Machine Learning for Cyber Security – Static Detection of Malicious PE Files
<blockquote data-quote="Andy Ful" data-source="post: 930127" data-attributes="member: 32260">
<p>This article is from the year 2019 but still worth recalling. It contains some well-known information about factors that are important to static malware detection. Here are some interesting fragments:</p>
<p><em><strong>"PE Imports</strong></em></p>
<p><em>A PE can import code from other PEs. To do so, it specifies the PE file name and the functions to import. It is important to analyze the imports to get a coherent image of what the PE is doing. Some of the imported functions are indicative of potential malicious operations such as crypto APIs used for unpacking/encryption or APIs used for anti-debugging. Some examples of potential malicious imports:</em></p>
<table style="width: 100%">
<tr><td><strong>Import Names</strong></td><td><strong>Potential Malicious Usage</strong></td></tr>
<tr><td>KERNEL32.DLL!MapViewOfFile</td><td>Code Injection</td></tr>
<tr><td>KERNEL32.DLL!IsDebuggerPresent</td><td>Anti-Debugging</td></tr>
<tr><td>KERNEL32.DLL!GetThreadContext</td><td>Code Injection</td></tr>
<tr><td>KERNEL32.DLL!ReadProcessMemory</td><td>Code Injection</td></tr>
<tr><td>KERNEL32.DLL!ResumeThread</td><td>Code Injection</td></tr>
<tr><td>KERNEL32.DLL!ResumeThread</td><td>Code Injection</td></tr>
<tr><td>KERNEL32.DLL!WriteProcessMemory</td><td>Code Injection</td></tr>
<tr><td>KERNEL32.DLL!SetFileTime</td><td>Stealth</td></tr>
<tr><td>USER32.DLL!SetWindowsHookExW</td><td>API Hooking</td></tr>
<tr><td>KERNEL32.DLL!MapViewOfFile</td><td>Code Injection</td></tr>
<tr><td>ADVAPI32.DLL!CryptGenRandom</td><td>Encryption</td></tr>
<tr><td>ADVAPI32.DLL!CryptAcquireContextW</td><td>Encryption</td></tr>
<tr><td>KERNEL32.DLL!CreateToolhelp32Snapshot</td><td>Process Enumeration</td></tr>
<tr><td>ADVAPI32.DLL!OpenThreadToken</td><td>Token Manipulation</td></tr>
<tr><td>ADVAPI32.DLL!DuplicateTokenEx</td><td>Token Manipulation</td></tr>
<tr><td>CRYPT32.DLL!CertDuplicateCertificateContext</td><td>Encryption</td></tr>
</table>
<p><em>All these features enable us to learn about the new PE before it is executed or loaded, and therefore before it affects the system.</em></p>
<p><em>...</em></p>
<p>[ATTACH=full]254083[/ATTACH]</p>
<p><em>From these results, we can conclude that the most useful feature for distinguishing between benign PE files and malicious PE files is the maximum entropy of all the PE section entropies. This observation fits with our assumptions that high entropy is not common with benign PE files. In addition, it seems that there is great importance to the signature status of the file. Namely, if the PE file is not signed or it is signed with an unverified signature there is a very high probability that it is a malicious PE file.</em></p>
<p><em>The next most important features are related to section names and permissions. Malware often uses packing techniques to avoid being detected by antivirus signatures. This results in nonstandard section names and write permissions.</em></p>
<p><em>We also notice that the categories of the suspicious import had an impact on the model accuracy. In these features, we grouped different suspicious API functions by categories such as evasion, encryption, remote allocation etc. In each group, there can be several functions from different DLLs. This allowed us to learn the malicious activity without overfitting to specific functions."</em></p>
<p><strong>Full article:</strong></p>
<p>[URL unfurl="false"]https://www.cyberbit.com/blog/endpoint-security/machine-learning-for-cyber-security-static-detection/[/URL]</p>
</blockquote>
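An added example, not part of the post or of the Cyberbit article, showing the static features the quoted passage describes: per-section Shannon entropy and its maximum across sections, nonstandard and writable-plus-executable sections, signature status, and suspicious imports counted per category using the table above rather than per function. It assumes Python 3.9+ and an already-parsed view of the PE (section tuples and "DLL!Function" import strings, as a parser such as pefile exposes them); the sample packed layout, its imports and all function names are constructed for the example.

```python
import math, random
from collections import Counter

# Suspicious-import categories from the article's table above; grouping by category
# rather than by individual function is the quoted "no overfitting" point.
IMPORT_CATEGORIES = {
    "code_injection": {"KERNEL32.DLL!MapViewOfFile", "KERNEL32.DLL!GetThreadContext",
                       "KERNEL32.DLL!ReadProcessMemory", "KERNEL32.DLL!ResumeThread",
                       "KERNEL32.DLL!WriteProcessMemory"},
    "anti_debugging": {"KERNEL32.DLL!IsDebuggerPresent"},
    "stealth": {"KERNEL32.DLL!SetFileTime"},
    "api_hooking": {"USER32.DLL!SetWindowsHookExW"},
    "encryption": {"ADVAPI32.DLL!CryptGenRandom", "ADVAPI32.DLL!CryptAcquireContextW",
                   "CRYPT32.DLL!CertDuplicateCertificateContext"},
    "process_enumeration": {"KERNEL32.DLL!CreateToolhelp32Snapshot"},
    "token_manipulation": {"ADVAPI32.DLL!OpenThreadToken", "ADVAPI32.DLL!DuplicateTokenEx"},
}
# Names a linker normally emits; packers such as UPX produce others (UPX0, UPX1, ...).
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata", ".pdata", ".bss", ".tls"}
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000  # section Characteristics bits

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly random bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def extract_features(sections, imports, signature_status):
    """sections: [(name, characteristics, raw_bytes)] as a parser such as pefile exposes them;
    imports: ['DLL!Function', ...]; signature_status: 'valid', 'unverified' or 'unsigned'."""
    feats = {
        "max_section_entropy": max((shannon_entropy(raw) for _, _, raw in sections), default=0.0),
        "nonstandard_section_count": sum(name not in STANDARD_SECTIONS for name, _, _ in sections),
        "writable_executable_sections": sum(
            bool(c & IMAGE_SCN_MEM_WRITE and c & IMAGE_SCN_MEM_EXECUTE) for _, c, _ in sections),
        "signed_and_verified": int(signature_status == "valid"),  # unsigned/unverified both score 0
    }
    present = {i.upper() for i in imports}
    for category, funcs in IMPORT_CATEGORIES.items():
        feats["import_" + category] = len(present & {f.upper() for f in funcs})
    return feats

# Constructed sample (not a real binary): UPX-style RWX sections, a pseudo-random
# high-entropy payload section, and two code-injection-category imports.
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE | 0x40000000  # + IMAGE_SCN_MEM_READ
PACKED_SECTIONS = [("UPX0", RWX, b""), ("UPX1", RWX, random.Random(1).randbytes(4096)),
                   (".rsrc", 0x40000040, b"VS_VERSION_INFO\x00" * 32)]
PACKED_IMPORTS = ["KERNEL32.DLL!WriteProcessMemory", "KERNEL32.DLL!ResumeThread",
                  "KERNEL32.DLL!IsDebuggerPresent", "KERNEL32.DLL!GetModuleHandleA"]
```

Running `extract_features(PACKED_SECTIONS, PACKED_IMPORTS, "unsigned")` gives a feature vector in which the packed section's entropy sits close to 8 bits per byte, both UPX sections count as nonstandard and writable-executable, and the imports land in the code-injection and anti-debugging buckets; a plain signed `.text`-only binary scores zero on all of those.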