OpenTalks.AI - Александр Чистяков, Построение общего глубокого представления исполняемых файлов для поиска новых угроз и расследования киберпреступлений

Transcript

1. 1 Constructing shared deep representation of executable files to search

   for new threats and cybercrime investigations Alexander Chistyakov Senior Research-Developer, Detection Methods Analysis, Kaspersky Lab

2. 2 File processing route (known threat) Benign file Malicious file

   Download file Check file’s reputation Static analysis Dynamic analysis Execution artefacts Raw file artefacts Status, popularity, sources, … Label obtained?

3. File processing route (modified known threat) Download file Check file’s

   reputation Static analysis Dynamic analysis Execution artefacts Raw file artefacts Status, popularity, sources, … ML detection model Benign file Malicious file Label obtained?

4. File processing route (new unknown threat) Download file Check file’s

   reputation Static analysis Dynamic analysis Execution artefacts Raw file artefacts Status, popularity, sources, … ML detection model Expert decision Benign file Malicious file

5. Manual data labeling Expert decision Benign file Malicious file Dynamic

   analysis

6. 6 World 2 Vec

7. Latent representations for malware Executable file 1. Polymorphic 2. Obfuscated

   3. Selfpacked 4. Multicomponent Execution process 1. Context dependent 2. Unstable 3. Concurrent 4. Distributed

8. Evidence lower bound Variational Auto-Encoder (Basic) Variational Auto-Encoder (Symmetric)

9. File and file’s behavior joint distribution

10. File’s behavior conditional distribution

11. File’s and behavior shared embedding

12. Reducing internal traffic Expert decision Benign file Malicious file File’s

    distribution approximator Dynamic analysis

13. Reducing external traffic User 1 User 2 User 3 Previously

    observed malware collection File’s distribution approximator

14. Cybercrime investigations File’s distribution approximator Incident logs and artefacts Corporate

    network Alarm!

15. What’s next? 1.Estimating real world file’s distribution 2.Avoiding model-based adversarial

    attacks 3.Preventing private data leakage 4.Environment based anomaly detection

16. LET’S TALK? Kaspersky Lab HQ 39A/3 Leningradskoe Shosse Moscow, 125212,

    Russian Federation Tel: +7 (495) 797-8700 www.kaspersky.com