Hello everyone, I am LINE Tech Evangelist – Evan Lin. LINE has been continuously improving its information security: in addition to building on the concept of DevSecOps and injecting security DNA into LINE products and services, it is also actively promoting the growth of the wider security ecosystem. And Beer is beautiful, hacks are amazing, BECKS is gold. BECKS is composed of the words Beer and Hacks. Through a series of BECKS.IO – Security Meetup community events, it provides opportunities for face-to-face exchange and good connections among outstanding security talent in South Korea, Japan, Taiwan, and elsewhere! This BECKS.IO meetup was held at Avenue, Taipei, inviting speakers from Taiwan to talk about the security thinking and practical experience of different companies and individuals in a relaxed and open atmosphere, and to look ahead at the future development of related technologies.
KKTIX event webpage: Event URL
Detect and track Apple devices for fun and profit - Ta-Lun Yen / TXOne Networks (Trend Micro) Threat Researcher
- Apple HotSpot
- Bluetooth scan and detection
From NLP to Neural Network based Malware Detection - aaaddress1 / Chroot member
Original paper / implementation: https://github.com/Lancern/asm2vec
Syntax patterns of malware (from assembly calls)
- e.g. uExitCode -> interrupt
How to defend against Malware
- Break the program into blocks and look for suspicious blocks.
Can "semantic" models be used to decide whether code is malware?
Disadvantages of syntax-pattern matching:
- The relationship between instructions is lost (a for loop yields a recurring pattern).
- Malware has a large number of revisions and variants.
- Indexes built from old malware samples are easily evaded by new variants.
Introduction to semantics
- Determine the meaning of a word from the context it appears in
- e.g.
  - I drink beer, I drink wine.
  - I guzzle beer, I guzzle wine.
- Count how often each context word occurs through a co-occurrence matrix (tokenFreq): +1 every time it appears.
- Similar words can be found from the line graph drawn from the word frequencies (e.g. drink and guzzle).
- cosine similarity
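The co-occurrence counting and cosine comparison described above, run on the talk's two example sentences. This is an added example, not the speaker's code; the corpus is the two sentences from the notes, the window size of one word on each side is an assumption, and `similarity` returns `None` for a word the matrix has never seen, which is the limitation the next point raises.

```python
"""Co-occurrence counting ("tokenFreq") and cosine similarity, run on the two
example sentences from the talk. Added example; not the speaker's code."""
import math
import re
from collections import defaultdict

# Constructed corpus: the two sentences used in the talk.
CORPUS = [
    "I drink beer, I drink wine.",
    "I guzzle beer, I guzzle wine.",
]


def tokenize(sentence):
    """Lower-case word tokens; punctuation is dropped."""
    return re.findall(r"[a-z]+", sentence.lower())


def build_cooccurrence(sentences, window=1):
    """tokenFreq: for each word, count the words that appear within `window`
    positions of it, adding 1 per occurrence (window=1 is an assumption)."""
    counts = {}
    for sentence in sentences:
        toks = tokenize(sentence)
        for i, word in enumerate(toks):
            row = counts.setdefault(word, defaultdict(int))
            for j in range(max(0, i - window), min(len(toks), i + window + 1)):
                if j != i:
                    row[toks[j]] += 1
    return counts


def cosine(a, b):
    """Cosine of the angle between two count vectors; 0.0 for a zero vector."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(x * x for x in b))
    return dot / (na * nb) if na and nb else 0.0


def similarity(counts, w1, w2):
    """Cosine similarity of two words' context rows. Returns None for a word
    that was never seen: the matrix has no row for it and must be rebuilt."""
    if w1 not in counts or w2 not in counts:
        return None
    vocab = sorted(counts)
    va = [counts[w1].get(v, 0) for v in vocab]
    vb = [counts[w2].get(v, 0) for v in vocab]
    return cosine(va, vb)


if __name__ == "__main__":
    m = build_cooccurrence(CORPUS)
    print("drink ~ guzzle:", similarity(m, "drink", "guzzle"))
    print("drink ~ beer:  ", similarity(m, "drink", "beer"))
    print("drink ~ sip:   ", similarity(m, "drink", "sip"))
```

With this corpus, drink and guzzle have identical context rows (i, beer, wine), so their cosine is 1.0, while a word such as "sip" that never appeared has no row at all and the matrix has to be rebuilt before it can be compared.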
Why not use semantic analysis directly?
- If a new word appears, tokenFreq has to be rebuilt (retrained).
Therefore this talk builds on a distributed memory model (the PV-DM paragraph-vector approach) instead of a plain tokenFreq table.
Categorize by related dimensions rather than by the words themselves.
e.g.
- Apple -> technology brand
- NBA -> sports
- Apple Watch -> sports, heart rate -> technology brand
- China -> politics
- Huawei -> technology brand -> politics
- Then the similarity of two words can be calculated:
- China x Huawei -> the similarity will be very high.
- Commonly used method: a sigmoid normalizes an unbounded value to 0~1.
- Applying the sigmoid repeatedly makes the similarities converge together (over-fitting).
- Solution:
  - Google's word2vec approach also trains on wrong examples (negative sampling).
  - Average the vectors of a whole window of words to predict the value of the middle word.
Asm2Vec
So, how is word2vec used to detect malware?
- Distribution of instruction words
- Through the similarity distribution of the complete asm instruction context
To get the context of an instruction completely, static scanning is needed. How do you get the context in the dynamic execution state?
- Group by basic block
- Follow the flow between blocks: block a -> block b -> block c -> block b
The relationship between contexts is determined by throwing dice between code blocks (random walk).
- The middle instruction can likewise be judged by the average of its neighbours (three words)
Should push rbp be used to build tokenFreq?
sub rsp, 138h
- sub -> op
- rsp -> parameter
- 138h -> parameter
- Fill the parameters into the matrix operations
- For frequently used asm instructions, e.g. mov rax, 8h -> one needs to be passed
- Loss function theta is adjusted, as a sigmoid adjustment of the similarity
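The preprocessing the notes describe, as an added example that is not the speaker's or the Asm2Vec authors' code: each instruction is split into an opcode token and operand tokens (sub rsp, 138h -> sub / rsp / 138h), instruction sequences are sampled by a random walk over the block graph (a -> b -> c -> b), and each instruction is paired with its previous and next neighbour to form the three-word windows a PV-DM style model is trained on. The four-block function and its edges are constructed for illustration, and choosing the next block uniformly at random is an assumption.

```python
"""Asm2Vec-style preprocessing: opcode/operand tokenization and random-walk
sampling of instruction sequences from a block graph.
Added example; not the speaker's or the Asm2Vec authors' code."""
import random

# Constructed toy function (not a real sample): a -> b -> c -> b loop, b -> d exit.
BLOCKS = {
    "a": ["push rbp", "mov rbp, rsp", "sub rsp, 138h", "jmp b"],
    "b": ["mov rax, 8h", "cmp rax, rcx", "jne c"],
    "c": ["add rcx, 1", "jmp b"],
    "d": ["leave", "ret"],
}
EDGES = {"a": ["b"], "b": ["c", "d"], "c": ["b"], "d": []}


def parse_instruction(text):
    """Split 'sub rsp, 138h' into opcode 'sub' and operands ['rsp', '138h'].
    Opcode and each operand become separate tokens, as the talk describes."""
    text = text.strip()
    if not text:
        raise ValueError("empty instruction")
    parts = text.split(None, 1)
    op = parts[0].lower()
    operands = [o.strip().lower() for o in parts[1].split(",")] if len(parts) > 1 else []
    return op, operands


def random_walk(edges, entry, rng=None, max_blocks=16):
    """Walk the block graph, picking a successor uniformly at random ("throwing
    dice"; the uniform choice is an assumption) until a block with no
    successors is reached or max_blocks is hit, so loops cannot run forever."""
    rng = rng or random.Random()
    path = [entry]
    while len(path) < max_blocks:
        successors = edges.get(path[-1], [])
        if not successors:
            break
        path.append(rng.choice(successors))
    return path


def valid_walk(edges, path):
    """True if every step of the path follows an edge of the graph."""
    return all(b in edges.get(a, []) for a, b in zip(path, path[1:]))


def walk_instructions(blocks, path):
    """Concatenate the instructions of the blocks visited by a walk."""
    return [ins for block in path for ins in blocks[block]]


def context_windows(instructions):
    """(previous, current, next) token lists: the two neighbours are averaged
    to predict the middle instruction in a PV-DM style model."""
    toks = [[op] + operands for op, operands in map(parse_instruction, instructions)]
    return [(toks[i - 1], toks[i], toks[i + 1]) for i in range(1, len(toks) - 1)]


def sample_training_windows(blocks, edges, entry, n_walks=5, seed=0):
    """Run several seeded random walks and collect all training windows."""
    rng = random.Random(seed)
    windows = []
    for _ in range(n_walks):
        path = random_walk(edges, entry, rng)
        windows.extend(context_windows(walk_instructions(blocks, path)))
    return windows


if __name__ == "__main__":
    for window in sample_training_windows(BLOCKS, EDGES, "a", n_walks=1)[:4]:
        print(window)
```

Because the entry block is always visited first, the first window is the same for every walk (push rbp / mov rbp, rsp / sub rsp, 138h); the walks only diverge at block b, where the loop back through c or the exit through d is chosen at random, which is exactly how the ordering of the sampled context depends on the dice.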
Results
- Trained on 25 Mirai samples; predicting on more than 40,000 samples:
- MIPS 96%
- x86 96%
Challenge
- Malware is hard to catch once it is wrapped in a "shellcode" loader
- With DLL side-loading, the control flow graph cannot be recovered
- The semantics of mov are quite weak
- Code that modifies itself at runtime
- 95% of the sample is normal code; only the last 5% is malware
Related Q&A
- Q: How do you confirm the correctness of the random walk? If the order is wrong, the result is completely different.
- A: The original paper has 30 ~ 40% accuracy.
- Q: Why have the related results not been published?
- A: The paper is still under research, and there are some differences from the original author's ideas.
Event Summary
Tonight's gathering invited domestic and foreign security experts to share their security strategies and experience without reservation, helping participants understand, in just a few hours, the many ways security can be implemented from different angles. BECKS is composed of the words Beer and Hacks. Through this meetup we once again gathered the security community, letting security experts share their latest research and letting researchers from different fields discuss face to face. Besides helping more people understand LINE's security design, we hope that these exchanges let diverse security thinking strike wonderful sparks!
Follow the "BECKS" event page to receive push notifications with the latest Meetup news.
"BECKS" event page: https://becks.io
About the "LINE Developer Community Program"
LINE launched the "LINE Developer Community Program" in Taiwan at the beginning of this year and will invest manpower and resources in Taiwan over the long term to hold developer community gatherings, job fairs, developer conferences and more, both internally and externally, online and offline; more than 30 events have been held so far. Readers are welcome to check back for the latest updates. For details, please see:
- 2019 LINE Developer Community Program Event Schedule
- LINE Taiwan Developer Relations 2019 Review and 2019 Developer Community Program Report
- 2020 LINE Developer Community Program Event Schedule
Recruitment Information
《LINE is strongly recruiting!》 Close the Distance with us and connect the smart new world » Detailed job information
