Inference
    and Information
    John Wiley & Sons, 1969.

    View Slide

  14. 14

    • A B
    Satoshi Watanabe,
    Knowing and Guessing ― Quantitative Study of Inference
    and Information
    John Wiley & Sons, 1969.

    View Slide

  15. 15




    View Slide

  16. 16
    https://www.av-test.org/en/statistics/malware/

    View Slide

  17. 17
    http://www.mcafee.com/jp/resources/reports/rp-quarterly-threat-q2-2015.pdf

    View Slide

  18. 18
    http://www.mcafee.com/jp/resources/reports/rp-quarterly-threat-q2-2015.pdf
    http://www.mcafee.com/jp/resources/reports/rp-threats-predictions-2016.pdf

    View Slide

  19. 19
    • KERNEL32!VirtualAllocStub
    • KERNEL32!VirtualProtectStub
    • KERNEL32!OpenProcessStub
    • KERNEL32!OpenThreadStub
    • …

    View Slide

  20. 20
    CSEC:
    MWS:
    http://www.iwsec.org/mws/2015/about.html

    View Slide

  21. 21
    https://www.kaggle.com/c/malware-classification/data
    16

    View Slide

  22. 22
    • https://virusshare.com/
    • http://malware-traffic-analysis.net/

    View Slide

  23. 23




    View Slide

  24. 24



    • API
    PE

    View Slide

  25. 25
    https://github.com/corkami/

    View Slide

  26. 26






    View Slide

  27. 27
    #include
    typedef int (WINAPI *LPFNMESSAGEBOXW)(HWND, LPCWSTR, LPCWSTR, UINT);
    int main()
    {
    HMODULE hmod = LoadLibrary(TEXT("user32.dll"));
    LPFNMESSAGEBOXW lpfnMessageBoxW = (LPFNMESSAGEBOXW)GetProcAddress(hmod, "MessageBoxW");
    lpfnMessageBoxW(NULL, L"Hello, world!", L"Test", MB_OK);
    FreeLibrary(hmod);
    return 0;
    }

    View Slide

  28. 28
    {
    "category": "registry",
    "status": true,
    "return": "0x00000000",
    "timestamp": "2015-05-24 02:46:50,773",
    "thread_id": "3220",
    "repeated": 0,
    "api": "NtOpenKey",
    "arguments": [
    {
    "name": "DesiredAccess",
    "value": "33554432"
    },
    {
    "name": "KeyHandle",
    "value": "0x00000154"
    },
    {
    "name": "ObjectAttributes",
    "value": "¥¥REGISTRY¥¥USER¥¥S-1-5-21-916742657-1382504153-4155998892-1001"
    }
    ],
    "id": 83
    },

    View Slide

  29. 29




    David H. Wolpert,
    The Supervised Learning No-Free-Lunch Theorems,
    In Proc. 6th Online World Conference on Soft Computing in
    Industrial Applications, pp.25-42, 2001.

    View Slide

  30. 30
    • AdaBoost, Gradient Boosting
    • Kaggle

    View Slide

  31. DAF
    31
    Mohammad M. Masud, Latifur Khan, Bhavani Thuraisingham,
    A scalable multi-level feature extraction technique to detect
    malicious executables,
    Information Systems Frontiers, Vol.10, Issue.1, pp.33-45,
    2008.
    16
    DAF: Derived Assembly Features
    BFS: Binary N-gram Features

    View Slide