OpenTalks.AI

1 Constructing shared deep representation of executable files to search
for new threats and cybercrime investigations Alexander Chistyakov Senior Research-Developer, Detection Methods Analysis, Kaspersky Lab

2 File processing route (known threat) Benign file Malicious file
Download file Check file’s reputation Static analysis Dynamic analysis Execution artefacts Raw file artefacts Status, popularity, sources, … Label obtained?

File processing route (modified known threat) Download file Check file’s
reputation Static analysis Dynamic analysis Execution artefacts Raw file artefacts Status, popularity, sources, … ML detection model Benign file Malicious file Label obtained?

File processing route (new unknown threat) Download file Check file’s
reputation Static analysis Dynamic analysis Execution artefacts Raw file artefacts Status, popularity, sources, … ML detection model Expert decision Benign file Malicious file

Manual data labeling Expert decision Benign file Malicious file Dynamic
analysis

6 World 2 Vec

Latent representations for malware Executable file 1. Polymorphic 2. Obfuscated
3. Selfpacked 4. Multicomponent Execution process 1. Context dependent 2. Unstable 3. Concurrent 4. Distributed

Evidence lower bound Variational Auto-Encoder (Basic) Variational Auto-Encoder (Symmetric)

File and file’s behavior joint distribution

File’s behavior conditional distribution

File’s and behavior shared embedding

Reducing internal traffic Expert decision Benign file Malicious file File’s
distribution approximator Dynamic analysis

Reducing external traffic User 1 User 2 User 3 Previously
observed malware collection File’s distribution approximator

Cybercrime investigations File’s distribution approximator Incident logs and artefacts Corporate
network Alarm!

What’s next? 1.Estimating real world file’s distribution 2.Avoiding model-based adversarial
attacks 3.Preventing private data leakage 4.Environment based anomaly detection

LET’S TALK? Kaspersky Lab HQ 39A/3 Leningradskoe Shosse Moscow, 125212,
Russian Federation Tel: +7 (495) 797-8700 www.kaspersky.com

OpenTalks.AI - Александр Чистяков, Построение о...

OpenTalks.AI - Александр Чистяков, Построение общего глубокого представления исполняемых файлов для поиска новых угроз и расследования киберпреступлений

More Decks by OpenTalks.AI

Other Decks in Science

Featured

Transcript

1 Constructing shared deep representation of executable files to search

2 File processing route (known threat) Benign file Malicious file

File processing route (modified known threat) Download file Check file’s

File processing route (new unknown threat) Download file Check file’s

Manual data labeling Expert decision Benign file Malicious file Dynamic

6 World 2 Vec

Latent representations for malware Executable file 1. Polymorphic 2. Obfuscated

Evidence lower bound Variational Auto-Encoder (Basic) Variational Auto-Encoder (Symmetric)

File and file’s behavior joint distribution

File’s behavior conditional distribution

File’s and behavior shared embedding

Reducing internal traffic Expert decision Benign file Malicious file File’s

Reducing external traffic User 1 User 2 User 3 Previously

Cybercrime investigations File’s distribution approximator Incident logs and artefacts Corporate

What’s next? 1.Estimating real world file’s distribution 2.Avoiding model-based adversarial

LET’S TALK? Kaspersky Lab HQ 39A/3 Leningradskoe Shosse Moscow, 125212,