Slide 1

@ntddk Kaggle - Malware Classification Challenge 2016.02.13

Slide 2

• http://ntddk.github.io/

Slide 3


Slide 4


Slide 5

Kaggle https://www.kaggle.com/

Slide 6

※ David H. Wolpert, The Supervised Learning No-Free-Lunch Theorems, In Proc. 6th Online World Conference on Soft Computing in Industrial Applications, pp.25-42, 2001.

Slide 7

※ David H. Wolpert, The Supervised Learning No-Free-Lunch Theorems, In Proc. 6th Online World Conference on Soft Computing in Industrial Applications, pp.25-42, 2001.

Slide 8

There ain't no such thing as a free lunch
http://www.amazon.co.jp/dp/4150117489
http://www.amazon.co.jp/dp/B00GJMUKMG/
http://www.amazon.co.jp/dp/4150312133/

Slide 9

There ain't no such thing as a free lunch
http://www.amazon.co.jp/dp/4150117489
http://www.amazon.co.jp/dp/B00GJMUKMG/
http://www.amazon.co.jp/dp/4150312133/

Slide 10

http://blog.kaggle.com/

Slide 11

x η g a b c x …

Slide 12

x η g a b c x …

Slide 13

A B
Satoshi Watanabe, Knowing and Guessing ― Quantitative Study of Inference and Information, John Wiley & Sons, 1969.

Slide 14

A B
Satoshi Watanabe, Knowing and Guessing ― Quantitative Study of Inference and Information, John Wiley & Sons, 1969.

Slide 15


Slide 16

https://www.av-test.org/en/statistics/malware/

Slide 17

http://www.mcafee.com/jp/resources/reports/rp-quarterly-threat-q2-2015.pdf

Slide 18

http://www.mcafee.com/jp/resources/reports/rp-quarterly-threat-q2-2015.pdf
http://www.mcafee.com/jp/resources/reports/rp-threats-predictions-2016.pdf

Slide 19

• KERNEL32!VirtualAllocStub
• KERNEL32!VirtualProtectStub
• KERNEL32!OpenProcessStub
• KERNEL32!OpenThreadStub
• …

Slide 20

CSEC: MWS: http://www.iwsec.org/mws/2015/about.html

Slide 21

https://www.kaggle.com/c/malware-classification/data 16

Slide 22

• https://virusshare.com/
• http://malware-traffic-analysis.net/

Slide 23


Slide 24

API PE

Slide 25

https://github.com/corkami/

Slide 26


Slide 27

    #include <windows.h>

    typedef int (WINAPI *LPFNMESSAGEBOXW)(HWND, LPCWSTR, LPCWSTR, UINT);

    int main()
    {
        /* Resolve MessageBoxW at run time through LoadLibrary/GetProcAddress
           instead of linking it: the function then does not appear in the
           PE import table, so import-table features alone do not see it. */
        HMODULE hmod = LoadLibrary(TEXT("user32.dll"));
        if (hmod == NULL) {
            return 1;
        }
        LPFNMESSAGEBOXW lpfnMessageBoxW =
            (LPFNMESSAGEBOXW)GetProcAddress(hmod, "MessageBoxW");
        if (lpfnMessageBoxW == NULL) {
            FreeLibrary(hmod);
            return 1;
        }
        lpfnMessageBoxW(NULL, L"Hello, world!", L"Test", MB_OK);
        FreeLibrary(hmod);
        return 0;
    }

Slide 28

    {
      "category": "registry",
      "status": true,
      "return": "0x00000000",
      "timestamp": "2015-05-24 02:46:50,773",
      "thread_id": "3220",
      "repeated": 0,
      "api": "NtOpenKey",
      "arguments": [
        { "name": "DesiredAccess", "value": "33554432" },
        { "name": "KeyHandle", "value": "0x00000154" },
        { "name": "ObjectAttributes", "value": "\\REGISTRY\\USER\\S-1-5-21-916742657-1382504153-4155998892-1001" }
      ],
      "id": 83
    },
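The record on this slide is the per-call shape of a Cuckoo-style sandbox report. As an added example that is not part of the original deck, the following Python code parses a constructed list of such records (handles, SID, return codes and timestamps made up, and deliberately out of "id" order) into the kind of features a classifier over dynamic traces might use: API counts, category counts, failed-call counts and API-call bigrams. Treating the "repeated" field as a collapsed run of identical calls is an assumption about the format.

```python
import json
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample in the shape of the record on the slide: one "calls"
# array of a single process. All values are made up for this example.
SAMPLE_CALLS_JSON = r"""
[
  {"category": "process", "status": true, "return": "0x00000000",
   "timestamp": "2015-05-24 02:46:50,790", "thread_id": "3220", "repeated": 2,
   "api": "NtAllocateVirtualMemory",
   "arguments": [{"name": "Protection", "value": "0x00000040"}], "id": 84},
  {"category": "registry", "status": true, "return": "0x00000000",
   "timestamp": "2015-05-24 02:46:50,773", "thread_id": "3220", "repeated": 0,
   "api": "NtOpenKey",
   "arguments": [{"name": "DesiredAccess", "value": "33554432"},
                 {"name": "KeyHandle", "value": "0x00000154"},
                 {"name": "ObjectAttributes",
                  "value": "\\REGISTRY\\USER\\S-1-5-21-0-0-0-1001"}], "id": 83},
  {"category": "registry", "status": true, "return": "0x00000000",
   "timestamp": "2015-05-24 02:46:50,812", "thread_id": "3220", "repeated": 0,
   "api": "NtOpenKey",
   "arguments": [{"name": "KeyHandle", "value": "0x00000158"}], "id": 86},
  {"category": "process", "status": false, "return": "0xc0000045",
   "timestamp": "2015-05-24 02:46:50,801", "thread_id": "3220", "repeated": 0,
   "api": "NtProtectVirtualMemory",
   "arguments": [{"name": "Protection", "value": "0x00000040"}], "id": 85}
]
"""


def load_calls(text: str) -> List[dict]:
    """Parse the calls array and order it by the sequence number "id",
    which is more reliable than the millisecond timestamp string."""
    calls = json.loads(text)
    return sorted(calls, key=lambda c: c["id"])


def api_sequence(calls: List[dict], expand_repeated: bool = False) -> List[str]:
    """Return the ordered list of API names. With expand_repeated, a record
    with "repeated": k is taken (assumption) to stand for k further identical
    calls that the sandbox collapsed into one record."""
    seq: List[str] = []
    for c in calls:
        times = 1 + int(c.get("repeated", 0)) if expand_repeated else 1
        seq.extend([c["api"]] * times)
    return seq


def ngram_counts(seq: List[str], n: int = 2) -> Counter:
    """Count sliding-window n-grams over the API sequence."""
    return Counter(tuple(seq[i:i + n]) for i in range(len(seq) - n + 1))


def arg_value(call: dict, name: str) -> Optional[str]:
    """Look up one named argument of a call record, or None if absent."""
    for a in call.get("arguments", []):
        if a.get("name") == name:
            return a.get("value")
    return None


def feature_vector(calls: List[dict]) -> Dict[str, int]:
    """Bag-of-features over a call list: per-API counts, per-category counts,
    failed calls (status false) per API, and API bigram counts."""
    feats: Counter = Counter()
    for c in calls:
        feats["api:" + c["api"]] += 1
        feats["cat:" + c["category"]] += 1
        if not c["status"]:
            feats["failed:" + c["api"]] += 1
    for gram, k in ngram_counts(api_sequence(calls), 2).items():
        feats["bigram:" + "->".join(gram)] += k
    return dict(feats)


if __name__ == "__main__":
    calls = load_calls(SAMPLE_CALLS_JSON)
    print(api_sequence(calls))
    print(feature_vector(calls))
```

The bigram features are the dynamic-trace counterpart of the n-gram features over bytes or opcodes that the later slides cite; sorting by "id" before building them matters because the order of records in a report is not guaranteed.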

Slide 29

※ David H. Wolpert, The Supervised Learning No-Free-Lunch Theorems, In Proc. 6th Online World Conference on Soft Computing in Industrial Applications, pp.25-42, 2001.

Slide 30

• AdaBoost, Gradient Boosting
• Kaggle

Slide 31

DAF
Mohammad M. Masud, Latifur Khan, Bhavani Thuraisingham, A scalable multi-level feature extraction technique to detect malicious executables, Information Systems Frontiers, Vol.10, Issue.1, pp.33-45, 2008. 16
DAF: Derived Assembly Features
BFS: Binary N-gram Features